Posted to users@tapestry.apache.org by Sebastian Hennebrüder <he...@laliluna.de> on 2009/08/25 16:25:42 UTC

Security issue with access control documentation in Wiki

Hello,

the examples in the Wiki use either a request filter or a request 
dispatcher. Both solutions extract the page name in order to check if 
there are any restrictions. This code originally comes from the 
PageRenderDispatcher:

    // Page-name lookup as used by the Wiki examples (taken from PageRenderDispatcher).
    // It scans the request path from the right, dropping one '/' segment at a time,
    // until the remainder is a known page name; a path that never matches yields null.
    private String extractPageName(Request request, ComponentClassResolver componentClassResolver) {
        String pageName;
        String path = request.getPath();
        int nextslashx = path.length();

        while (true) {
            pageName = path.substring(1, nextslashx);
            if (!pageName.endsWith("/") && componentClassResolver.isPageName(pageName))
                break;
            nextslashx = path.lastIndexOf('/', nextslashx - 1);
            if (nextslashx <= 1) {
                // no prefix of the path is a page name, e.g. "/mypage.myform.form"
                pageName = null;
                break;
            }
        }
        return pageName;
    }


The issue with this approach is that component events are not validated. 
If I submit a form, the complete form processing can happen without any 
security validation. The submit sends a URL like mypage.myform.form. This 
kind of URL is not resolved to a page and as a consequence no validation 
takes place.

A correct implementation needs to implement the page name extraction as 
done in ComponentEventLinkEncoderImpl.decodeComponentEventRequest and as 
in the decodePageRenderRequest method of the same class.
In addition, a Dispatcher implementation needs to take care that it is 
called before the ComponentDispatcher.

The following documentation is affected:
http://wiki.apache.org/tapestry/Tapestry5HowToCreateADispatcher
http://wiki.apache.org/tapestry/Tapestry5HowToCreateADispatcher2
http://wiki.apache.org/tapestry/Tapestry5HowToControlAccess

I haven't checked the Acegi Integration howtos.

Can someone please validate this? I think we need to provide either a 
service to decode page names or at least show how to do it properly.

-- 
Best Regards / Viele Grüße

Sebastian Hennebrueder

-----
http://www.laliluna.de
Laliluna.de, Berliner Strasse 22, 61118 Bad Vilbel, Germany

* Java Software Development, Support
* Training for Hibernate, EJB3 and Spring
* Tutorials for JSP, JavaServer Faces, Struts, Hibernate and EJB
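
The following is an added example, not code from the original post, the Wiki pages or the Tapestry project. It shows the shape of an access-control Dispatcher that resolves the target page through the public ComponentEventLinkEncoder service (as suggested later in this thread) instead of scanning the request path by hand, so a component event request such as /mypage.myform.form is attributed to page "mypage" rather than slipping past the check. The package name, the AccessControlDispatcher and AppModule class names, the "admin"/"userRole" policy and the dispatcher ids "PageRender" and "ComponentEvent" used in the ordering constraints are assumptions for this example; the ids must match the Tapestry version actually installed.

```java
package com.example.tapestry.security; // hypothetical package, not part of Tapestry

import java.io.IOException;
import java.util.Locale;

import javax.servlet.http.HttpServletResponse;

import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.services.ComponentEventLinkEncoder;
import org.apache.tapestry5.services.ComponentEventRequestParameters;
import org.apache.tapestry5.services.Dispatcher;
import org.apache.tapestry5.services.PageRenderRequestParameters;
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.Response;
import org.apache.tapestry5.services.Session;

/**
 * Access-control Dispatcher that decodes the request with the public
 * ComponentEventLinkEncoder service, so both page render requests and
 * component event requests (form submits, action links) are checked.
 */
public class AccessControlDispatcher implements Dispatcher {

    private final ComponentEventLinkEncoder linkEncoder;

    public AccessControlDispatcher(ComponentEventLinkEncoder linkEncoder) {
        this.linkEncoder = linkEncoder;
    }

    public boolean dispatch(Request request, Response response) throws IOException {
        // Component event requests first: this is the form submit case from the post,
        // e.g. "/mypage.myform.form", which the hand-written path scan never resolves.
        ComponentEventRequestParameters event = linkEncoder.decodeComponentEventRequest(request);
        if (event != null) {
            // The component may be defined on a different page than the one being
            // rendered (a layout component, for instance), so both pages are checked.
            if (!isAllowed(event.getActivePageName(), request)
                    || !isAllowed(event.getContainingPageName(), request)) {
                return deny(response);
            }
            return false; // authorised: let the component event dispatcher handle it
        }

        PageRenderRequestParameters render = linkEncoder.decodePageRenderRequest(request);
        if (render != null) {
            if (!isAllowed(render.getLogicalPageName(), request)) {
                return deny(response);
            }
            return false; // authorised: let the page render dispatcher handle it
        }

        // Neither a page render nor a component event (asset, root path, ...): not ours.
        return false;
    }

    /**
     * Policy constructed for this example: any page whose logical name starts
     * with "admin" requires the session attribute "userRole" to equal "admin".
     */
    boolean isAllowed(String logicalPageName, Request request) {
        if (logicalPageName == null) {
            return true;
        }
        String name = logicalPageName.toLowerCase(Locale.ENGLISH);
        if (!name.startsWith("admin")) {
            return true;
        }
        Session session = request.getSession(false);
        return session != null && "admin".equals(session.getAttribute("userRole"));
    }

    private boolean deny(Response response) throws IOException {
        response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access denied");
        return true; // request fully handled, no later dispatcher runs
    }
}

// Registration belongs in the application's Tapestry module class (conventionally
// AppModule). The constraints place the check ahead of both built-in dispatchers;
// the ids "PageRender" and "ComponentEvent" are assumed here for Tapestry 5.1.
class AppModule {
    public static void contributeMasterDispatcher(OrderedConfiguration<Dispatcher> configuration,
                                                  ComponentEventLinkEncoder linkEncoder) {
        configuration.add("AccessControl", new AccessControlDispatcher(linkEncoder),
                          "before:PageRender", "before:ComponentEvent");
    }
}
```

Because the dispatcher only decodes and checks, and returns false on success, the normal PageRenderDispatcher and ComponentEventDispatcher still do the real work; what changes is that a request is refused before either of them sees it, regardless of whether it arrived as a render URL or as a component event URL.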



Re: Security issue with access control documentation in Wiki

Posted by Sebastian Hennebrueder <us...@laliluna.de>.
Thiago H. de Paula Figueiredo schrieb:
> Em Tue, 25 Aug 2009 11:33:18 -0300, Sebastian Hennebrueder 
> <us...@laliluna.de> escreveu:
> 
>> But it is an internal service which, from my understanding, is 
>> discouraged to use.
> 
> ComponentEventLinkEncoder isn't internal, as it's in the 
> org.apache.tapestry5.services package. Only classes and interfaces in 
> packages named "internal" are internal.
> 

Yes, this is correct. I accidentally looked into the implementations 
package name.

-- 
Best Regards / Viele Grüße

Sebastian Hennebrueder
-----
Software Developer and Trainer for Hibernate / Java Persistence
http://www.laliluna.de



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org


Re: Security issue with access control documentation in Wiki

Posted by "Thiago H. de Paula Figueiredo" <th...@gmail.com>.
Em Tue, 25 Aug 2009 11:33:18 -0300, Sebastian Hennebrueder  
<us...@laliluna.de> escreveu:

> But it is an internal service which, from my understanding, is 
> discouraged to use.

ComponentEventLinkEncoder isn't internal, as it's in the  
org.apache.tapestry5.services package. Only classes and interfaces in  
packages named "internal" are internal.

-- 
Thiago H. de Paula Figueiredo
Independent Java consultant, developer, and instructor
http://www.arsmachina.com.br/thiago



Re: Security issue with access control documentation in Wiki

Posted by Sebastian Hennebrueder <us...@laliluna.de>.
Thiago H. de Paula Figueiredo schrieb:
> Em Tue, 25 Aug 2009 11:25:42 -0300, Sebastian Hennebrüder 
> <he...@laliluna.de> escreveu:
> 
>> Hello,
> 
> Hi!
> 
>> A correct implementation needs to implement the page name extraction as
>> done in ComponentEventLinkEncoderImpl.decodeComponentEventRequest and as
>> in the decodePageRenderRequest method of the same class.
> 
> Why doesn't a correct implementation just inject ComponentEventLinkEncoder 
> and use its methods? That's exactly what I do.
> 
>> The following documentation is affected
>> http://wiki.apache.org/tapestry/Tapestry5HowToCreateADispatcher
>> http://wiki.apache.org/tapestry/Tapestry5HowToCreateADispatcher2
>> http://wiki.apache.org/tapestry/Tapestry5HowToControlAccess
> 
> These examples were written before ComponentEventLinkEncoder existed, so 
> everyone is invited to update the wiki pages. :)
> 
>> Can someone please validate this? I think we need to provide either a
>> service to decode page names or at least show how to do it properly.
> 
> ComponentEventLinkEncoder already does that.
> 

But it is an internal service which, from my understanding, is 
discouraged to use.

Best Regards

Sebastian


-- 
Best Regards / Viele Grüße

Sebastian Hennebrueder
-----
Software Developer and Trainer for Hibernate / Java Persistence
http://www.laliluna.de





Re: Security issue with access control documentation in Wiki

Posted by "Thiago H. de Paula Figueiredo" <th...@gmail.com>.
Em Tue, 25 Aug 2009 11:25:42 -0300, Sebastian Hennebrüder  
<he...@laliluna.de> escreveu:

> Hello,

Hi!

> A correct implementation needs to implement the page name extraction as
> done in ComponentEventLinkEncoderImpl.decodeComponentEventRequest and as
> in the decodePageRenderRequest method of the same class.

Why doesn't a correct implementation just inject ComponentEventLinkEncoder  
and use its methods? That's exactly what I do.

> The following documentation is affected
> http://wiki.apache.org/tapestry/Tapestry5HowToCreateADispatcher
> http://wiki.apache.org/tapestry/Tapestry5HowToCreateADispatcher2
> http://wiki.apache.org/tapestry/Tapestry5HowToControlAccess

These examples were written before ComponentEventLinkEncoder existed, so  
everyone is invited to update the wiki pages. :)

> Can someone please validate this? I think we need to provide either a
> service to decode page names or at least show how to do it properly.

ComponentEventLinkEncoder already does that.

-- 
Thiago H. de Paula Figueiredo
Independent Java consultant, developer, and instructor
http://www.arsmachina.com.br/thiago
