Posted to users@tapestry.apache.org by Sebastian Hennebrüder <he...@laliluna.de> on 2009/08/25 16:25:42 UTC
Security issue with access control documentation in Wiki
Hello,
the examples in the Wiki use either a request filter or a request
dispatcher. Both solutions extract the page name in order to check if
there are any restrictions. This code originally comes from the
PageRenderDispatcher.
    // Page-name extraction as copied from PageRenderDispatcher: drop the leading '/',
    // then shorten the path at each '/' from the right until a known page name remains.
    private String extractPageName(Request request, ComponentClassResolver componentClassResolver) {
        String pageName;
        String path = request.getPath();
        int nextslashx = path.length();
        while (true) {
            pageName = path.substring(1, nextslashx);
            if (!pageName.endsWith("/") && componentClassResolver.isPageName(pageName))
                break;
            nextslashx = path.lastIndexOf('/', nextslashx - 1);
            if (nextslashx <= 1) {
                // Nothing in the path resolves to a page (e.g. "/mypage.myform.form").
                pageName = null;
                break;
            }
        }
        return pageName;
    }
The issue with this approach is that component events are not validated.
If I submit a form, the complete form processing can happen without any
security validation.
The submit sends a URL like mypage.myform.form. This kind of URL is not
resolved to a page, and as a consequence no validation takes place.
A correct implementation needs to implement the page name extraction as
done in ComponentEventLinkEncoderImpl.decodeComponentEventRequest and as
in the decodePageRenderRequest method of the same class.
In addition, a Dispatcher implementation needs to take care that it is
called before the ComponentDispatcher.
The following documentation is affected
http://wiki.apache.org/tapestry/Tapestry5HowToCreateADispatcher
http://wiki.apache.org/tapestry/Tapestry5HowToCreateADispatcher2
http://wiki.apache.org/tapestry/Tapestry5HowToControlAccess
I haven't checked the Acegi Integration howtos.
Can someone please validate this? I think we need to provide either a
service to decode page names or at least show how to do it properly.
--
Best Regards / Viele Grüße
Sebastian Hennebrueder
-----
http://www.laliluna.de
Laliluna.de, Berliner Strasse 22, 61118 Bad Vilbel, Germany
* Java Software Development, Support
* Training for Hibernate, EJB3 and Spring
* Tutorials for JSP, JavaServer Faces, Struts, Hibernate and EJB
Re: Security issue with access control documentation in Wiki
Posted by Sebastian Hennebrueder <us...@laliluna.de>.
Thiago H. de Paula Figueiredo wrote:
> On Tue, 25 Aug 2009 11:33:18 -0300, Sebastian Hennebrueder
> <us...@laliluna.de> wrote:
>
>> But it is an internal service, and using those is, from my understanding,
>> discouraged.
>
> ComponentEventLinkEncoder isn't internal, as it's in the
> org.apache.tapestry5.services package. Only classes and interfaces in
> packages named "internal" are internal.
>
Yes, this is correct. I accidentally looked into the implementations
package name.
--
Best Regards / Viele Grüße
Sebastian Hennebrueder
-----
Software Developer and Trainer for Hibernate / Java Persistence
http://www.laliluna.de
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org
Re: Security issue with access control documentation in Wiki
Posted by "Thiago H. de Paula Figueiredo" <th...@gmail.com>.
On Tue, 25 Aug 2009 11:33:18 -0300, Sebastian Hennebrueder
<us...@laliluna.de> wrote:
> But it is an internal service, and using those is, from my understanding,
> discouraged.
ComponentEventLinkEncoder isn't internal, as it's in the
org.apache.tapestry5.services package. Only classes and interfaces in
packages named "internal" are internal.
--
Thiago H. de Paula Figueiredo
Independent Java consultant, developer, and instructor
http://www.arsmachina.com.br/thiago
Re: Security issue with access control documentation in Wiki
Posted by Sebastian Hennebrueder <us...@laliluna.de>.
Thiago H. de Paula Figueiredo wrote:
> On Tue, 25 Aug 2009 11:25:42 -0300, Sebastian Hennebrüder
> <he...@laliluna.de> wrote:
>
>> Hello,
>
> Hi!
>
>> A correct implementation needs to implement the page name extraction as
>> done in ComponentEventLinkEncoderImpl.decodeComponentEventRequest and as
>> in the decodePageRenderRequest method of the same class.
>
> Why doesn't a correct implementation just inject ComponentEventLinkEncoder
> and use its methods? That's exactly what I do.
>
>> The following documentation is affected
>> http://wiki.apache.org/tapestry/Tapestry5HowToCreateADispatcher
>> http://wiki.apache.org/tapestry/Tapestry5HowToCreateADispatcher2
>> http://wiki.apache.org/tapestry/Tapestry5HowToControlAccess
>
> These examples were written before ComponentEventLinkEncoder existed, so
> everyone is invited to update the wiki pages. :)
>
>> Can someone please validate this? I think we need to provide either a
>> service to decode page names or at least show how to do it properly.
>
> ComponentEventLinkEncoder already does that.
>
But it is an internal service, and using those is, from my understanding,
discouraged.
Best Regards
Sebastian
--
Best Regards / Viele Grüße
Sebastian Hennebrueder
-----
Software Developer and Trainer for Hibernate / Java Persistence
http://www.laliluna.de
Re: Security issue with access control documentation in Wiki
Posted by "Thiago H. de Paula Figueiredo" <th...@gmail.com>.
On Tue, 25 Aug 2009 11:25:42 -0300, Sebastian Hennebrüder
<he...@laliluna.de> wrote:
> Hello,
Hi!
> A correct implementation needs to implement the page name extraction as
> done in ComponentEventLinkEncoderImpl.decodeComponentEventRequest and as
> in the decodePageRenderRequest method of the same class.
Why doesn't a correct implementation just inject ComponentEventLinkEncoder
and use its methods? That's exactly what I do.
> The following documentation is affected
> http://wiki.apache.org/tapestry/Tapestry5HowToCreateADispatcher
> http://wiki.apache.org/tapestry/Tapestry5HowToCreateADispatcher2
> http://wiki.apache.org/tapestry/Tapestry5HowToControlAccess
These examples were written before ComponentEventLinkEncoder existed, so
everyone is invited to update the wiki pages. :)
> Can someone please validate this? I think we need to provide either a
> service to decode page names or at least show how to do it properly.
ComponentEventLinkEncoder already does that.
--
Thiago H. de Paula Figueiredo
Independent Java consultant, developer, and instructor
http://www.arsmachina.com.br/thiago
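The following is an added example, not code from this thread, from the Wiki pages it discusses, or from Tapestry itself. It shows the fix Sebastian asks for in the first post (resolve the page name the way ComponentEventLinkEncoderImpl does, and run before the component event dispatcher) using the approach Thiago suggests in his reply (inject the public ComponentEventLinkEncoder service and call its decode methods). The substring-based extraction returns null for a component event URL such as /mypage.myform.form, so the access check is skipped; decodeComponentEventRequest returns the containing and active page names for that same URL, and the dispatcher below checks both. Assumptions, all mine: Tapestry 5.1 APIs (PageRenderLinkSource exists from 5.1), a restricted page-name prefix "admin/", a hypothetical "Login" page, a hypothetical session attribute "user" marking an authenticated session, and the dispatcher ids "ComponentEvent" and "PageRender" that Tapestry 5 registers for its own dispatchers.

```java
// Added example (not from the thread or from Tapestry): an access-control Dispatcher
// that resolves the page name through ComponentEventLinkEncoder, so component event
// requests such as "/mypage.myform.form" are checked, not only page render requests.
// Assumptions: Tapestry 5.1 APIs; pages whose logical name starts with "admin/" are
// restricted; a hypothetical "Login" page exists; an authenticated session carries
// the hypothetical attribute "user".

// --- File: AccessControlDispatcher.java
package com.example.security;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import org.apache.tapestry5.services.ComponentEventLinkEncoder;
import org.apache.tapestry5.services.ComponentEventRequestParameters;
import org.apache.tapestry5.services.Dispatcher;
import org.apache.tapestry5.services.PageRenderLinkSource;
import org.apache.tapestry5.services.PageRenderRequestParameters;
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.Response;
import org.apache.tapestry5.services.Session;

public class AccessControlDispatcher implements Dispatcher {
    private static final String RESTRICTED_PREFIX = "admin/"; // assumption
    private static final String LOGIN_PAGE = "Login";          // hypothetical page

    private final ComponentEventLinkEncoder linkEncoder;
    private final PageRenderLinkSource linkSource;

    public AccessControlDispatcher(ComponentEventLinkEncoder linkEncoder,
                                   PageRenderLinkSource linkSource) {
        this.linkEncoder = linkEncoder;
        this.linkSource = linkSource;
    }

    public boolean dispatch(Request request, Response response) throws IOException {
        for (String pageName : pagesTouchedBy(request)) {
            if (isRestricted(pageName) && !isAuthenticated(request)) {
                // Returning true ends dispatching: the ComponentEvent and PageRender
                // dispatchers never see the request, so the form is never processed.
                response.sendRedirect(linkSource.createPageRenderLink(LOGIN_PAGE));
                return true;
            }
        }
        return false; // not a page request, or access granted: let the built-ins run
    }

    // Decode with the same logic Tapestry uses instead of guessing from the path.
    // Both decode methods return null when the request is not of their kind.
    private List<String> pagesTouchedBy(Request request) {
        List<String> pages = new ArrayList<String>();
        ComponentEventRequestParameters event = linkEncoder.decodeComponentEventRequest(request);
        if (event != null) {
            // The component lives on the containing page; the active page is the one
            // that rendered. A restriction on either must block the event.
            pages.add(event.getContainingPageName());
            pages.add(event.getActivePageName());
            return pages;
        }
        PageRenderRequestParameters render = linkEncoder.decodePageRenderRequest(request);
        if (render != null) {
            pages.add(render.getLogicalPageName());
        }
        return pages;
    }

    private boolean isRestricted(String pageName) {
        // Tapestry page names are case-insensitive, so normalise before comparing.
        return pageName.toLowerCase().startsWith(RESTRICTED_PREFIX);
    }

    private boolean isAuthenticated(Request request) {
        Session session = request.getSession(false); // never create a session just to check
        return session != null && session.getAttribute("user") != null;
    }
}

// --- File: AppModule.java (the application's Tapestry IoC module)
package com.example.services;

import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.ioc.ServiceBinder;
import org.apache.tapestry5.ioc.annotations.InjectService;
import org.apache.tapestry5.services.Dispatcher;

import com.example.security.AccessControlDispatcher;

public class AppModule {
    public static void bind(ServiceBinder binder) {
        binder.bind(Dispatcher.class, AccessControlDispatcher.class).withId("AccessControlDispatcher");
    }

    // Constrain the order against both built-in dispatchers: "before:ComponentEvent" alone
    // says nothing about the position relative to PageRender.
    public static void contributeMasterDispatcher(OrderedConfiguration<Dispatcher> configuration,
            @InjectService("AccessControlDispatcher") Dispatcher accessControl) {
        configuration.add("AccessControl", accessControl, "before:ComponentEvent", "before:PageRender");
    }
}
```

The design point is the ordering constraint plus the decode step: a dispatcher that only decodes page render requests, or that is contributed without a constraint relative to ComponentEvent, still lets a POST to /admin/edit.myform.form reach the form's event handlers. Also note that the redirect is sent only after the request has been identified as a page or component event request, so asset requests and unknown paths fall through untouched.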