Posted to issues@shale.apache.org by "Craig McClanahan (JIRA)" <ji...@apache.org> on 2006/11/29 21:02:57 UTC

[jira] Created: (SHALE-344) Remoting does not provide configurable limiting of exposed resources

Remoting does not provide configurable limiting of exposed resources
--------------------------------------------------------------------

                 Key: SHALE-344
                 URL: http://issues.apache.org/struts/browse/SHALE-344
             Project: Shale
          Issue Type: Bug
          Components: Remoting
            Reporter: Craig McClanahan


Shale Remoting's current Processor implementations provide limited hard-coded limitations on what resources may be accessed (cannot download classpath resources named "*.class", cannot download webapp resources named "/WEB-INF/*"), but they need to provide configurable settings for more fine-grained control.  In addition, reasonably secure defaults should be provided.


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/struts/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira


[jira] Resolved: (SHALE-344) Remoting does not provide configurable limiting of exposed resources

Posted by "Craig McClanahan (JIRA)" <ji...@apache.org>.
     [ http://issues.apache.org/struts/browse/SHALE-344?page=all ]

Craig McClanahan resolved SHALE-344.
------------------------------------

    Fix Version/s: 1.0.4-SNAPSHOT
                       (was: TBD)
       Resolution: Fixed

Tightened up default rules for the "dynamic" (map to method binding) processor, and made any user-specified "excludes" list *add to* rather than replace the default excludes.  With this, I'm declaring this to be fixed for 1.0.4.


> Remoting does not provide configurable limiting of exposed resources
> --------------------------------------------------------------------
>
>                 Key: SHALE-344
>                 URL: http://issues.apache.org/struts/browse/SHALE-344
>             Project: Shale
>          Issue Type: Bug
>          Components: Remoting
>            Reporter: Craig McClanahan
>         Assigned To: Craig McClanahan
>             Fix For: 1.0.4-SNAPSHOT
>
>
> Shale Remoting's current Processor implementations provide limited hard-coded limitations on what resources may be accessed (cannot download classpath resources named "*.class", cannot download webapp resources named "/WEB-INF/*"), but they need to provide configurable settings for more fine-grained control.  In addition, reasonably secure defaults should be provided.


[jira] Commented: (SHALE-344) Remoting does not provide configurable limiting of exposed resources

Posted by "Craig McClanahan (JIRA)" <ji...@apache.org>.
    [ http://issues.apache.org/struts/browse/SHALE-344?page=comments#action_38925 ] 
            
Craig McClanahan commented on SHALE-344:
----------------------------------------

I've checked in code that makes it possible to filter what resource ids a particular processor will provide (excluded resources return a 404 to provide no information on whether a resource id is nonexistent, or whether it exists but access is being denied).  The "out of the box" configuration for classpath resources and webapp resources now prevents access to things like "*.properties".

Still need to add documentation to the website for configuring these restrictions, and to decide what defaults should be defined for the "dynamic" processor that maps resource ids to a public method on a managed bean.

The new code will be available in the 20061201 nightly build, and in the 1.0.4 release when it occurs.


> Remoting does not provide configurable limiting of exposed resources
> --------------------------------------------------------------------
>
>                 Key: SHALE-344
>                 URL: http://issues.apache.org/struts/browse/SHALE-344
>             Project: Shale
>          Issue Type: Bug
>          Components: Remoting
>            Reporter: Craig McClanahan
>         Assigned To: Craig McClanahan
>
> Shale Remoting's current Processor implementations provide limited hard-coded limitations on what resources may be accessed (cannot download classpath resources named "*.class", cannot download webapp resources named "/WEB-INF/*"), but they need to provide configurable settings for more fine-grained control.  In addition, reasonably secure defaults should be provided.

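The two behaviours the thread describes, a default exclude list that user-specified excludes extend rather than replace, and a uniform 404 for both excluded and nonexistent resource ids, as an added illustrative example. This is not Shale's own code or API; the class, method names and the simple "*" glob syntax are assumptions, and the three default patterns are the ones named in the thread.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/** Illustrative resource-id exclusion filter (hypothetical; not Shale Remoting's code). */
public class ResourceExcludeFilter {

    // Default excludes named in the issue thread; "*.properties" is the new out-of-the-box rule.
    static final List<String> DEFAULT_EXCLUDES =
        Arrays.asList("*.class", "/WEB-INF/*", "*.properties");

    private final List<Pattern> patterns = new ArrayList<>();

    /** User excludes are appended to the defaults, never substituted for them. */
    ResourceExcludeFilter(List<String> userExcludes) {
        for (String glob : DEFAULT_EXCLUDES) patterns.add(globToRegex(glob));
        for (String glob : userExcludes) patterns.add(globToRegex(glob));
    }

    /** Translate a simple glob ("*" matches any run of characters) into an anchored regex. */
    static Pattern globToRegex(String glob) {
        StringBuilder sb = new StringBuilder("^");
        for (char c : glob.toCharArray()) {
            if (c == '*') sb.append(".*");
            else sb.append(Pattern.quote(String.valueOf(c)));
        }
        return Pattern.compile(sb.append('$').toString());
    }

    boolean isExcluded(String resourceId) {
        for (Pattern p : patterns) if (p.matcher(resourceId).matches()) return true;
        return false;
    }

    /** Excluded and nonexistent ids both map to 404, so the status reveals nothing about existence. */
    int statusFor(String resourceId, boolean exists) {
        if (isExcluded(resourceId) || !exists) return 404;
        return 200;
    }

    public static void main(String[] args) {
        ResourceExcludeFilter f = new ResourceExcludeFilter(Arrays.asList("/secret/*"));
        System.out.println("/WEB-INF/web.xml   -> " + f.statusFor("/WEB-INF/web.xml", true));   // default exclude
        System.out.println("/secret/keys.txt   -> " + f.statusFor("/secret/keys.txt", true));   // user exclude, added to defaults
        System.out.println("/scripts/app.js    -> " + f.statusFor("/scripts/app.js", true));    // not excluded
        System.out.println("/scripts/missing.js -> " + f.statusFor("/scripts/missing.js", false)); // nonexistent
    }
}
```

The filter assumes the caller has already canonicalized the resource id before matching; matching is case-sensitive.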

[jira] Assigned: (SHALE-344) Remoting does not provide configurable limiting of exposed resources

Posted by "Craig McClanahan (JIRA)" <ji...@apache.org>.
     [ http://issues.apache.org/struts/browse/SHALE-344?page=all ]

Craig McClanahan reassigned SHALE-344:
--------------------------------------

    Assignee: Craig McClanahan

> Remoting does not provide configurable limiting of exposed resources
> --------------------------------------------------------------------
>
>                 Key: SHALE-344
>                 URL: http://issues.apache.org/struts/browse/SHALE-344
>             Project: Shale
>          Issue Type: Bug
>          Components: Remoting
>            Reporter: Craig McClanahan
>         Assigned To: Craig McClanahan
>
> Shale Remoting's current Processor implementations provide limited hard-coded limitations on what resources may be accessed (cannot download classpath resources named "*.class", cannot download webapp resources named "/WEB-INF/*"), but they need to provide configurable settings for more fine-grained control.  In addition, reasonably secure defaults should be provided.
