Posted to users@tapestry.apache.org by Kalle Korhonen <ka...@gmail.com> on 2016/05/31 08:13:50 UTC

tapestry-security 0.6.4 release addresses a serious vulnerability

While the Apache Shiro team (me included) is still mulling over how to
best fix a serious security vulnerability with Shiro's default rememberMe
cookies and object deserialization, [SHIRO-550](https://issues.apache.org/jira/browse/SHIRO-550),
I went ahead and implemented a fix for the vulnerability in
[tapestry-security](http://www.tynamo.org/tapestry-security+guide/),
following a similar approach I had proposed for Shiro as well. In essence,
an attacker who can place a crafted serialized object in the rememberMe
cookie can potentially execute code on the server through a Java
deserialization vulnerability (see more at
https://www.contrastsecurity.com/security-influencers/java-serialization-vulnerability-threatens-millions-of-applications).
It's a bit more convoluted for Shiro in general, but once again, service
contributions make this a simple matter to handle in Tapestry. In 0.6.4 of
tapestry-security, only known principal types can be deserialized. *Long*,
*Integer* and *String* (which likely cover 99% of the use cases) are
sanctioned by default, and users can easily contribute additional principal
types to the org.apache.shiro.io.Serializer service, for example:

```java
import org.apache.shiro.io.Serializer;
import org.apache.tapestry5.ioc.Configuration;
import org.apache.tapestry5.ioc.annotations.Contribute;

// In your application's Tapestry module class: sanction an additional principal type (UID is your own class)
@Contribute(Serializer.class)
public static void addSafePrincipalTypes(Configuration<Class> configuration) {
    configuration.add(UID.class);
}
```
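To show what "only known principal types can be deserialized" means at the
ObjectInputStream level, here is an added, self-contained illustration. It is
not tapestry-security's SimplePrincipalSerializer and does not reproduce how
that class is wired into Shiro's rememberMe handling (where the cookie
actually carries a Shiro PrincipalCollection around the principal; that
wrapping is left out here). Class and method names are mine, and the sample
payloads (a Long user id, and a java.util.Date standing in for a hostile
object) are constructed for the demo:

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;

/**
 * Added illustration, not tapestry-security's own code: deserialize a remembered
 * principal only if every class descriptor in the stream is on an explicit allow
 * list. Unknown classes (gadget-chain classes included) are rejected in
 * resolveClass(), i.e. before they are loaded and before any readObject() runs.
 */
public class AllowListPrincipalDeserializer {

    /** The sanctioned principal types named in the announcement. */
    public static final Set<String> DEFAULT_ALLOWED =
            allowedClassNames(Long.class, Integer.class, String.class);

    /**
     * Caveat: the stream carries a descriptor for each serializable superclass as
     * well (Long extends Number), and resolveClass() is invoked for every one of
     * them, so the allow list must be closed over serializable superclasses.
     */
    public static Set<String> allowedClassNames(Class<?>... principalTypes) {
        Set<String> names = new HashSet<>();
        for (Class<?> type : principalTypes) {
            for (Class<?> c = type; c != null && Serializable.class.isAssignableFrom(c); c = c.getSuperclass()) {
                names.add(c.getName());
            }
        }
        return names;
    }

    static final class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowListObjectInputStream(byte[] bytes, Set<String> allowed) throws IOException {
            super(new ByteArrayInputStream(bytes));
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not a sanctioned principal type");
            }
            return super.resolveClass(desc);
        }

        @Override
        protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
            // A dynamic proxy is never a principal; refuse without consulting the list.
            throw new InvalidClassException("java.lang.reflect.Proxy", "proxies are not sanctioned principal types");
        }
    }

    public static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(value);
        }
        return bos.toByteArray();
    }

    public static Object deserializePrincipal(byte[] bytes, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(bytes, allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a Long user id, the common case for a remembered principal.
        Object ok = deserializePrincipal(serialize(42L), DEFAULT_ALLOWED);
        System.out.println("accepted: " + ok.getClass().getName() + " " + ok);

        // Constructed sample: any non-sanctioned Serializable stands in for a malicious payload.
        try {
            deserializePrincipal(serialize(new Date()), DEFAULT_ALLOWED);
            System.out.println("BUG: payload was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
        }
    }
}
```

The design point is that the check happens in resolveClass() on the class
name taken from the stream, not on the object after it has been built; by the
time readObject() returns, a gadget chain has already done its work. The
superclass closure in allowedClassNames() is the detail most hand-rolled
allow lists get wrong: a list containing only java.lang.Long rejects every
Long because the stream also names java.lang.Number.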

You are advised to update immediately. Currently the fix is only available
for Tapestry 5.4, but I'll make other releases available as requested. You
can also easily copy the relevant classes from the
[source tree](https://github.com/tynamo/tapestry-security/blob/master/src/main/java/org/tynamo/security/shiro/SimplePrincipalSerializer.java)
and override services as needed in your application.

**Release notes**

- Upgrade Shiro to 1.2.5 [#26](https://github.com/tynamo/tapestry-security/issues/26)
- Safely deserialize principals from rememberMe cookie [#27](https://github.com/tynamo/tapestry-security/issues/27)
- Update to Tapestry 5.4.1 [#28](https://github.com/tynamo/tapestry-security/issues/28)