Posted to scm@geronimo.apache.org by dj...@apache.org on 2008/01/10 02:04:22 UTC
svn commit: r610624 - in /geronimo/server/trunk:
framework/modules/geronimo-deployment/src/main/java/org/apache/geronimo/deployment/xmlbeans/
plugins/j2ee/geronimo-naming-builder/src/main/xsd/
plugins/j2ee/geronimo-security-builder/src/main/xsd/ plugin...
Author: djencks
Date: Wed Jan 9 17:03:50 2008
New Revision: 610624
URL: http://svn.apache.org/viewvc?rev=610624&view=rev
Log:
GERONIMO-3738 Expose new compactPath (or, expose security vulns) jetty parameter
Added:
geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsd/geronimo-jetty-2.0.2.xsd (contents, props changed)
- copied, changed from r610611, geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsd/geronimo-jetty-2.0.1.xsd
geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsd/geronimo-jetty-config-1.0.1.xsd (contents, props changed)
- copied, changed from r610611, geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsd/geronimo-jetty-config-1.0.xsd
Removed:
geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsd/geronimo-jetty-2.0.1.xsd
geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsd/geronimo-jetty-config-1.0.xsd
Modified:
geronimo/server/trunk/framework/modules/geronimo-deployment/src/main/java/org/apache/geronimo/deployment/xmlbeans/XmlBeansUtil.java
geronimo/server/trunk/plugins/j2ee/geronimo-naming-builder/src/main/xsd/geronimo-naming-1.2.xsd
geronimo/server/trunk/plugins/j2ee/geronimo-security-builder/src/main/xsd/geronimo-security-1.2.xsd
geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/java/org/apache/geronimo/jetty6/deployment/JettyModuleBuilder.java
geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsdconfig/xmlconfig.xml
geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/test/resources/plans/plan4-converted.xml
geronimo/server/trunk/plugins/jetty/geronimo-jetty6/src/main/java/org/apache/geronimo/jetty6/JettyWebAppContext.java
geronimo/server/trunk/plugins/jetty/geronimo-jetty6/src/test/java/org/apache/geronimo/jetty6/AbstractWebModuleTest.java
Modified: geronimo/server/trunk/framework/modules/geronimo-deployment/src/main/java/org/apache/geronimo/deployment/xmlbeans/XmlBeansUtil.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/framework/modules/geronimo-deployment/src/main/java/org/apache/geronimo/deployment/xmlbeans/XmlBeansUtil.java?rev=610624&r1=610623&r2=610624&view=diff
==============================================================================
--- geronimo/server/trunk/framework/modules/geronimo-deployment/src/main/java/org/apache/geronimo/deployment/xmlbeans/XmlBeansUtil.java (original)
+++ geronimo/server/trunk/framework/modules/geronimo-deployment/src/main/java/org/apache/geronimo/deployment/xmlbeans/XmlBeansUtil.java Wed Jan 9 17:03:50 2008
@@ -71,10 +71,12 @@
NAMESPACE_UPDATES.put("http://geronimo.apache.org/xml/ns/j2ee/web-1.2", "http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1");
NAMESPACE_UPDATES.put("http://geronimo.apache.org/xml/ns/j2ee/web-2.0", "http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1");
NAMESPACE_UPDATES.put("http://geronimo.apache.org/xml/ns/web/jetty", "http://geronimo.apache.org/xml/ns/j2ee/web/jetty-2.0.1");
- NAMESPACE_UPDATES.put("http://geronimo.apache.org/xml/ns/j2ee/web/jetty-1.1", "http://geronimo.apache.org/xml/ns/j2ee/web/jetty-2.0.1");
- NAMESPACE_UPDATES.put("http://geronimo.apache.org/xml/ns/j2ee/web/jetty-1.2", "http://geronimo.apache.org/xml/ns/j2ee/web/jetty-2.0.1");
- NAMESPACE_UPDATES.put("http://geronimo.apache.org/xml/ns/j2ee/web/jetty-2.0", "http://geronimo.apache.org/xml/ns/j2ee/web/jetty-2.0.1");
- NAMESPACE_UPDATES.put("http://geronimo.apache.org/xml/ns/web/jetty/config", "http://geronimo.apache.org/xml/ns/j2ee/web/jetty/config-1.0");
+ NAMESPACE_UPDATES.put("http://geronimo.apache.org/xml/ns/j2ee/web/jetty-1.1", "http://geronimo.apache.org/xml/ns/j2ee/web/jetty-2.0.2");
+ NAMESPACE_UPDATES.put("http://geronimo.apache.org/xml/ns/j2ee/web/jetty-1.2", "http://geronimo.apache.org/xml/ns/j2ee/web/jetty-2.0.2");
+ NAMESPACE_UPDATES.put("http://geronimo.apache.org/xml/ns/j2ee/web/jetty-2.0", "http://geronimo.apache.org/xml/ns/j2ee/web/jetty-2.0.2");
+ NAMESPACE_UPDATES.put("http://geronimo.apache.org/xml/ns/j2ee/web/jetty-2.0.1", "http://geronimo.apache.org/xml/ns/j2ee/web/jetty-2.0.2");
+ NAMESPACE_UPDATES.put("http://geronimo.apache.org/xml/ns/web/jetty/config", "http://geronimo.apache.org/xml/ns/j2ee/web/jetty/config-1.0.1");
+ NAMESPACE_UPDATES.put("http://geronimo.apache.org/xml/ns/web/jetty/config-1.0", "http://geronimo.apache.org/xml/ns/j2ee/web/jetty/config-1.0.1");
NAMESPACE_UPDATES.put("http://geronimo.apache.org/xml/ns/web/tomcat", "http://geronimo.apache.org/xml/ns/j2ee/web/tomcat-2.0.1");
NAMESPACE_UPDATES.put("http://geronimo.apache.org/xml/ns/j2ee/web/tomcat-1.1", "http://geronimo.apache.org/xml/ns/j2ee/web/tomcat-2.0.1");
NAMESPACE_UPDATES.put("http://geronimo.apache.org/xml/ns/j2ee/web/tomcat-1.2", "http://geronimo.apache.org/xml/ns/j2ee/web/tomcat-2.0.1");
Modified: geronimo/server/trunk/plugins/j2ee/geronimo-naming-builder/src/main/xsd/geronimo-naming-1.2.xsd
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/j2ee/geronimo-naming-builder/src/main/xsd/geronimo-naming-1.2.xsd?rev=610624&r1=610623&r2=610624&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/j2ee/geronimo-naming-builder/src/main/xsd/geronimo-naming-1.2.xsd (original)
+++ geronimo/server/trunk/plugins/j2ee/geronimo-naming-builder/src/main/xsd/geronimo-naming-1.2.xsd Wed Jan 9 17:03:50 2008
@@ -29,7 +29,7 @@
schema will never be used directly but its elements are used in
geronimo-application-client-2.0.xsd, geronimo-connector-1.2.xsd,
geronimo-web-2.0.1.xsd, geronimo-tomcat-2.0.1.xsd, and
- geronimo-jetty-2.0.1.xsd. All the schema's or plans using elements of
+ geronimo-jetty-2.0.2.xsd. All the schema's or plans using elements of
this schema must specify the top level element with one of the
namespace specified as
"http://geronimo.apache.org/xml/ns/j2ee/naming-1.2". The default
Modified: geronimo/server/trunk/plugins/j2ee/geronimo-security-builder/src/main/xsd/geronimo-security-1.2.xsd
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/j2ee/geronimo-security-builder/src/main/xsd/geronimo-security-1.2.xsd?rev=610624&r1=610623&r2=610624&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/j2ee/geronimo-security-builder/src/main/xsd/geronimo-security-1.2.xsd (original)
+++ geronimo/server/trunk/plugins/j2ee/geronimo-security-builder/src/main/xsd/geronimo-security-1.2.xsd Wed Jan 9 17:03:50 2008
@@ -32,7 +32,7 @@
elements. This schema will never be used directly but its elements
are used in geronimo-application-client-2.0.xsd,
geronimo-connector-1.2.xsd, geronimo-web-2.0.1.xsd,
- geronimo-tomcat-2.0.1.xsd, and geronimo-jetty-2.0.1.xsd. All the schemas
+ geronimo-tomcat-2.0.1.xsd, and geronimo-jetty-2.0.2.xsd. All the schemas
or plans using elements of this schema must specify the top level
element with one of the namespace specified as
"http://geronimo.apache.org/xml/ns/j2ee/security-1.2". The default
Modified: geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/java/org/apache/geronimo/jetty6/deployment/JettyModuleBuilder.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/java/org/apache/geronimo/jetty6/deployment/JettyModuleBuilder.java?rev=610624&r1=610623&r2=610624&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/java/org/apache/geronimo/jetty6/deployment/JettyModuleBuilder.java (original)
+++ geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/java/org/apache/geronimo/jetty6/deployment/JettyModuleBuilder.java Wed Jan 9 17:03:50 2008
@@ -480,6 +480,11 @@
configureSecurityRealm(earContext, webApp, jettyWebApp, webModuleData, securityRoles, rolePermissions);
}
+ //See Jetty-386, GERONIMO-3738
+ if (jettyWebApp.getCompactPath()) {
+ webModuleData.setAttribute("compactPath", Boolean.TRUE);
+ }
+
//TODO this may definitely not be the best place for this!
for (ModuleBuilderExtension mbe : moduleBuilderExtensions) {
mbe.addGBeans(earContext, module, cl, repository);
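Review bot: The comment above the new block (`//See Jetty-386, GERONIMO-3738`) gives only ticket numbers, while the schema text added in the same commit says this setting is likely to expose WEB-INF content and content behind security constraints; a maintainer reading the builder should see that here. I would expand it to `// compact-path collapses "//" in request paths (Jetty-386, GERONIMO-3738); the schema warns it can bypass security constraints, so it is propagated only when explicitly true`. Propagating only the `true` case means an omitted or false element leaves the GBean attribute unset, which presumably falls back to the primitive default of the `boolean.class` attribute declared in JettyWebAppContext — worth a word in the comment since the safe default depends on that fallback. The enclosing method starts and ends outside the hunk.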
Copied: geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsd/geronimo-jetty-2.0.2.xsd (from r610611, geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsd/geronimo-jetty-2.0.1.xsd)
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsd/geronimo-jetty-2.0.2.xsd?p2=geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsd/geronimo-jetty-2.0.2.xsd&p1=geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsd/geronimo-jetty-2.0.1.xsd&r1=610611&r2=610624&rev=610624&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsd/geronimo-jetty-2.0.1.xsd (original)
+++ geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsd/geronimo-jetty-2.0.2.xsd Wed Jan 9 17:03:50 2008
@@ -18,8 +18,8 @@
<!-- $Rev$ $Date$ -->
-<xs:schema xmlns:web="http://geronimo.apache.org/xml/ns/j2ee/web/jetty-2.0.1"
- targetNamespace="http://geronimo.apache.org/xml/ns/j2ee/web/jetty-2.0.1"
+<xs:schema xmlns:web="http://geronimo.apache.org/xml/ns/j2ee/web/jetty-2.0.2"
+ targetNamespace="http://geronimo.apache.org/xml/ns/j2ee/web/jetty-2.0.2"
xmlns:naming="http://geronimo.apache.org/xml/ns/naming-1.2"
xmlns:sys="http://geronimo.apache.org/xml/ns/deployment-1.2"
xmlns:app="http://geronimo.apache.org/xml/ns/j2ee/application-2.0"
@@ -180,7 +180,16 @@
</xs:documentation>
</xs:annotation>
</xs:element>
-
+ <xs:element name="compact-path" type="xs:boolean" minOccurs="0">
+ <xs:annotation>
+ <xs:documentation>
+ See Jetty-386. Setting this to true makes paths like http://localhost:8080/test//favicon.ico
+ act the same as http://localhost:8080/test/favicon.ico. Setting this to true is likely to result
+ in a security vulnerability such as exposing static content in WEB-INF and behind security constraints.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+
<xs:group ref="naming:jndiEnvironmentRefsGroup">
<xs:annotation>
<xs:documentation>
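Review bot: The documentation for the new `compact-path` element at L115–L123 warns that enabling it is likely to create a security vulnerability but never states what happens when the element is omitted, so a plan author cannot tell from the schema whether leaving it out is the safe choice. I would add a sentence such as `When this element is omitted the setting is left off; only set it to true for applications that depend on the legacy double-slash behaviour and serve no protected or WEB-INF content.` (that omission means off is inferred from JettyModuleBuilder, which only propagates a true value, rather than from the schema itself). The same documentation text is duplicated verbatim in geronimo-jetty-config-1.0.1.xsd at L167–L175 and should receive the same sentence.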
Propchange: geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsd/geronimo-jetty-2.0.2.xsd
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsd/geronimo-jetty-2.0.2.xsd
------------------------------------------------------------------------------
svn:keywords = Date Author Id Revision HeadURL
Propchange: geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsd/geronimo-jetty-2.0.2.xsd
------------------------------------------------------------------------------
svn:mime-type = text/xml
Copied: geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsd/geronimo-jetty-config-1.0.1.xsd (from r610611, geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsd/geronimo-jetty-config-1.0.xsd)
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsd/geronimo-jetty-config-1.0.1.xsd?p2=geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsd/geronimo-jetty-config-1.0.1.xsd&p1=geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsd/geronimo-jetty-config-1.0.xsd&r1=610611&r2=610624&rev=610624&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsd/geronimo-jetty-config-1.0.xsd (original)
+++ geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsd/geronimo-jetty-config-1.0.1.xsd Wed Jan 9 17:03:50 2008
@@ -16,8 +16,8 @@
limitations under the License.
-->
-<xs:schema xmlns:jetty="http://geronimo.apache.org/xml/ns/web/jetty/config-1.0"
- targetNamespace="http://geronimo.apache.org/xml/ns/web/jetty/config-1.0"
+<xs:schema xmlns:jetty="http://geronimo.apache.org/xml/ns/web/jetty/config-1.0.1"
+ targetNamespace="http://geronimo.apache.org/xml/ns/web/jetty/config-1.0.1"
xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified"
attributeFormDefault="unqualified" version="1.0">
@@ -31,7 +31,7 @@
specified as
xmlns="http://geronimo.apache.org/xml/ns/j2ee/jetty-config-1.0". The
default location for this document is
- http://geronimo.apache.org/schemas-1.2/geronimo-jetty-config-1.0.xsd
+ http://geronimo.apache.org/schemas-1.2/geronimo-jetty-config-1.0.1.xsd
</xs:documentation>
</xs:annotation>
<xs:element name="jetty" type="jetty:jetty-configType">
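Review bot: The documentation at L153 still tells plan authors to declare `xmlns="http://geronimo.apache.org/xml/ns/j2ee/jetty-config-1.0"`, which matches neither the old nor the new targetNamespace (`http://geronimo.apache.org/xml/ns/web/jetty/config-1.0.1` at L148), so a plan written from this text would not validate against the schema. The commit updated the adjacent default-location line at L156 but left this one stale; I would change it in the same hunk to `xmlns="http://geronimo.apache.org/xml/ns/web/jetty/config-1.0.1"`.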
@@ -72,6 +72,15 @@
name of the clustering implementation
(org.codehaus.wadi.jetty5.JettyManager) used by this web
application.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+ <xs:element name="compact-path" type="xs:boolean" minOccurs="0">
+ <xs:annotation>
+ <xs:documentation>
+ See Jetty-386. Setting this to true makes paths like http://localhost:8080/test//favicon.ico
+ act the same as http://localhost:8080/test/favicon.ico. Setting this to true is likely to result
+ in a security vulnerability such as exposing static content in WEB-INF and behind security constraints.
</xs:documentation>
</xs:annotation>
</xs:element>
Propchange: geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsd/geronimo-jetty-config-1.0.1.xsd
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsd/geronimo-jetty-config-1.0.1.xsd
------------------------------------------------------------------------------
svn:keywords = Date Author Id Revision HeadURL
Propchange: geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsd/geronimo-jetty-config-1.0.1.xsd
------------------------------------------------------------------------------
svn:mime-type = text/xml
Modified: geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsdconfig/xmlconfig.xml
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsdconfig/xmlconfig.xml?rev=610624&r1=610623&r2=610624&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsdconfig/xmlconfig.xml (original)
+++ geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/main/xsdconfig/xmlconfig.xml Wed Jan 9 17:03:50 2008
@@ -18,11 +18,11 @@
-->
<!-- @version $Rev$ $Date$ -->
<xb:config xmlns:xb="http://www.bea.com/2002/09/xbean/config">
- <xb:namespace uri="http://geronimo.apache.org/xml/ns/j2ee/web/jetty-2.0.1">
+ <xb:namespace uri="http://geronimo.apache.org/xml/ns/j2ee/web/jetty-2.0.2">
<xb:package>org.apache.geronimo.xbeans.geronimo.web.jetty</xb:package>
<xb:prefix>Jetty</xb:prefix>
</xb:namespace>
- <xb:namespace uri="http://geronimo.apache.org/xml/ns/web/jetty/config-1.0">
+ <xb:namespace uri="http://geronimo.apache.org/xml/ns/web/jetty/config-1.0.1">
<xb:package>org.apache.geronimo.xbeans.geronimo.web.jetty.config</xb:package>
<xb:prefix>Ger</xb:prefix>
</xb:namespace>
Modified: geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/test/resources/plans/plan4-converted.xml
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/test/resources/plans/plan4-converted.xml?rev=610624&r1=610623&r2=610624&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/test/resources/plans/plan4-converted.xml (original)
+++ geronimo/server/trunk/plugins/jetty/geronimo-jetty6-builder/src/test/resources/plans/plan4-converted.xml Wed Jan 9 17:03:50 2008
@@ -15,7 +15,7 @@
See the License for the specific language governing permissions and
limitations under the License.
-->
-<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/jetty-2.0.1"
+<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/jetty-2.0.2"
xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2">
<dep:environment>
Modified: geronimo/server/trunk/plugins/jetty/geronimo-jetty6/src/main/java/org/apache/geronimo/jetty6/JettyWebAppContext.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/jetty/geronimo-jetty6/src/main/java/org/apache/geronimo/jetty6/JettyWebAppContext.java?rev=610624&r1=610623&r2=610624&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/jetty/geronimo-jetty6/src/main/java/org/apache/geronimo/jetty6/JettyWebAppContext.java (original)
+++ geronimo/server/trunk/plugins/jetty/geronimo-jetty6/src/main/java/org/apache/geronimo/jetty6/JettyWebAppContext.java Wed Jan 9 17:03:50 2008
@@ -117,6 +117,8 @@
Authenticator authenticator,
String realmName,
Map<String, String> tagLibMap,
+ boolean compactPath,
+
int sessionTimeoutSeconds,
SessionHandlerFactory handlerFactory,
PreHandlerFactory preHandlerFactory,
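Review bot: The new `boolean compactPath` parameter at L226 is followed by a stray blank line at L227 inside the parameter list; I would drop that line so the list stays uniform. Inserting a primitive boolean in the middle of a long positional constructor also means every caller must be updated by position, and the only call site visible on this page is the one in AbstractWebModuleTest — any other constructor callers outside this commit would fail to compile or, worse, shift a neighbouring argument, so it is worth confirming none exist. The constructor signature begins before this hunk.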
@@ -169,6 +171,8 @@
ServletHandler servletHandler = new ServletHandler();
webAppContext = new TwistyWebAppContext(securityHandler, sessionHandler, servletHandler, null);
+ //See Jetty-386. Setting this to true can expose secured content.
+ webAppContext.setCompactPath(compactPath);
//wrap the web app context with the jndi handler
GeronimoUserTransaction userTransaction = new GeronimoUserTransaction(transactionManager);
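Review bot: `webAppContext.setCompactPath(compactPath)` at L235 switches on a behaviour the commit's own comment says can expose secured content, yet nothing is written to the server log when it is enabled, so an operator auditing a running server cannot tell which contexts have it on. If this class has a logger available (none is visible in the hunk), I would emit a warn-level line naming the context path when `compactPath` is true, immediately after the call; the same consideration applies to the builder-side propagation in JettyModuleBuilder at L88–L91, but one message at runtime is sufficient. The enclosing constructor starts and ends outside the hunk.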
@@ -559,6 +563,7 @@
infoBuilder.addAttribute("applicationManagedSecurityResources", Set.class, true);
infoBuilder.addAttribute("contextPath", String.class, true);
+ infoBuilder.addAttribute("compactPath", boolean.class, true);
infoBuilder.addAttribute("workDir", String.class, true);
infoBuilder.addReference("Host", Host.class, "Host");
@@ -606,6 +611,7 @@
"authenticator",
"realmName",
"tagLibMap",
+ "compactPath",
GBEAN_ATTR_SESSION_TIMEOUT,
GBEAN_REF_SESSION_HANDLER_FACTORY,
GBEAN_REF_PRE_HANDLER_FACTORY,
Modified: geronimo/server/trunk/plugins/jetty/geronimo-jetty6/src/test/java/org/apache/geronimo/jetty6/AbstractWebModuleTest.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/jetty/geronimo-jetty6/src/test/java/org/apache/geronimo/jetty6/AbstractWebModuleTest.java?rev=610624&r1=610623&r2=610624&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/jetty/geronimo-jetty6/src/test/java/org/apache/geronimo/jetty6/AbstractWebModuleTest.java (original)
+++ geronimo/server/trunk/plugins/jetty/geronimo-jetty6/src/test/java/org/apache/geronimo/jetty6/AbstractWebModuleTest.java Wed Jan 9 17:03:50 2008
@@ -106,6 +106,7 @@
authenticator,
realmName,
null,
+ false,
0,
sessionHandlerFactory,
preHandlerFactory,
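Review bot: The only change here is passing `false` for the new positional argument at L261, so no test asserts that a context built without `compact-path` actually leaves the Jetty flag off — the property that keeps the default configuration safe. I would add a test that constructs the context as this helper does and asserts the corresponding getter on the Jetty context reports the flag disabled (and, if the getter is not available, that a request with a doubled slash into a protected path is not served). The enclosing call expression starts before this hunk and continues after it.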