Posted to users@tapestry.apache.org by P....@albourne.com on 2009/09/04 15:27:21 UTC

Re: Security issue with access control documentation in Wiki

This is an issue that has appeared many times on this list; you should search for old posts on it. The gist of it is that these examples were provided before newer functionality (such as ComponentClassResolver and ComponentSource etc.) was added to Tapestry that can handle this problem better.

Kind regards,
Peter


----- Original Message -----
From: "Sebastian Hennebrüder" <he...@laliluna.de>
To: "Tapestry users" <us...@tapestry.apache.org>
Sent: Tuesday, 25 August, 2009 17:25:42 GMT +02:00 Athens, Beirut, Bucharest, Istanbul
Subject: Security issue with access control documentation in Wiki

Hello,

The examples in the Wiki use either a request filter or a request 
dispatcher. Both solutions extract the page name in order to check if 
there are any restrictions. This code originally comes from the 
PageRenderDispatcher.

        // Walk the request path from the longest prefix down to the first
        // segment until a prefix resolves to a known page name.
        String pageName;
        String path = request.getPath();
        int nextslashx = path.length();

        while (true) {
            pageName = path.substring(1, nextslashx);
            if (!pageName.endsWith("/") && componentClassResolver.isPageName(pageName))
                break;
            nextslashx = path.lastIndexOf('/', nextslashx - 1);
            if (nextslashx <= 1) {
                // No prefix matched a page: the caller gets null and
                // performs no access check.
                pageName = null;
                break;
            }
        }
        return pageName;


The issue with this approach is that component events are not validated. 
If I submit a form, the complete form processing can happen without any 
security validation.
The submit sends a URL like mypage.myform.form. This kind of URL is not 
resolved to a page and as a consequence no validation takes place.

A correct implementation needs to implement the page name extraction as 
done in ComponentEventLinkEncoderImpl.decodeComponentEventRequest and as 
in the decodePageRenderRequest method of the same class.
In addition a Dispatcher implementation needs to take care that it is 
called before the ComponentDispatcher.

The following documentation is affected:
http://wiki.apache.org/tapestry/Tapestry5HowToCreateADispatcher
http://wiki.apache.org/tapestry/Tapestry5HowToCreateADispatcher2
http://wiki.apache.org/tapestry/Tapestry5HowToControlAccess

I haven't checked the Acegi Integration howtos.

Can someone please validate this? I think we need to provide either a 
service to decode page names or at least show how to do it properly.

-- 
Best Regards / Viele Grüße

Sebastian Hennebrueder

-----
http://www.laliluna.de
Laliluna.de, Berliner Strasse 22, 61118 Bad Vilbel, Germany

* Java Software Development, Support
* Training for Hibernate, EJB3 and Spring
* Tutorials for JSP, JavaServer Faces, Struts, Hibernate and EJB
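The following Java class is an added example, not code from the wiki pages, from Tapestry or from either poster. It places the wiki loop quoted above beside an event-aware variant that also recognises component event URLs, and shows why a request whose page cannot be resolved should be denied rather than skipped. Assumptions: KNOWN_PAGES is a constructed stand-in for ComponentClassResolver.isPageName(); the rule that the page name ends at the first '.' (nested component id) or ':' (event type) is taken from the mypage.myform.form shape in the mail and from the later page.component:event form, and is not Tapestry's own decoder, which lives in ComponentEventLinkEncoderImpl as the mail says; isAllowed() and the sample paths are hypothetical.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public final class PageNameDecoding {

    // Constructed stand-in for ComponentClassResolver.isPageName(): the pages this
    // hypothetical application knows about, in lower case.
    private static final Set<String> KNOWN_PAGES = new HashSet<>(
            Arrays.asList("mypage", "admin/users"));

    static boolean isPageName(String name) {
        return KNOWN_PAGES.contains(name.toLowerCase(Locale.ROOT));
    }

    /** The wiki loop from the mail: only page render URLs resolve to a page. */
    static String legacyPageName(String path) {
        String pageName;
        int nextslashx = path.length();
        while (true) {
            pageName = path.substring(1, nextslashx);
            if (!pageName.endsWith("/") && isPageName(pageName)) {
                break;
            }
            nextslashx = path.lastIndexOf('/', nextslashx - 1);
            if (nextslashx <= 1) {
                pageName = null; // "/mypage.myform.form" ends up here: no page, no check
                break;
            }
        }
        return pageName;
    }

    /**
     * Event-aware variant (assumed rule, see lead-in): a component event URL carries
     * the page name followed by ".nestedComponentId" and an event type, so the page
     * name ends at the first '.' or ':' of a candidate prefix. Everything else is the
     * same longest-prefix-first search over folder segments as the wiki loop.
     */
    static String eventAwarePageName(String path) {
        if (path == null || !path.startsWith("/")) {
            return null;
        }
        int end = path.length();
        while (end > 1) {
            String candidate = path.substring(1, end);
            int cut = firstIndexOf(candidate, '.', ':');
            String pageName = cut < 0 ? candidate : candidate.substring(0, cut);
            if (!pageName.isEmpty() && !pageName.endsWith("/") && isPageName(pageName)) {
                return pageName;
            }
            end = path.lastIndexOf('/', end - 1);
        }
        return null;
    }

    private static int firstIndexOf(String s, char a, char b) {
        int ia = s.indexOf(a);
        int ib = s.indexOf(b);
        if (ia < 0) return ib;
        if (ib < 0) return ia;
        return Math.min(ia, ib);
    }

    /** Fail closed: a request whose page cannot be resolved is denied, not waved through. */
    static boolean isAllowed(String path, Set<String> pagesRequiringLogin, boolean loggedIn) {
        String pageName = eventAwarePageName(path);
        if (pageName == null) {
            return false;
        }
        return loggedIn || !pagesRequiringLogin.contains(pageName);
    }

    public static void main(String[] args) {
        // Constructed sample request paths.
        String[] samples = {
            "/mypage",                    // page render
            "/mypage/42",                 // page render with activation context
            "/mypage.myform.form",        // component event URL from the mail
            "/admin/users.form:action/7", // event on a page inside a folder
            "/unknown.form:action"        // not a known page at all
        };
        for (String path : samples) {
            System.out.printf("%-28s legacy=%-12s eventAware=%s%n",
                    path, legacyPageName(path), eventAwarePageName(path));
        }
        Set<String> restricted = new HashSet<>(Arrays.asList("mypage"));
        System.out.println("anonymous form submit allowed? "
                + isAllowed("/mypage.myform.form", restricted, false));
    }
}
```

Running main prints, for each sample, what the wiki loop and the event-aware variant resolve the page to; the form submit URL is the row where the legacy column is null while the event-aware column names the page, which is exactly the gap the mail describes. Whatever decoder is used, the dispatcher must also be registered before the ComponentDispatcher, as the mail points out, or the event is processed before the check runs.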


