Posted to dev@shiro.apache.org by "Les Hazlewood (JIRA)" <ji...@apache.org> on 2012/05/09 22:39:53 UTC
[jira] [Created] (SHIRO-360) Create UrlEncoder
Les Hazlewood created SHIRO-360:
-----------------------------------
Summary: Create UrlEncoder
Key: SHIRO-360
URL: https://issues.apache.org/jira/browse/SHIRO-360
Project: Shiro
Issue Type: New Feature
Components: Web
Reporter: Les Hazlewood
Fix For: 1.3.0
To customize how URL encoding in a web app occurs, we should have a UrlEncoder component. More specifically, this can be used to customize how JSESSIONID is appended to a URL (if at all, depending on security preferences).
The solution could be resolved as follows:
Create a new UrlEncoder interface:

    public interface UrlEncoder {
        // Returns the (possibly rewritten) URL; the request carries everything needed to decide how.
        String encodeUrl(EncodeUrlRequest request);
    }

The EncodeUrlRequest:

    import javax.servlet.ServletContext;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public interface EncodeUrlRequest {
        String getUrl();                                // the URL to encode
        HttpServletRequest getHttpServletRequest();
        HttpServletResponse getHttpServletResponse();
        ServletContext getServletContext();
    }

Update WebEnvironment to have a new property:

    UrlEncoder getUrlEncoder();
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
Re: [jira] [Created] (SHIRO-360) Create UrlEncoder
Posted by Jim Manico <ji...@owasp.org>.
This same encoding function is necessary when trying to stop some classes of XSS defense.

<a href="http://www.somesite.com/data?test=<%= URL ENCODE UNTRUSTED DATA %>">Link</a>

And of course, adding a session ID to a URL is a security vulnerability known as session rewriting and is not recommended. :)
Aloha,
Jim
--
Jim Manico
Connections Committee Chair
Cheatsheet Series Product Manager
OWASP Podcast Producer/Host
jim@owasp.org
www.owasp.org
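The href case in Jim's message needs two layers of encoding, because the untrusted value lands first in a URL query component and then inside an HTML attribute. The following is an added example written for this thread (not Shiro's code and not part of Jim's message) using only the JDK; the class and method names are this example's own, and the base URL and link label are assumed to be trusted, developer-controlled constants.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

/** Builds an anchor tag whose query parameter came from untrusted input (example code, not Shiro's). */
final class SafeLink {

    /** Layer 1: percent-encode one untrusted value for a query string (form-style, so space becomes "+"). */
    static String urlEncode(String untrusted) {
        try {
            return URLEncoder.encode(untrusted, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is mandatory in every JVM", e);
        }
    }

    /** Layer 2: encode for an HTML attribute value so nothing can close the quote or the tag. */
    static String htmlAttributeEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * baseUrl and label are assumed trusted constants; untrustedValue is user-supplied.
     * The value is percent-encoded into the URL first, then the whole URL is attribute-encoded.
     */
    static String link(String baseUrl, String paramName, String untrustedValue, String label) {
        String url = baseUrl + "?" + urlEncode(paramName) + "=" + urlEncode(untrustedValue);
        return "<a href=\"" + htmlAttributeEncode(url) + "\">" + htmlAttributeEncode(label) + "</a>";
    }

    public static void main(String[] args) {
        // Constructed sample input containing every character either layer cares about.
        String untrusted = "a b&c=\"d\"<e>";
        System.out.println(link("http://www.somesite.com/data", "test", untrusted, "Link"));
    }
}
```

Note that `URLEncoder` produces application/x-www-form-urlencoded output, which is right for a query value but not for a path segment; a value that must go into the path needs RFC 3986 path encoding instead. Because the untrusted value is already percent-encoded, the attribute encoder only changes the URL when the developer-written part contains `&` between parameters, which browsers decode back correctly.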
[jira] [Commented] (SHIRO-360) Create UrlEncoder
Posted by "Jim Manico (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHIRO-360?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13271786#comment-13271786 ]
Jim Manico commented on SHIRO-360:
----------------------------------
This same encoding function is necessary when trying to stop some classes of XSS defense.

<a href="http://www.somesite.com/data?test=<%= URL ENCODE UNTRUSTED DATA %>">Link</a>

And of course, adding a session ID to a URL is a security vulnerability known as session rewriting and is not recommended. :)
Aloha,
Jim
[jira] [Commented] (SHIRO-360) Create UrlEncoder
Posted by "Jim Manico (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHIRO-360?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13271802#comment-13271802 ]
Jim Manico commented on SHIRO-360:
----------------------------------
Agreed on needing to support session re-writing. Would love to see a security log event, JavaDoc or both warning against this practice. :)
Aloha folks,
Jim
Re: [jira] [Commented] (SHIRO-360) Create UrlEncoder
Posted by Jim Manico <ji...@owasp.org>.
Agreed on needing to support session re-writing. Would love to see a security log event, JavaDoc or both warning against this practice. :)
Aloha folks,
Jim
[jira] [Commented] (SHIRO-360) Create UrlEncoder
Posted by "Les Hazlewood (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHIRO-360?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13271797#comment-13271797 ]
Les Hazlewood commented on SHIRO-360:
-------------------------------------
Hi Jim,
I totally agree - this is why I'd like it to be a customizable component where these things can be easily turned on/off instead of embedded in the ShiroHttpServletResponse implementation like it is today.
However, because Shiro must adhere to the Servlet Specification, we have to support JSESSIONID appending - but we can still strongly recommend to people that they turn it off (or even likely turn it off by default). XSS defense was also on my mind when I thought about this too - hopefully we can kill a few birds with one stone here.
Thanks for the feedback!!!
Les
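To make the design discussed in this thread concrete (the proposed UrlEncoder and EncodeUrlRequest interfaces from the issue description, Les's point that rewriting must stay supported for Servlet-spec compliance but should be switchable and off by default, and Jim's request for a log event and JavaDoc warning), here is an added example implementation. It is not Shiro's code: the two interfaces are declared exactly as proposed so the file compiles, while the class `CookieFirstUrlEncoder`, its constructor flag, its helper methods and its use of `java.util.logging` are this example's assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.logging.Logger;

import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// The two interfaces as proposed in SHIRO-360; declared here because they are not yet part of Shiro.
interface EncodeUrlRequest {
    String getUrl();
    HttpServletRequest getHttpServletRequest();
    HttpServletResponse getHttpServletResponse();
    ServletContext getServletContext();
}

interface UrlEncoder {
    String encodeUrl(EncodeUrlRequest request);
}

/**
 * Hypothetical UrlEncoder (example code; the name and behaviour are not Shiro's).
 * <p>
 * <b>Security warning:</b> session rewriting puts the session identifier into links, Referer
 * headers, browser history and proxy logs. Leave {@code sessionRewritingEnabled} false and let
 * the session cookie carry the identifier unless a deployment truly needs URL session tracking.
 */
class CookieFirstUrlEncoder implements UrlEncoder {

    private static final Logger log = Logger.getLogger(CookieFirstUrlEncoder.class.getName());

    private final boolean sessionRewritingEnabled;

    CookieFirstUrlEncoder(boolean sessionRewritingEnabled) {
        this.sessionRewritingEnabled = sessionRewritingEnabled;
    }

    @Override
    public String encodeUrl(EncodeUrlRequest request) {
        String url = request.getUrl();
        HttpServletRequest http = request.getHttpServletRequest();

        if (!sessionRewritingEnabled) {
            return url;                                   // hardened default: never rewrite
        }
        // Servlet spec: once the client has sent the id in a cookie, rewriting is unnecessary.
        if (http.isRequestedSessionIdFromCookie()) {
            return url;
        }
        HttpSession session = http.getSession(false);
        if (session == null) {
            return url;                                   // nothing to propagate
        }
        // Never hand the identifier to another host via an absolute or protocol-relative link.
        if (!pointsAtThisHost(url, http.getServerName())) {
            return url;
        }
        // The security log event asked for in the thread; the identifier itself is deliberately not logged.
        log.warning("session rewriting applied to a URL for request " + http.getRequestURI()
                + "; consider disabling URL session tracking");
        return appendSessionId(url, session.getId());
    }

    /** True for plain relative references and for absolute URLs whose host matches this request's host. */
    static boolean pointsAtThisHost(String url, String serverName) {
        try {
            URI uri = new URI(url);
            if (uri.getHost() != null) {
                return uri.getHost().equalsIgnoreCase(serverName);
            }
            // No host: accept "/path" or "page?x=1", reject opaque schemes such as mailto: or javascript:
            return !uri.isAbsolute() && uri.getRawAuthority() == null;
        } catch (URISyntaxException e) {
            return false;                                 // unparsable: do not decorate it
        }
    }

    /** Inserts ";jsessionid=ID" at the end of the path, before any query string or fragment. */
    static String appendSessionId(String url, String sessionId) {
        int hash = url.indexOf('#');
        String fragment = hash >= 0 ? url.substring(hash) : "";
        String rest = hash >= 0 ? url.substring(0, hash) : url;
        int q = rest.indexOf('?');
        String path = q >= 0 ? rest.substring(0, q) : rest;
        String query = q >= 0 ? rest.substring(q) : "";
        return path + ";jsessionid=" + sessionId + query + fragment;
    }
}
```

Wired into the proposed `WebEnvironment.getUrlEncoder()` property, a response wrapper's `encodeURL` would simply delegate to this component, so the rewriting policy lives in one replaceable object rather than inside the response implementation as the thread describes. The host check is the piece most worth keeping even when rewriting is enabled: the Servlet spec only requires the id to be added for links back into the same application.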