You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@sling.apache.org by "Timothee Maret (JIRA)" <ji...@apache.org> on 2013/05/13 21:21:16 UTC

[jira] [Created] (SLING-2870) Support allowed hosts patterns in ReferrerFilter

Timothee Maret created SLING-2870:
-------------------------------------

             Summary: Support allowed hosts patterns in ReferrerFilter
                 Key: SLING-2870
                 URL: https://issues.apache.org/jira/browse/SLING-2870
             Project: Sling
          Issue Type: Improvement
          Components: Extensions
    Affects Versions: Security 1.0.2
            Reporter: Timothee Maret


The current "allow.hosts" setting of the ReferrerFilter can be configured with a list of trusted hosts.
In a setup where the list of allowed hosts is expending as the application runs, it becomes tricky to keep the configuration in sync.
As an example, a service which supports wilcard uris such as 
{noformat}
<userId>.my.service.com
{noformat}
would be required to modify the reference filter configuration for each user which is hardly doable.

Thus, I would propose to support regex patterns for the list of "allow.hosts". which would still be secure.

The example above would be configured as:
{noformat}
allow.hosts=*.my.service.com
{noformat}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira