Posted to dev@sling.apache.org by Timothée Maret <ti...@gmail.com> on 2013/05/13 12:08:41 UTC
Support allowed hosts patterns in ReferrerFilter
Hi,
The current "allow.hosts" setting of the ReferrerFilter can be configured
with a list of trusted hosts.
In a setup where the list of allowed hosts is expanding as the application
runs, it becomes tricky to keep the configuration in sync.
As an example, a service which supports wildcard URIs such as
<userId>.my.service.com would be required to modify the reference filter
configuration for each user which is hardly doable.
Thus, I would propose to support regex patterns for the list of
"allow.hosts", which would still be secure.
The example above would be configured as:
allow.hosts=*.my.service.com
wdyt ?
Regards,
Timothee.
Re: Support allowed hosts patterns in ReferrerFilter
Posted by Timothée Maret <ti...@gmail.com>.
Hi Carsten,
I have opened SLING-2870 and opened a pull request [0] with the patch.
One thing to note is that some "exotic" chars used in the Java regex such
as '*' are valid URI chars [1], thus those should be escaped for backward
if the patch is applied.
Regards,
Timothee.
[0] https://github.com/apache/sling/pull/6
[1] http://www.ietf.org/rfc/rfc2396.txt
2013/5/13 Carsten Ziegeler <cz...@apache.org>
> Hi Timothée,
>
> Sounds reasonable, can you create a Jira issue and maybe provide a patch?
>
> Thanks
> Carsten
>
>
> 2013/5/13 Jeff Young <je...@adobe.com>
>
> > +1
> >
> > > -----Original Message-----
> > > From: maret.timothee@gmail.com [mailto:maret.timothee@gmail.com] On
> > Behalf Of
> > > Timothée Maret
> > > Sent: 13 May 2013 11:09
> > > To: dev@sling.apache.org
> > > Subject: Support allowed hosts patterns in ReferrerFilter
> > >
> > > Hi,
> > >
> > > The current "allow.hosts" setting of the ReferrerFilter can be configured
> > > with a list of trusted hosts.
> > > In a setup where the list of allowed hosts is expanding as the application
> > > runs, it becomes tricky to keep the configuration in sync.
> > > As an example, a service which supports wildcard URIs such as
> > > <userId>.my.service.com would be required to modify the reference filter
> > > configuration for each user which is hardly doable.
> > >
> > > Thus, I would propose to support regex patterns for the list of
> > > "allow.hosts", which would still be secure.
> > >
> > > The example above would be configured as:
> > > allow.hosts=*.my.service.com
> > >
> > > wdyt ?
> > >
> > > Regards,
> > >
> > > Timothee.
> >
>
>
>
> --
> Carsten Ziegeler
> cziegeler@apache.org
>
--
Timothée Maret
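Added example (not part of this thread and not Sling's ReferrerFilter code): a host allow-list matcher showing why the pattern syntax and escaping raised in the message above matter. The class name, method names and sample Referer values are hypothetical and constructed; it assumes each entry is a Java regex matched against the whole host.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
// Added example, not Sling code. Class and method names are hypothetical.
public class AllowedHostPatterns {
    private final List<Pattern> patterns = new ArrayList<>();
    public AllowedHostPatterns(String... regexes) {
        for (String regex : regexes) {
            try {
                patterns.add(Pattern.compile(regex, Pattern.CASE_INSENSITIVE));
            } catch (PatternSyntaxException e) {
                // Fail closed: an entry that does not compile allows nothing.
                System.err.println("Skipping invalid pattern '" + regex + "': " + e.getDescription());
            }
        }
    }
    // True only if the entire host of the Referer value matches a configured pattern.
    public boolean isAllowed(String referrer) {
        String host;
        try {
            host = URI.create(referrer).getHost();
        } catch (IllegalArgumentException e) {
            return false; // unparsable Referer value
        }
        if (host == null) return false;
        for (Pattern p : patterns) {
            // matches() anchors both ends of the host; find() would accept a substring.
            if (p.matcher(host).matches()) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // A glob is not a Java regex: "*.my.service.com" does not compile and is skipped.
        AllowedHostPatterns glob = new AllowedHostPatterns("*.my.service.com");
        // Literal dots, and a user label that cannot itself contain a dot.
        AllowedHostPatterns strict = new AllowedHostPatterns("[a-z0-9-]+\\.my\\.service\\.com");
        // Unescaped dots match any character, so this accepts more than subdomains.
        AllowedHostPatterns loose = new AllowedHostPatterns(".*.my.service.com");
        String[] referrers = { // constructed sample values
            "https://alice.my.service.com/page.html", "https://alice.my.service.com.example.net/",
            "https://alice-my.service.com/", "https://my.service.com/" };
        for (String r : referrers)
            System.out.printf("%-42s glob=%b strict=%b loose=%b%n", r,
                glob.isAllowed(r), strict.isAllowed(r), loose.isAllowed(r));
    }
}
```

The strict pattern accepts only the first sample value, while the loose pattern also accepts alice-my.service.com because its unescaped dots match the hyphen.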
Re: Support allowed hosts patterns in ReferrerFilter
Posted by Carsten Ziegeler <cz...@apache.org>.
Hi Timothée,
Sounds reasonable, can you create a Jira issue and maybe provide a patch?
Thanks
Carsten
2013/5/13 Jeff Young <je...@adobe.com>
> +1
>
> > -----Original Message-----
> > From: maret.timothee@gmail.com [mailto:maret.timothee@gmail.com] On
> Behalf Of
> > Timothée Maret
> > Sent: 13 May 2013 11:09
> > To: dev@sling.apache.org
> > Subject: Support allowed hosts patterns in ReferrerFilter
> >
> > Hi,
> >
> > The current "allow.hosts" setting of the ReferrerFilter can be configured
> > with a list of trusted hosts.
> > In a setup where the list of allowed hosts is expanding as the application
> > runs, it becomes tricky to keep the configuration in sync.
> > As an example, a service which supports wildcard URIs such as
> > <userId>.my.service.com would be required to modify the reference filter
> > configuration for each user which is hardly doable.
> >
> > Thus, I would propose to support regex patterns for the list of
> > "allow.hosts", which would still be secure.
> >
> > The example above would be configured as:
> > allow.hosts=*.my.service.com
> >
> > wdyt ?
> >
> > Regards,
> >
> > Timothee.
>
--
Carsten Ziegeler
cziegeler@apache.org
RE: Support allowed hosts patterns in ReferrerFilter
Posted by Jeff Young <je...@adobe.com>.
+1
> -----Original Message-----
> From: maret.timothee@gmail.com [mailto:maret.timothee@gmail.com] On Behalf Of
> Timothée Maret
> Sent: 13 May 2013 11:09
> To: dev@sling.apache.org
> Subject: Support allowed hosts patterns in ReferrerFilter
>
> Hi,
>
> The current "allow.hosts" setting of the ReferrerFilter can be configured
> with a list of trusted hosts.
> In a setup where the list of allowed hosts is expanding as the application
> runs, it becomes tricky to keep the configuration in sync.
> As an example, a service which supports wildcard URIs such as
> <userId>.my.service.com would be required to modify the reference filter
> configuration for each user which is hardly doable.
>
> Thus, I would propose to support regex patterns for the list of
> "allow.hosts", which would still be secure.
>
> The example above would be configured as:
> allow.hosts=*.my.service.com
>
> wdyt ?
>
> Regards,
>
> Timothee.