Posted to dev@tomee.apache.org by Romain Manni-Bucau <rm...@gmail.com> on 2014/09/18 20:48:49 UTC

JAXRS: fixing the security issue on 1.7

Hi guys

Does anyone have time to review my last few days of hacking to fix our JAX-RS
issue? The idea is to replace the JAX-RS servlet with a filter coming at the end
of the chain (to still be able to do security etc. ;)). This way, if the
resource exists, we just delegate to the servlet handling it (JSP...).

What needs to be done: review that what I did didn't introduce a regression
I could have missed.

Open point: in org.apache.tomee.webservices.CXFJAXRSFilter#doFilter we
may want to add a few "rules" to say "that's a resource URL (thinking of
suffixes like .css, .js...)" and in that case forget about JAX-RS. That
said, I'm not sure it would be used that much, so I didn't want to add it
*now*.

Once somebody has validated that it is OK, I'll backport it to the 1.7 branch.




Romain Manni-Bucau
Twitter: @rmannibucau
Blog: http://rmannibucau.wordpress.com/
LinkedIn: http://fr.linkedin.com/in/rmannibucau
Github: https://github.com/rmannibucau

Re: JAXRS: fixing the security issue on 1.7

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Great, thanks for the feedback.


Romain Manni-Bucau
Twitter: @rmannibucau
Blog: http://rmannibucau.wordpress.com/
LinkedIn: http://fr.linkedin.com/in/rmannibucau
Github: https://github.com/rmannibucau


2014-09-26 18:28 GMT+02:00 Bjorn Danielsson <bj...@lists.cuspycode.com>:
> OK, I have now tested my webapp with trunk from this morning.
> All my filters and servlets and JAX-RS stuff and request-forwarding
> worked as expected, except that I had to change
> my @Path-annotated POJO into an @ApplicationPath-annotated
> subclass of javax.ws.rs.core.Application, otherwise a special
> legacy servlet (a third-party WebDAV servlet) couldn't be invoked.
> I realized that this was a bug on my part, and after making the
> change all is good.
>
> --
> Bjorn Danielsson
> Cuspy Code AB

Re: JAXRS: fixing the security issue on 1.7

Posted by Bjorn Danielsson <bj...@lists.cuspycode.com>.
OK, I have now tested my webapp with trunk from this morning.
All my filters and servlets and JAX-RS stuff and request-forwarding
worked as expected, except that I had to change
my @Path-annotated POJO into an @ApplicationPath-annotated
subclass of javax.ws.rs.core.Application, otherwise a special
legacy servlet (a third-party WebDAV servlet) couldn't be invoked.
I realized that this was a bug on my part, and after making the
change all is good.

-- 
Bjorn Danielsson
Cuspy Code AB


Romain Manni-Bucau <rm...@gmail.com> wrote:
> if you have foo.jsp in the webapp root and foo.jsp contains any
> sensitive information (password but also just some algorithm used for
> security or headers...) then the raw jsp will be exposed to the client
> (not interpreted)
>
>
> Romain Manni-Bucau
> Twitter: @rmannibucau
> Blog: http://rmannibucau.wordpress.com/
> LinkedIn: http://fr.linkedin.com/in/rmannibucau
> Github: https://github.com/rmannibucau

Re: JAXRS: fixing the security issue on 1.7

Posted by Romain Manni-Bucau <rm...@gmail.com>.
If you have foo.jsp in the webapp root and foo.jsp contains any
sensitive information (a password, but also just some algorithm used for
security, or headers...), then the raw JSP will be exposed to the client
(not interpreted).


Romain Manni-Bucau
Twitter: @rmannibucau
Blog: http://rmannibucau.wordpress.com/
LinkedIn: http://fr.linkedin.com/in/rmannibucau
Github: https://github.com/rmannibucau


2014-09-18 21:25 GMT+02:00 Bjorn Danielsson <bj...@lists.cuspycode.com>:
> Romain, could you please remind me what this security issue is?
>
> I am mixing jaxrs POJOs with servlet filters doing authorization,
> and doing forwards to jsp and other resources in the middle of
> everything, so I'll be happy to test this (on trunk I assume).
>
> --
> Bjorn Danielsson
> Cuspy Code AB
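To make the two points above concrete (the filter-at-the-end-of-the-chain design from the original post, and the raw-JSP exposure explained in this reply), here is an added illustration of the dispatch rule. It is not the TomEE code in org.apache.tomee.webservices.CXFJAXRSFilter and not Romain's patch. The class name RestDispatchFilter, the init-param jaxrs-servlet and the suffix list are assumptions made for the example; the javax.servlet calls are the standard API.

```java
import java.io.IOException;
import java.net.MalformedURLException;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustration of "JAX-RS as the last filter in the chain" (hypothetical class,
 * NOT org.apache.tomee.webservices.CXFJAXRSFilter).
 *
 * Assumptions: the JAX-RS servlet is declared in web.xml by name only (no
 * url-pattern, so it can no longer shadow /foo.jsp), its name is passed in the
 * assumed init-param "jaxrs-servlet", and this filter is mapped to /* and
 * declared AFTER the application's security/authorization filters.
 */
public class RestDispatchFilter implements Filter {

    /** Optional suffix rule from the thread's "open point": always treat these as static. */
    private static final List<String> STATIC_SUFFIXES = Arrays.asList(".css", ".js", ".png", ".ico");

    private ServletContext context;
    private String restServletName;

    @Override
    public void init(FilterConfig config) throws ServletException {
        context = config.getServletContext();
        restServletName = config.getInitParameter("jaxrs-servlet"); // assumed init-param
        if (restServletName == null) {
            throw new ServletException("init-param 'jaxrs-servlet' is required");
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // Decoded path inside the webapp, context path already stripped ("/foo.jsp", "/api/users").
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }

        if (isStaticBySuffix(path) || resourceExists(path)) {
            // Something real lives at this path: continue down the chain so the
            // container's own servlet (JspServlet for *.jsp, DefaultServlet for the
            // rest) serves it. A JSP is then compiled and executed, never streamed
            // back to the client as source.
            chain.doFilter(req, resp);
            return;
        }

        // Nothing in the webapp matches: this is a REST call, hand it to the JAX-RS servlet.
        RequestDispatcher rest = context.getNamedDispatcher(restServletName);
        if (rest == null) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        rest.forward(request, response);
    }

    /** Cheap pre-check so common assets skip the resource lookup entirely. */
    static boolean isStaticBySuffix(String path) {
        String lower = path.toLowerCase(Locale.ROOT);
        for (String suffix : STATIC_SUFFIXES) {
            if (lower.endsWith(suffix)) {
                return true;
            }
        }
        return false;
    }

    /** True if the webapp contains a file or directory at this path. WEB-INF and
     *  META-INF also resolve here, but the container's DefaultServlet still refuses
     *  to serve them, so delegating down the chain stays safe. */
    private boolean resourceExists(String path) {
        try {
            return context.getResource(path) != null;
        } catch (MalformedURLException e) {
            return false;
        }
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

To wire it up, declare the JAX-RS servlet in web.xml with a servlet-name but no servlet-mapping, map this filter to /* as the last filter-mapping, and pass the servlet name as the jaxrs-servlet init-param. Two checks are worth running after deployment: a request for /foo.jsp must come back rendered (no literal "<%" in the body), and a request for a path with no file behind it must still reach the JAX-RS resource. The suffix rule is a trade-off: a REST path that happens to end in .js or .css becomes unreachable, which is why the thread leaves it as an open point.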

Re: JAXRS: fixing the security issue on 1.7

Posted by Bjorn Danielsson <bj...@lists.cuspycode.com>.
Romain, could you please remind me what this security issue is?

I am mixing jaxrs POJOs with servlet filters doing authorization,
and doing forwards to jsp and other resources in the middle of
everything, so I'll be happy to test this (on trunk I assume).

-- 
Bjorn Danielsson
Cuspy Code AB


Romain Manni-Bucau <rm...@gmail.com> wrote:
> Hi guys
>
> Does anyone have time to review my last few days of hacking to fix our JAX-RS
> issue? The idea is to replace the JAX-RS servlet with a filter coming at the end
> of the chain (to still be able to do security etc. ;)). This way, if the
> resource exists, we just delegate to the servlet handling it (JSP...).
>
> What needs to be done: review that what I did didn't introduce a regression
> I could have missed.
>
> Open point: in org.apache.tomee.webservices.CXFJAXRSFilter#doFilter we
> may want to add a few "rules" to say "that's a resource URL (thinking of
> suffixes like .css, .js...)" and in that case forget about JAX-RS. That
> said, I'm not sure it would be used that much, so I didn't want to add it
> *now*.
>
> Once somebody has validated that it is OK, I'll backport it to the 1.7 branch.
>
>
>
>
> Romain Manni-Bucau
> Twitter: @rmannibucau
> Blog: http://rmannibucau.wordpress.com/
> LinkedIn: http://fr.linkedin.com/in/rmannibucau
> Github: https://github.com/rmannibucau