shale-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig McClanahan (JIRA)" <j...@apache.org>
Subject [jira] Commented: (SHALE-344) Remoting does not provide configurable limiting of exposed resources
Date Thu, 30 Nov 2006 22:59:57 GMT
    [ http://issues.apache.org/struts/browse/SHALE-344?page=comments#action_38925 ] 
            
Craig McClanahan commented on SHALE-344:
----------------------------------------

I've checked in code that makes it possible to filter what resource ids a particular processor
will provide (excluded resources return a 404 to provide no information on whether a resource
id is nonexistent, or whether it exists but access is being denied).  The "out of the box"
configuration for classpath resources and webapp resources now prevents access to things like
"*.properties".

Still need to add documentation to the website for configuring these restrictions, and to
decide what defaults should be defined for the "dynamic" processor that maps resource ids
to a public method on a managed bean.

The new code will be available in the 20061201 nightly build, and in the 1.0.4 release when
it occurs.


> Remoting does not provide configurable limiting of exposed resources
> --------------------------------------------------------------------
>
>                 Key: SHALE-344
>                 URL: http://issues.apache.org/struts/browse/SHALE-344
>             Project: Shale
>          Issue Type: Bug
>          Components: Remoting
>            Reporter: Craig McClanahan
>         Assigned To: Craig McClanahan
>
> Shale Remoting's current Processor implementations provide limited hard coded limitations
on what resources may be accessed (cannot download classpath resources named "*.class", cannot
download webapp resources named "/WEB-INF/*"), but they need to provide configurable settings
for more fine grain control.  In addition, reasonably secure defaults should be provided.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/struts/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message