shiro-dev mailing list archives

From Jim Manico <jim.man...@owasp.org>
Subject Re: [jira] [Commented] (SHIRO-360) Create UrlEncoder
Date Wed, 09 May 2012 20:51:08 GMT
Agreed on needing to support session re-writing. Would love to see a
security log event, JavaDoc or both warning against this practice. :)

Aloha folks,
Jim

>     [ https://issues.apache.org/jira/browse/SHIRO-360?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13271797#comment-13271797 ]
>
> Les Hazlewood commented on SHIRO-360:
> -------------------------------------
>
> Hi Jim,
>
> I totally agree - this is why I'd like it to be a customizable component where these
> things can be easily turned on/off instead of embedded in the ShiroHttpServletResponse implementation
> like it is today.
>
> However, because Shiro must adhere to the Servlet Specification, we have to support JSESSIONID
> appending - but we can still strongly recommend to people that they turn it off (or even likely
> turn it off by default).  XSS defense was also on my mind when I thought about this too -
> hopefully we can kill a few birds with one stone here.
>
> Thanks for the feedback!!!
>
> Les
>                 
>> Create UrlEncoder
>> -----------------
>>
>>                 Key: SHIRO-360
>>                 URL: https://issues.apache.org/jira/browse/SHIRO-360
>>             Project: Shiro
>>          Issue Type: New Feature
>>          Components: Web
>>            Reporter: Les Hazlewood
>>             Fix For: 1.3.0
>>
>>
>> To customize how URL encoding in a web app occurs, we should have a UrlEncoder component.
>> More specifically, this can be used to customize how JSESSIONID is appended to a URL (if
>> at all, depending on security preferences).
>> The solution could be resolved as follows:
>> Create a new UrlEncoder interface (the request type below needs the servlet API imports):
>> import javax.servlet.ServletContext;
>> import javax.servlet.http.HttpServletRequest;
>> import javax.servlet.http.HttpServletResponse;
>> public interface UrlEncoder {
>>     String encodeUrl(EncodeUrlRequest request);
>> }
>> The EncodeUrlRequest:
>> public interface EncodeUrlRequest {
>>     String getUrl();
>>     HttpServletRequest getHttpServletRequest();
>>     HttpServletResponse getHttpServletResponse();
>>     ServletContext getServletContext();
>> }
>> Update WebEnvironment to have a new property:
>> UrlEncoder getUrlEncoder();


-- 
Jim Manico

Connections Committee Chair
Cheatsheet Series Product Manager
OWASP Podcast Producer/Host

jim@owasp.org
www.owasp.org
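The thread above asks for two things: a pluggable UrlEncoder so that JSESSIONID URL rewriting can be switched off, and a security log event when the practice is in play. The sketch below is an added example written for this archive page; it is not Shiro's code and not the ticket's eventual implementation. It copies the two interfaces exactly as proposed in SHIRO-360 and adds two hypothetical implementations: one that delegates to the container (the Servlet-spec behaviour Les says Shiro must keep supporting) and one that never emits a session id in a URL, strips any ";jsessionid=..." path parameter it is handed, and logs the event. Everything else (the class names, the "shiro.security" logger name, the forPolicy switch, the sample URLs) is an assumption made for illustration. It assumes the javax.servlet (Servlet 3.0 era) API on the classpath and must live in a file named UrlEncoderDemo.java.

```java
// Added example for this discussion; not Shiro code and not the SHIRO-360 implementation.
// Assumes javax.servlet is on the classpath. Save as UrlEncoderDemo.java.
import java.util.logging.Logger;
import java.util.regex.Pattern;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Copied verbatim from the SHIRO-360 proposal. */
interface UrlEncoder {
    String encodeUrl(EncodeUrlRequest request);
}

/** Copied verbatim from the SHIRO-360 proposal. */
interface EncodeUrlRequest {
    String getUrl();
    HttpServletRequest getHttpServletRequest();
    HttpServletResponse getHttpServletResponse();
    ServletContext getServletContext();
}

/**
 * Spec-compliant behaviour (hypothetical class): the container decides whether to
 * append ;jsessionid=... (typically when it has not yet seen the session cookie).
 */
final class ContainerUrlEncoder implements UrlEncoder {
    public String encodeUrl(EncodeUrlRequest req) {
        return req.getHttpServletResponse().encodeURL(req.getUrl());
    }
}

/**
 * Hardened behaviour (hypothetical class): never put a session id in a URL.
 * A session id in a URL leaks via Referer headers, proxy and browser history,
 * and is a session-fixation vector, so this encoder strips it and raises a
 * security log event instead of appending one.
 */
final class NoSessionIdUrlEncoder implements UrlEncoder {
    // Logger name is an assumption; wire it to whatever your SIEM collects.
    private static final Logger SECURITY_LOG = Logger.getLogger("shiro.security");

    // A ;jsessionid=... path parameter ends at the next path parameter (';'),
    // path segment ('/'), query ('?') or fragment ('#'). Case-insensitive
    // because containers and hand-written links do not agree on the spelling.
    static final Pattern SESSION_ID_PARAM = Pattern.compile("(?i);jsessionid=[^;/?#]*");

    /** Pure string function so the behaviour can be exercised without a container. */
    static String stripSessionId(String url) {
        return SESSION_ID_PARAM.matcher(url).replaceAll("");
    }

    public String encodeUrl(EncodeUrlRequest req) {
        String url = req.getUrl();
        String clean = stripSessionId(url);
        if (!clean.equals(url)) {
            HttpServletRequest http = req.getHttpServletRequest();
            // Log the event, never the session id value itself.
            SECURITY_LOG.warning("Removed JSESSIONID path parameter from a URL emitted for "
                    + http.getRequestURI() + " (client " + http.getRemoteAddr() + ")");
        }
        return clean;
    }
}

public final class UrlEncoderDemo {
    /** The on/off switch the thread asks for: choose an encoder by policy. */
    static UrlEncoder forPolicy(boolean allowSessionIdInUrl) {
        return allowSessionIdInUrl ? new ContainerUrlEncoder() : new NoSessionIdUrlEncoder();
    }

    public static void main(String[] args) {
        // Constructed sample URLs of the kind a container produces after rewriting.
        String[] samples = {
            "/app/account;jsessionid=0123456789ABCDEF?tab=profile",
            "/app/account;jsessionid=0123456789ABCDEF",
            "https://example.test/app/;JSESSIONID=abc;color=red#top",
            "/app/account?tab=profile"
        };
        for (String s : samples) {
            System.out.println(s + "  ->  " + NoSessionIdUrlEncoder.stripSessionId(s));
        }
        // Expected:
        //   /app/account?tab=profile
        //   /app/account
        //   https://example.test/app/;color=red#top
        //   /app/account?tab=profile   (unchanged)
    }
}
```

The stripping half is kept as a static string function so it can be unit-tested without a servlet container; only the logging path needs the request. Note that the hardened encoder will break clients that have cookies disabled, which is exactly the trade-off the thread describes: the Servlet spec requires that the rewriting path exist, so the reasonable default is to select the hardened encoder and let a deployment opt back in via forPolicy(true).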
