JAXRS: fixing the security issue on 1.7


JAXRS: fixing the security issue on 1.7

Romain Manni-Bucau
Hi guys,

Anyone with time to review my last days' hacking to fix our JAX-RS
issue? The idea is to replace the JAX-RS servlet by a filter coming at the end
of the chain (to still be able to do security etc. ;)). This way, if the
resource exists, we just delegate to the servlet handling it (JSP...).

What needs to be done: review that what I did didn't introduce a regression
I could have missed.

Open point: in org.apache.tomee.webservices.CXFJAXRSFilter#doFilter we
could add a few "rules" to say "that's a resource URL (thought to be
suffixes like .css, .js...)" and in this case forget about JAX-RS. That
said, I'm not sure it would be used that much, so I didn't want to add it
*now*.

Once somebody has validated it is OK, I'll backport it to the 1.7 branch.




Romain Manni-Bucau
Twitter: @rmannibucau
Blog: http://rmannibucau.wordpress.com/
LinkedIn: http://fr.linkedin.com/in/rmannibucau
Github: https://github.com/rmannibucau
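The filter-at-the-end-of-the-chain design described in this message, as a hypothetical Java sketch added here (it is not TomEE's own CXFJAXRSFilter code): the class name, handleJaxRs() and the suffix list are assumptions. It lets the request continue down the chain when the path names an existing webapp resource, so foo.jsp is interpreted by the JSP servlet instead of being streamed raw, and only otherwise dispatches to JAX-RS.

```java
import java.io.IOException;
import java.net.MalformedURLException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
// Hypothetical filter, not TomEE's CXFJAXRSFilter: mapped last in the chain so the
// security filters have already run; it only hands a request to JAX-RS when no
// real resource in the webapp matches the path.
public abstract class ResourceAwareJaxRsFilter implements Filter {
    private ServletContext context;

    @Override
    public void init(FilterConfig config) {
        context = config.getServletContext();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        // A file present in the webapp (foo.jsp, style.css, ...) goes on down the chain
        // to the servlet that owns it (JSP servlet, default servlet), so it is not served raw.
        if (isResource(path)) {
            chain.doFilter(req, resp);
            return;
        }
        handleJaxRs(request, (HttpServletResponse) resp);
    }

    // Existence check, plus the optional "static suffix" rule from the open point.
    // Note: getResource() also answers non-null for directories such as "/".
    boolean isResource(String path) {
        if (path.endsWith(".css") || path.endsWith(".js")) {
            return true;
        }
        try {
            return context.getResource(path) != null;
        } catch (MalformedURLException e) {
            return false;
        }
    }

    // Dispatch to the JAX-RS runtime (CXF in TomEE); left abstract in this sketch.
    protected abstract void handleJaxRs(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException;
}
```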

Re: JAXRS: fixing the security issue on 1.7

Bjorn Danielsson
Romain, could you please remind me what this security issue is?

I am mixing JAX-RS POJOs with servlet filters doing authorization,
and doing forwards to JSP and other resources in the middle of
everything, so I'll be happy to test this (on trunk I assume).

--
Bjorn Danielsson
Cuspy Code AB


Romain Manni-Bucau <[hidden email]> wrote:

> Hi guys,
>
> Anyone with time to review my last days' hacking to fix our JAX-RS
> issue? The idea is to replace the JAX-RS servlet by a filter coming at the end
> of the chain (to still be able to do security etc. ;)). This way, if the
> resource exists, we just delegate to the servlet handling it (JSP...).
>
> What needs to be done: review that what I did didn't introduce a regression
> I could have missed.
>
> Open point: in org.apache.tomee.webservices.CXFJAXRSFilter#doFilter we
> could add a few "rules" to say "that's a resource URL (thought to be
> suffixes like .css, .js...)" and in this case forget about JAX-RS. That
> said, I'm not sure it would be used that much, so I didn't want to add it
> *now*.
>
> Once somebody has validated it is OK, I'll backport it to the 1.7 branch.

Re: JAXRS: fixing the security issue on 1.7

Romain Manni-Bucau
If you have foo.jsp in the webapp root and foo.jsp contains any
sensitive information (a password, but also just some algorithm used for
security, or headers...), then the raw JSP will be exposed to the client
(not interpreted).


Romain Manni-Bucau
Twitter: @rmannibucau
Blog: http://rmannibucau.wordpress.com/
LinkedIn: http://fr.linkedin.com/in/rmannibucau
Github: https://github.com/rmannibucau


2014-09-18 21:25 GMT+02:00 Bjorn Danielsson <[hidden email]>:

> Romain, could you please remind me what this security issue is?
>
> I am mixing jaxrs POJOs with servlet filters doing authorization,
> and doing forwards to jsp and other resources in the middle of
> everything, so I'll be happy to test this (on trunk I assume).

Re: JAXRS: fixing the security issue on 1.7

Bjorn Danielsson
OK, I have now tested my webapp with trunk from this morning.
All my filters and servlets and JAX-RS stuff and request-
forwarding worked as expected, except that I had to change
my @Path-annotated POJO into an @ApplicationPath-annotated
subclass of javax.ws.rs.core.Application, otherwise a special
legacy servlet (a third-party WebDAV servlet) couldn't be invoked.
I realized that this was a bug on my part, and after making the
change all is good.

--
Bjorn Danielsson
Cuspy Code AB


Romain Manni-Bucau <[hidden email]> wrote:

> If you have foo.jsp in the webapp root and foo.jsp contains any
> sensitive information (a password, but also just some algorithm used for
> security, or headers...), then the raw JSP will be exposed to the client
> (not interpreted).

Re: JAXRS: fixing the security issue on 1.7

Romain Manni-Bucau
Great, thanks for the feedback.


Romain Manni-Bucau
Twitter: @rmannibucau
Blog: http://rmannibucau.wordpress.com/
LinkedIn: http://fr.linkedin.com/in/rmannibucau
Github: https://github.com/rmannibucau


2014-09-26 18:28 GMT+02:00 Bjorn Danielsson <[hidden email]>:

> OK, I have now tested my webapp with trunk from this morning.
> All my filters and servlets and JAX-RS stuff and request-
> forwarding worked as expected, except that I had to change
> my @Path-annotated POJO into an @ApplicationPath-annotated
> subclass of javax.ws.rs.core.Application, otherwise a special
> legacy servlet (a third-party WebDAV servlet) couldn't be invoked.
> I realized that this was a bug on my part, and after making the
> change all is good.