Indeed there is a security hole and IIRC we have discussed this earlier as well. However, web app developers will need to access the registry too, so my suggestion is just to expose the user registry. We can have a security check for system registries and we can secure it using Java security. WDYT?

Thanks & Regards
Danushka Fernando
Software Engineer
WSO2 inc. http://wso2.com/
Mobile : +94716332729

On Tue, Jan 13, 2015 at 5:45 PM, Dimuthu Leelarathne <[email protected]> wrote:

> Hi all,
>
> Disable giving System governance and System Config registries via
> CarbonContext to App Developers. Why do we need to give Registry to app
> developers?
>
> - To be used as a repository. So simply give an empty repository. It could
> be backed by a DB, or persistent cache.
>
>
> Why is it more important now?
>
>
> This is opening up a security hole and specially after unified governance
> story. The problem is right now (in the Cloud) AF has secured tampering
> System governance registry by putting handlers/permissions. But in future
> data are not stored in specific paths and we won't be able to protect
> pre-defined paths.
>
>
> thanks,
>
> dimuthu
>
>
>
> --
> Dimuthu Leelarathne
> Architect & Product Lead of App Factory
>
> WSO2, Inc. (http://wso2.com)
> email: [email protected]
> Mobile : 0773661935
>
> Lean . Enterprise . Middleware
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
