[ http://issues.apache.org/jira/browse/MYFACES-473?page=comments#action_12320684 ]

Sylvain Vieujot commented on MYFACES-473:
-----------------------------------------

The reason for this security check is that without it, you could use the filter 
with a crafted class name to access any file in a "resource" directory.

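We could create a white list, with a register method:

// In AddResource; needs java.util.Set and java.util.HashSet.
private static Set registeredClasses = new HashSet();

// Called by a component to allow its resources to be served.
public static void registerAccess(Class clazz){
    registeredClasses.add( clazz);
}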

And in the code, check if the class is registered before delivering the 
requested file.
This would need a few other minor modifications, but it shouldn't be too hard.

If you can prepare a patch it would be great!

Thanks,

Sylvain.

> cannot use AddResource class to add resources of own components
> ---------------------------------------------------------------
>
>          Key: MYFACES-473
>          URL: http://issues.apache.org/jira/browse/MYFACES-473
>      Project: MyFaces
>         Type: Improvement
>   Components: Tomahawk
>     Versions: Nightly Build
>     Reporter: Csaba Sebastian

>
> I wrote a new component based on MyFaces, and this component has an external 
> JS resource. While rendering, I want to add the reference of this resource by 
> the AddResource class: I tried simply to call 
> AddResource.addJavaScriptToHeader(...). But unfortunately this function can 
> handle only the resources of the MyFaces components, because of the line 203:
>    if( ! name.startsWith(COMPONENTS_PACKAGE) ){   log.error(  ....
> If I write my own AddResource class (functions like yours), the 
> ExtensionsFilter still references the old AddResource class (between lines 106 
> and 132), so I need to implement a new ExtensionFilter to handle my resources 
> well.
> This solution of my problem works, but I won't use it. I need a more 
> structured solution. What shall I do to use the original AddResource class? 
> And what are these "security reasons", why the restriction to the package 
> name is required?

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
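
The white list proposed in the comment above, as an added Java example that is not part of the original message and not MyFaces code. The class name ResourceAccessRegistry, the lookup and open methods, and the "resource/" layout next to the component class are assumptions made for illustration.

```java
import java.io.InputStream;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical sketch, not MyFaces code: an allowlist consulted before a
// filter serves a file from a component's "resource" directory.
public final class ResourceAccessRegistry {

    // Classes that have opted in to having their resources served.
    private static final Set<Class<?>> REGISTERED = ConcurrentHashMap.newKeySet();

    public static void registerAccess(Class<?> clazz) {
        REGISTERED.add(clazz);
    }

    // Match the requested name against registered classes only; the
    // request-supplied string is never passed to Class.forName().
    static Class<?> lookup(String requestedClassName) {
        for (Class<?> c : REGISTERED) {
            if (c.getName().equals(requestedClassName)) {
                return c;
            }
        }
        return null;
    }

    // Assumed layout: files live in "resource/" next to the component class.
    // Returns null (caller should answer 404) for anything not allowed.
    public static InputStream open(String requestedClassName, String fileName) {
        Class<?> owner = lookup(requestedClassName);
        if (owner == null) {
            return null; // class was never registered
        }
        if (fileName == null || fileName.isEmpty() || fileName.startsWith("/")
                || fileName.contains("..") || fileName.contains("\\")) {
            return null; // refuse names that could leave the directory
        }
        return owner.getResourceAsStream("resource/" + fileName);
    }

    public static void main(String[] args) {
        registerAccess(ResourceAccessRegistry.class); // constructed sample
        String self = ResourceAccessRegistry.class.getName();
        System.out.println(lookup(self) != null);                     // registered class
        System.out.println(open("java.lang.String", "x.js") == null); // unregistered class
        System.out.println(open(self, "../secret.txt") == null);      // traversal attempt
    }
}
```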
