[ 
https://issues.apache.org/jira/browse/SLING-2870?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Timothee Maret updated SLING-2870:
----------------------------------

    Description: 
The current "allow.hosts" setting of the ReferrerFilter can be configured with 
a list of trusted hosts.
In a setup where the list of allowed hosts is expanding as the application 
runs, it becomes tricky to keep the configuration in sync.
As an example, a service which supports wildcard URIs such as 
{{<userId>.my.service.com}} would be required to modify the reference filter 
configuration for each user which is hardly doable.

Thus, I would propose to support regex patterns for the list of "allow.hosts", 
which would still be secure.

The example above would be configured as: {{allow.hosts=(.*).my.service.com}}

  was:
The current "allow.hosts" setting of the ReferrerFilter can be configured with 
a list of trusted hosts.
In a setup where the list of allowed hosts is expanding as the application 
runs, it becomes tricky to keep the configuration in sync.
As an example, a service which supports wildcard URIs such as 
{noformat}
<userId>.my.service.com
{noformat}
would be required to modify the reference filter configuration for each user 
which is hardly doable.

Thus, I would propose to support regex patterns for the list of "allow.hosts", 
which would still be secure.

The example above would be configured as:
{noformat}
allow.hosts=*.my.service.com
{noformat}

    
> Support allowed hosts patterns in ReferrerFilter
> ------------------------------------------------
>
>                 Key: SLING-2870
>                 URL: https://issues.apache.org/jira/browse/SLING-2870
>             Project: Sling
>          Issue Type: Improvement
>          Components: Extensions
>    Affects Versions: Security 1.0.2
>            Reporter: Timothee Maret
>
> The current "allow.hosts" setting of the ReferrerFilter can be configured 
> with a list of trusted hosts.
> In a setup where the list of allowed hosts is expanding as the application 
> runs, it becomes tricky to keep the configuration in sync.
> As an example, a service which supports wildcard URIs such as 
> {{<userId>.my.service.com}} would be required to modify the reference filter 
> configuration for each user which is hardly doable.
> Thus, I would propose to support regex patterns for the list of 
> "allow.hosts", which would still be secure.
> The example above would be configured as: {{allow.hosts=(.*).my.service.com}}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
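
An added example, not part of the issue and not Sling's ReferrerFilter code: a hypothetical `AllowedHostPatterns` helper that matches the Referer host against regex entries of the kind proposed above, comparing the pattern as written in the issue with a variant that escapes the dots and limits the wildcard to one label. The class name, the escaped pattern and the sample Referer values are assumptions constructed here.

```java
import java.net.URI;
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

// Hypothetical helper for illustration; not the Sling implementation.
public class AllowedHostPatterns {
    private final List<Pattern> patterns;

    AllowedHostPatterns(List<String> regexes) {
        // Compile once at configuration time so an invalid regex fails early.
        this.patterns = regexes.stream().map(Pattern::compile).collect(Collectors.toList());
    }

    /** Returns true only if the Referer's host matches one pattern in full. */
    boolean isAllowed(String referer) {
        if (referer == null) return false;
        String host;
        try {
            host = URI.create(referer).getHost();
        } catch (IllegalArgumentException e) {
            return false; // an unparsable Referer is rejected
        }
        if (host == null) return false;
        String h = host.toLowerCase(Locale.ROOT);
        // matches() anchors at both ends of the host; find() would also
        // accept the trusted name as a substring of a longer host.
        return patterns.stream().anyMatch(p -> p.matcher(h).matches());
    }

    public static void main(String[] args) {
        // Pattern as written in the issue: every '.' is a regex wildcard.
        AllowedHostPatterns asWritten =
            new AllowedHostPatterns(List.of("(.*).my.service.com"));
        // Assumed stricter form: literal dots, exactly one leading label.
        AllowedHostPatterns escaped =
            new AllowedHostPatterns(List.of("[a-z0-9-]+\\.my\\.service\\.com"));
        // Constructed Referer values.
        String[] referers = {
            "https://alice.my.service.com/page",
            "https://alice.my-service.com/page",
            "https://alice.my.service.com.other.example/page",
        };
        for (String r : referers) {
            System.out.printf("%-50s asWritten=%-5b escaped=%b%n",
                r, asWritten.isAllowed(r), escaped.isAllowed(r));
        }
    }
}
```

The second Referer is accepted by the pattern as written because an unescaped `.` also matches `-`; the third is rejected by both only because the match is anchored to the whole host.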
