If you have foo.jsp in the webapp root and foo.jsp contains any
sensitive information (a password, but also just some algorithm used for
security, or headers...) then the raw JSP will be exposed to the client
(not interpreted).


Romain Manni-Bucau
Twitter: @rmannibucau
Blog: http://rmannibucau.wordpress.com/
LinkedIn: http://fr.linkedin.com/in/rmannibucau
Github: https://github.com/rmannibucau

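Added illustration of the "filter at the end of the chain" approach described in the thread; this is example code, not TomEE's CXFJAXRSFilter. The class name, the `jaxrs-servlet-name` init-param and the suffix list are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;

// Hypothetical filter, mapped to /* and declared LAST in web.xml so that
// authorization filters declared before it still run on every request.
public class JaxRsLastFilter implements Filter {
    // Assumed suffix rule (the thread's "open point"): plain static files skip JAX-RS.
    private static final String[] STATIC_SUFFIXES = {".css", ".js", ".png", ".gif"};
    private ServletContext context;
    private String jaxrsServletName; // JAX-RS servlet registered by name, no url-pattern

    @Override
    public void init(FilterConfig config) {
        context = config.getServletContext();
        jaxrsServletName = config.getInitParameter("jaxrs-servlet-name"); // assumed param
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String path = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());
        if (path.isEmpty()) path = "/";
        if (isStaticResource(path) || context.getResource(path) != null) {
            // A real file answers to this path (foo.jsp, style.css...): let the chain
            // reach the container's JSP/default servlet, which interprets the JSP
            // instead of handing its source to the client. JAX-RS never sees it.
            chain.doFilter(req, resp);
            return;
        }
        // Nothing in the webapp matches: dispatch to the JAX-RS servlet by name.
        RequestDispatcher jaxrs = context.getNamedDispatcher(jaxrsServletName);
        if (jaxrs == null) {
            throw new ServletException("JAX-RS servlet not registered: " + jaxrsServletName);
        }
        jaxrs.forward(req, resp);
    }

    static boolean isStaticResource(String path) {
        for (String suffix : STATIC_SUFFIXES) {
            if (path.endsWith(suffix)) return true;
        }
        return false;
    }

    @Override
    public void destroy() { }
}
```

Register the JAX-RS servlet in web.xml with a servlet-name but no url-pattern, and declare this filter's /* mapping after every authorization filter.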

2014-09-18 21:25 GMT+02:00 Bjorn Danielsson <[email protected]>:
> Romain, could you please remind me what this security issue is?
>
> I am mixing jaxrs POJOs with servlet filters doing authorization,
> and doing forwards to jsp and other resources in the middle of
> everything, so I'll be happy to test this (on trunk I assume).
>
> --
> Bjorn Danielsson
> Cuspy Code AB
>
>
> Romain Manni-Bucau <[email protected]> wrote:
>> Hi guys
>>
>> Anyone with time to review my last days' hacking to fix our JAX-RS
>> issue? The idea is to replace the JAX-RS servlet by a filter coming at the end
>> of the chain (to still be able to do security etc ;)). This way, if the
>> resource exists we just delegate to the servlet handling it (JSP...).
>>
>> What needs to be done: review that what I did didn't introduce a regression
>> I could have missed.
>>
>> Open point: in org.apache.tomee.webservices.CXFJAXRSFilter#doFilter we
>> could add a few "rules" to say "that's a resource URL" (through a
>> suffix like .css, .js...) and in this case forget about JAX-RS. That
>> said, I'm not sure it would be used that much, so I didn't want to add it
>> *now*.
>>
>> Once somebody has validated it is OK, I'll backport it to the 1.7 branch.
>>
>>
>>
>>
>> Romain Manni-Bucau
>> Twitter: @rmannibucau
>> Blog: http://rmannibucau.wordpress.com/
>> LinkedIn: http://fr.linkedin.com/in/rmannibucau
>> Github: https://github.com/rmannibucau
