OK, I have now tested my webapp with trunk from this morning. All my filters and servlets and JAX-RS stuff and request forwarding worked as expected, except that I had to change my @Path-annotated POJO into an @ApplicationPath-annotated subclass of javax.ws.rs.core.Application, otherwise a special legacy servlet (a third-party WebDAV servlet) couldn't be invoked. I realized that this was a bug on my part, and after making the change all is good.
-- 
Bjorn Danielsson
Cuspy Code AB

Romain Manni-Bucau <[email protected]> wrote:
> if you have foo.jsp in the webapp root and foo.jsp contains any
> sensitive information (a password, but also just some algorithm used for
> security, or headers...) then the raw JSP will be exposed to the client
> (not interpreted).
>
>
> Romain Manni-Bucau
> Twitter: @rmannibucau
> Blog: http://rmannibucau.wordpress.com/
> LinkedIn: http://fr.linkedin.com/in/rmannibucau
> Github: https://github.com/rmannibucau
>
>
> 2014-09-18 21:25 GMT+02:00 Bjorn Danielsson <[email protected]>:
>> Romain, could you please remind me what this security issue is?
>>
>> I am mixing JAX-RS POJOs with servlet filters doing authorization,
>> and doing forwards to JSP and other resources in the middle of
>> everything, so I'll be happy to test this (on trunk, I assume).
>>
>> --
>> Bjorn Danielsson
>> Cuspy Code AB
>>
>>
>> Romain Manni-Bucau <[email protected]> wrote:
>>> Hi guys,
>>>
>>> anyone with time to review my last days' hacking to fix our JAX-RS
>>> issue? The idea is to replace the JAX-RS servlet by a filter coming at the end
>>> of the chain (to still be able to do security etc ;)). This way, if the
>>> resource exists we just delegate to the servlet handling it (JSP...).
>>>
>>> What needs to be done: review that what I did didn't introduce a regression
>>> I could have missed.
>>>
>>> Open point: in org.apache.tomee.webservices.CXFJAXRSFilter#doFilter we
>>> could add a few "rules" to say "that's a resource URL" (think of
>>> suffixes like .css, .js...) and in this case forget about JAX-RS. That
>>> said, I'm not sure it would be used that much, so I didn't want to add it
>>> *now*.
>>>
>>> Once somebody has validated it is OK, I'll backport it to the 1.7 branch.
>>>
>>>
>>> Romain Manni-Bucau
>>> Twitter: @rmannibucau
>>> Blog: http://rmannibucau.wordpress.com/
>>> LinkedIn: http://fr.linkedin.com/in/rmannibucau
>>> Github: https://github.com/rmannibucau
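The "JAX-RS as the last filter in the chain" design Romain describes, written out as an added, constructed example (it is not TomEE's CXFJAXRSFilter and not Bjorn's code). It assumes the JAX-RS servlet is declared in web.xml by name only (default name "jaxrs", overridable via the hypothetical init-param `jaxrsServletName`) with no url-pattern, and that this filter is mapped to `/*` after the security filters:

```java
import java.io.IOException;
import java.net.MalformedURLException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;

/** Constructed example: routes to JAX-RS only when no webapp resource backs the path. */
public class JaxRsLastFilter implements Filter {
    private ServletContext context;
    private String jaxrsServletName;

    @Override
    public void init(FilterConfig config) {
        context = config.getServletContext();
        // The JAX-RS servlet is declared in web.xml by name only (assumed "jaxrs"), with no url-pattern.
        jaxrsServletName = config.getInitParameter("jaxrsServletName");
        if (jaxrsServletName == null) jaxrsServletName = "jaxrs";
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Path relative to the context root, without query string: "/foo.jsp", "/api/users".
        String path = http.getRequestURI().substring(http.getContextPath().length());
        if (resourceExists(path)) {
            // A packaged file backs this path: let the JSP/default servlet serve it, so
            // foo.jsp is interpreted rather than returned as raw source through JAX-RS.
            chain.doFilter(req, resp);
            return;
        }
        // Nothing in the webapp matches: treat it as an API call and hand it to JAX-RS by name.
        RequestDispatcher jaxrs = context.getNamedDispatcher(jaxrsServletName);
        if (jaxrs == null) throw new ServletException("no servlet named " + jaxrsServletName);
        jaxrs.forward(req, resp);
    }

    /** True when the path resolves to a resource inside the webapp (JSP, static file, directory). */
    boolean resourceExists(String path) {
        try {
            return !path.isEmpty() && context.getResource(path) != null;
        } catch (MalformedURLException e) {
            return false;
        }
    }

    @Override
    public void destroy() { }
}
```

With the default REQUEST dispatcher type the filter does not re-run on forwards, so a JAX-RS resource forwarding to a JSP still reaches the JSP servlet directly; the named-dispatcher forward keeps the original request path, which is what a `/*`-mapped JAX-RS servlet expects.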
