Great, thanks for the feedback
Romain Manni-Bucau
Twitter: @rmannibucau
Blog: http://rmannibucau.wordpress.com/
LinkedIn: http://fr.linkedin.com/in/rmannibucau
Github: https://github.com/rmannibucau

2014-09-26 18:28 GMT+02:00 Bjorn Danielsson <[email protected]>:
> OK, I have now tested my webapp with trunk from this morning.
> All my filters and servlets and JAX-RS stuff and request-forwarding
> worked as expected, except that I had to change
> my @Path-annotated POJO into an @ApplicationPath-annotated
> subclass of javax.ws.rs.core.Application, otherwise a special
> legacy servlet (a third-party WebDAV servlet) couldn't be invoked.
> I realized that this was a bug on my part, and after making the
> change all is good.
>
> --
> Bjorn Danielsson
> Cuspy Code AB
>
>
> Romain Manni-Bucau <[email protected]> wrote:
>> if you have foo.jsp in the webapp root and foo.jsp contains any
>> sensitive information (password but also just some algorithm used for
>> security or headers...) then the raw jsp will be exposed to the client
>> (not interpreted)
>>
>>
>> Romain Manni-Bucau
>> Twitter: @rmannibucau
>> Blog: http://rmannibucau.wordpress.com/
>> LinkedIn: http://fr.linkedin.com/in/rmannibucau
>> Github: https://github.com/rmannibucau
>>
>>
>> 2014-09-18 21:25 GMT+02:00 Bjorn Danielsson
>> <[email protected]>:
>>> Romain, could you please remind me what this security issue is?
>>>
>>> I am mixing jaxrs POJOs with servlet filters doing authorization,
>>> and doing forwards to jsp and other resources in the middle of
>>> everything, so I'll be happy to test this (on trunk I assume).
>>>
>>> --
>>> Bjorn Danielsson
>>> Cuspy Code AB
>>>
>>>
>>> Romain Manni-Bucau <[email protected]> wrote:
>>>> Hi guys
>>>>
>>>> anyone with time to review my last days' hacking to fix our jaxrs
>>>> issue? idea is to replace jaxrs servlet by a filter coming at the end
>>>> of the chain (to still be able to do security etc ;)). This way if the
>>>> resource exists we just delegate to the servlet handling it (jsp...).
>>>>
>>>> What needs to be done: review that what I did didn't introduce a regression
>>>> I could have missed
>>>>
>>>> open point: in org.apache.tomee.webservices.CXFJAXRSFilter#doFilter we
>>>> can desire to add a few "rules" to say "that's a resource url (thought to
>>>> suffix like .css, .js...)" and in this case forget about JAXRS. That
>>>> said, not sure it would be used that much so I didn't want to add it
>>>> *now*.
>>>>
>>>> Once sby has validated it is ok then I'll backport it on the 1.7 branch
>>>>
>>>>
>>>>
>>>>
>>>> Romain Manni-Bucau
>>>> Twitter: @rmannibucau
>>>> Blog: http://rmannibucau.wordpress.com/
>>>> LinkedIn: http://fr.linkedin.com/in/rmannibucau
>>>> Github: https://github.com/rmannibucau
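The design Romain describes in the quoted message (a JAX-RS filter placed last in the chain that yields to the container's own servlets whenever the requested path is an existing webapp resource, so a `foo.jsp` is interpreted by the JSP servlet instead of being served raw, and with the optional "static suffix" rule from the open point) is sketched below as an added, illustrative example. It is not TomEE's `org.apache.tomee.webservices.CXFJAXRSFilter` nor any code from the thread; the class name `ResourceAwareJaxRsFilter`, the suffix list and the `dispatchToJaxRs` placeholder (which stands in for the hand-off to the JAX-RS runtime) are assumptions made here.

```java
import java.io.IOException;
import java.net.MalformedURLException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative filter (hypothetical, not TomEE's CXFJAXRSFilter).
 * Mapped last in the filter chain, so authorization filters have already
 * run. If the request names an existing webapp resource, the request is
 * passed down the chain so the container's JSP/default servlet renders it;
 * only paths that match nothing are handed to JAX-RS.
 */
public class ResourceAwareJaxRsFilter implements Filter {

    // Constructed list for the thread's "open point": treat these suffixes
    // as static resources and never route them to JAX-RS.
    private static final Set<String> STATIC_SUFFIXES =
            new HashSet<>(Arrays.asList(".css", ".js", ".png", ".ico"));

    private ServletContext context;

    @Override
    public void init(FilterConfig config) {
        context = config.getServletContext();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String path = contextRelativePath(request);

        if (hasStaticSuffix(path) || isExistingResource(path)) {
            // A real JSP/static file: let the servlet registered for it
            // serve it (the JSP servlet interprets it, never the raw source).
            chain.doFilter(req, res);
            return;
        }
        dispatchToJaxRs(request, (HttpServletResponse) res);
    }

    /** Path relative to the context root, e.g. "/foo.jsp" or "/api/users". */
    static String contextRelativePath(HttpServletRequest request) {
        String servletPath = request.getServletPath();
        String pathInfo = request.getPathInfo();
        return pathInfo == null ? servletPath : servletPath + pathInfo;
    }

    static boolean hasStaticSuffix(String path) {
        String lower = path.toLowerCase();
        for (String suffix : STATIC_SUFFIXES) {
            if (lower.endsWith(suffix)) {
                return true;
            }
        }
        return false;
    }

    /** True when the webapp actually contains a client-servable file at path. */
    boolean isExistingResource(String path) {
        String lower = path.toLowerCase();
        // WEB-INF and META-INF exist in the context but are never servable.
        if (lower.startsWith("/web-inf/") || lower.startsWith("/meta-inf/")) {
            return false;
        }
        try {
            return context.getResource(path) != null;
        } catch (MalformedURLException e) {
            return false;
        }
    }

    /** Hypothetical placeholder for handing the request to the JAX-RS runtime. */
    private void dispatchToJaxRs(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        response.sendError(HttpServletResponse.SC_NOT_FOUND);
    }

    @Override
    public void destroy() {
    }
}
```

Ordering is the point: because the existence check runs before the JAX-RS hand-off, and the filter is registered after the security filters, a JSP in the webapp root is reached only through the JSP servlet, which is what closes the raw-source exposure described in the quoted message.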
