Ok, thanks. But then how can we secure the repository from malicious code while still giving remote access to a Nuxeo client app we wrote?
Thanks a lot.

Nel

2010/3/25 Florent Guillaume <[email protected]>:
> Did you actually get an answer?
> The short one is that no, it's not possible: Nuxeo Shell uses JBoss
> Remoting, which is designed as an equivalent to RMI and provides
> roughly full JVM access. So even if the shell superficially required
> credentials, underlying this the protocol would still be open to
> someone that compiled his own shell.
>
> Florent
>
> On Mon, Mar 22, 2010 at 5:35 PM, Nel Taurisson <[email protected]>
> wrote:
>> Sorry, hit the button too fast.
>>
>> Thanks a lot for your answers.
>> Regards
>>
>> Nel
>>
>> 2010/3/22 Nel Taurisson <[email protected]>:
>>> Hi,
>>>
>>> It seems to me that it is possible to connect to a remote Nuxeo repo
>>> without any credential and have full read / write access to the repo.
>>>
>>> Maybe I'm missing a configuration property or something, but I'm
>>> afraid I can execute the following code either on Nuxeo 5.2 or 5.3:
>>>
>>> Collection<File> files = null;
>>> String bundles = System.getProperty("nuxeo.bundles");
>>> if (bundles != null) {
>>>     files = NuxeoApp.getBundleFiles(new File("."), bundles, ":");
>>> }
>>>
>>> NuxeoApp app = new NuxeoApp();
>>> app.start();
>>>
>>> if (files != null) {
>>>     app.deployBundles(files);
>>> }
>>>
>>> NuxeoClient client = NuxeoClient.getInstance();
>>>
>>> client.tryConnect("localhost", 62474);
>>>
>>> RepositoryInstance repo = client.openRepository() ;
>>> CoreSession documentManager = repo.getSession() ;
>>>
>>> DocumentModel doc = documentManager.getDocument( new PathRef( "/default-domain" ) ) ;
>>> doc.setPropertyValue( "dc:description" , "I could have killed your repo" ) ;
>>> doc = documentManager.saveDocument( doc ) ;
>>> documentManager.save() ;
>>>
>>> System.out.println( documentManager.getDocument( new PathRef( "/default-domain" ) ).getPropertyValue( "dc:description" ) ) ;
>>>
>>> repo.close() ;
>>>
>
> --
> Florent Guillaume, Director of R&D, Nuxeo
> Open Source, Java EE based, Enterprise Content Management (ECM)
> http://www.nuxeo.com   http://www.nuxeo.org   +33 1 40 33 79 87
>
_______________________________________________
ECM mailing list
[email protected]
http://lists.nuxeo.com/mailman/listinfo/ecm
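
Florent's reply says the remoting protocol stays open whatever credentials the shell asks for, so a useful first check on the server is whether the remoting port accepts connections from anywhere beyond loopback. The following is an added example, not code from this thread or from Nuxeo; it assumes the port 62474 used in the posted snippet, Linux `ss -ltnH` output as input, and a constructed sample in place of a real capture.

```python
import ipaddress

REMOTING_PORT = 62474  # port passed to client.tryConnect() in the quoted code

# Constructed sample of `ss -ltnH` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 50 0.0.0.0:62474 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 50 [::1]:62474 [::]:*
LISTEN 0 50 *:62474 *:*
LISTEN 0 50 10.0.0.5%eth0:62474 0.0.0.0:*
"""


def split_local(field):
    """Split the local-address column of ss into (host, port)."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
    return host, int(port)


def exposed_listeners(ss_output, port=REMOTING_PORT):
    """Return the local addresses where `port` listens beyond loopback."""
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # skip blank or non-listening rows
        host, local_port = split_local(cols[3])
        if local_port != port:
            continue
        # "*" means every interface; otherwise test the bound address.
        if host == "*" or not ipaddress.ip_address(host).is_loopback:
            exposed.append(cols[3])
    return exposed


if __name__ == "__main__":
    for addr in exposed_listeners(SAMPLE_SS):
        print("remoting port reachable beyond loopback:", addr)
```

Any address it reports is one where a client that can reach the host can attempt the unauthenticated connection shown in the quoted code; limiting that reach with a firewall or bind address is this example's assumption, not advice given in the thread.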
