[jira] [Commented] (SCB-1263) forward request in edge should not inherit cse-context

YaoHaishi (JIRA) Fri, 19 Apr 2019 02:51:06 -0700


    [ 
https://issues.apache.org/jira/browse/SCB-1263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16821813#comment-16821813
 ]


YaoHaishi commented on SCB-1263:
--------------------------------

Agree with wujimin. Since the EdgeService is facing the request from outside, 
there is a high risk to allow callers outside to inject value into 
InvocationContext.
If users want to receive InvocationContext in such situation, they can easily 
achieve it by extending a HttpServerFilter.

> forward request in edge should not inherit cse-context
> ------------------------------------------------------
>
>                 Key: SCB-1263
>                 URL: https://issues.apache.org/jira/browse/SCB-1263
>             Project: Apache ServiceComb
>          Issue Type: Task
>          Components: Java-Chassis
>            Reporter: wujimin
>            Assignee: YaoHaishi
>            Priority: Major
>             Fix For: java-chassis-1.3.0
>
>
> to avoid attacker to falsify the credentials of other users



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (SCB-1263) forward request in edge should not inherit cse-context

Reply via email to