Improve default security of Shale Remoting
------------------------------------------
Key: SHALE-362
URL: http://issues.apache.org/struts/browse/SHALE-362
Project: Shale
Issue Type: Bug
Components: Remoting
Affects Versions: 1.0.4-SNAPSHOT
Reporter: Craig McClanahan
Fix For: 1.0.4-SNAPSHOT
The current "out of the box" security of Shale Remoting is better (in
1.0.4-SNAPSHOT) than it was in 1.0.3, but still needs to be improved:
* "Dynamic" processor should exclude by default all managed bean
names that are implicitly defined in the JSF spec, and have public
zero-args methods that might mess things up. (Example: executing
#{applicationScope.clear} would be bad.
* All processors should be enhanced to *always* obey their default
exclude lists, even if the user specifies additional exclude patterns.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/struts/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
