[ http://issues.apache.org/struts/browse/SHALE-362?page=all ]
Craig McClanahan resolved SHALE-362.
------------------------------------
Resolution: Fixed
Fixed in nightly build 20061213, although a remaining issue of no default
"includes" list for the dynamic processor remains to be considered (see
SHALE-344).
> Improve default security of Shale Remoting
> ------------------------------------------
>
> Key: SHALE-362
> URL: http://issues.apache.org/struts/browse/SHALE-362
> Project: Shale
> Issue Type: Bug
> Components: Remoting
> Affects Versions: 1.0.4-SNAPSHOT
> Reporter: Craig McClanahan
> Fix For: 1.0.4-SNAPSHOT
>
>
> The current "out of the box" security of Shale Remoting is better (in
> 1.0.4-SNAPSHOT) than it was in 1.0.3, but still needs to be improved:
> * "Dynamic" processor should exclude by default all managed bean
> names that are implicitly defined in the JSF spec, and have public
> zero-args methods that might mess things up. (Example: executing
> #{applicationScope.clear} would be bad.)
> * All processors should be enhanced to *always* obey their default
> exclude lists, even if the user specifies additional exclude patterns.
--
This message is automatically generated by JIRA.
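
The second point of the issue (default excludes always apply, user patterns only add to them), as an added example that is not Shale's own code. The class name, the "*" wildcard syntax, the "/bean/method" resource-id form and the "/admin/*" setting are assumptions made for illustration; the excluded names are the implicit objects defined by the JSF spec.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical filter (not a Shale class): decides whether a resource id such
// as "/applicationScope/clear" may be turned into a method expression.
public class ExcludeFilter {
    // Implicit object names from the JSF spec; the pattern form is assumed.
    private static final String[] DEFAULT_EXCLUDES = {
        "/application/*", "/applicationScope/*", "/cookie/*", "/facesContext/*",
        "/header/*", "/headerValues/*", "/initParam/*", "/param/*",
        "/paramValues/*", "/request/*", "/requestScope/*", "/session/*",
        "/sessionScope/*", "/view/*"
    };

    private final List<Pattern> excludes = new ArrayList<>();

    // userExcludes: comma-separated patterns from configuration, may be null.
    public ExcludeFilter(String userExcludes) {
        // Defaults are added unconditionally; user patterns can only extend them.
        for (String p : DEFAULT_EXCLUDES) {
            excludes.add(compile(p));
        }
        if (userExcludes != null) {
            for (String p : userExcludes.split(",")) {
                if (!p.trim().isEmpty()) {
                    excludes.add(compile(p.trim()));
                }
            }
        }
    }

    // Quote the pattern literally, then let each "*" match any run of characters.
    private static Pattern compile(String glob) {
        return Pattern.compile(Pattern.quote(glob).replace("*", "\\E.*\\Q"));
    }

    // A resource id is allowed only if no default or user pattern matches it.
    public boolean isAllowed(String resourceId) {
        return excludes.stream().noneMatch(p -> p.matcher(resourceId).matches());
    }

    public static void main(String[] args) {
        ExcludeFilter f = new ExcludeFilter("/admin/*"); // constructed user setting
        for (String id : new String[] {"/applicationScope/clear", "/admin/reset", "/catalog/list"}) {
            System.out.println(id + " allowed=" + f.isAllowed(id));
        }
    }
}
```

An exclude list only blocks names someone thought to list; the default "includes" list left open in the resolution note (SHALE-344) is the allow-list side of the same check.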