Thanks for the response. I've only been using Jetspeed for about 2 weeks now and just joined the dev list yesterday. The patch was really just a quick hack to placate management's concerns about security. I probably should have posted my concerns about security before posting a patch, I apologize.
p.s. Is there a copy of the proposal for the new security? If there is, I would like to look at it if you do not mind.

Thanks,
Scott

> -----Original Message-----
> From: Santiago Gala [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, June 25, 2002 4:43 AM
> To: Jetspeed Developers List
> Subject: Re: psml profile "spoofing", a possible security hole
>
>
> Weaver, Scott wrote:
>
> >I have noticed in jetspeed(1.3a3) that a user can spoof another user's psml
> >profile by copying a URL with psml information into the location bar. This
> >is also possible when not logged in (as anon).
> >
> >
> As Glenn said, this is due to the fact that security for
> portletsets/psml is not in place. There should not be hardwired
> restriction here, but a proper security implementation. The version in
> tag Security_14 does not behave like this, and the current cvs version
> will not behave like this in the following days.
>
> >Scenario:
> >
> >1. User logs in as User_A.
> >2. User clicks a tab, then copies the URL:
> ><http://localhost:8080/jetspeed/portal/user/user_a/page/default.psml/js_pane/P-ee8a3d53d3-10048>
> >4. User then logs out as User_A.
> >5. Now the User (not logged in at all) copies the above url into the
> >browser. User_A's psml profile is now available to the Anon user.
> >
> >Portlets with security are restricted (good), however, all information that
> >is not specifically secured is available. IMOHO, there should be no way to
> >access one user's psml profile from another or by anon. I have patched the
> >problem and included it below.
> >
> >If this problem has already been addressed or if I'm totally off base,
> >please let me know.
> > > >Thanks, > >Scott > > > >Index: > >src/java/org/apache/jetspeed/modules/actions/JetspeedAccessCo > ntroller.java > >=================================================================== > >RCS file: > >/home/cvspublic/jakarta-jetspeed/src/java/org/apache/jetspeed > /modules/action > >s/JetspeedAccessController.java,v > >retrieving revision 1.4 > >diff -u -r1.4 JetspeedAccessController.java > >--- > >src/java/org/apache/jetspeed/modules/actions/JetspeedAccessCo > ntroller.java > >14 May 2002 17:35:32 -0000 1.4 > >+++ > >src/java/org/apache/jetspeed/modules/actions/JetspeedAccessCo > ntroller.java > >24 Jun 2002 20:42:41 -0000 > >@@ -94,6 +94,22 @@ > > } > > > > // get the profile and store it in the RunData > >+ > >+ // This prevents one user from even seeing another's pane > >+ String requestedUser = > jdata.getParameters().getString("user","-1"); > >+ String sessionUser = jdata.getUser().getUserName(); > >+ // Prevent anon from accessing other panes > >+ if(sessionUser == null && !requestedUser.equals(" -1")) > >+ { > >+ jdata.getParameters().remove("user"); > >+ } > >+ // Prevent one person from accessing another's pane > >+ else if(!sessionUser.equalsIgnoreCase(requestedUser)) > >+ { > >+ jdata.getParameters().remove("user"); > >+ jdata.getParameters().add("user",sessionUser); > >+ } > >+ > > Profile newProfile = Profiler.getProfile(jdata); > > Profile currentProfile = jdata.getProfile(); > > > > > > > > > > > > > -- > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
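Review bot: the anonymous branch of the JetspeedAccessController hunk tests `requestedUser.equals(" -1")` (note the leading space) while the default fetched two lines earlier is `getString("user","-1")`, so an anonymous request that carries no `user` parameter fails the first condition and falls into `else if(!sessionUser.equalsIgnoreCase(requestedUser))` with `sessionUser == null`, which throws a NullPointerException. Use the same literal in both places (`"-1"`), and guard the second branch with `sessionUser != null`; simpler still, treat a null session user as anonymous and unconditionally `jdata.getParameters().remove("user")` in that case, since an anonymous request should never select a named profile. A further point for the logged-in branch: `remove("user")` followed by `add("user",sessionUser)` runs even when the parameter was absent, so the profiler now always receives an explicit user; a short comment stating that this is intentional would help the next reader.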

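The scenario quoted above (a PSML profile selected by a `user` request parameter that anyone can paste into the location bar) is a classic case of trusting a client-supplied identifier for an authorization decision. The following is an added example, not Jetspeed code and not the patch from the thread: it shows the defensive pattern of deriving the profile owner from the session and rewriting the untrusted parameter, while flagging mismatches so they can be logged. It assumes a plain `Map<String,String>` as a stand-in for the request parameters and a `null` session user for an anonymous visitor, mirroring the assumption the quoted patch makes; both are hypothetical simplifications.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not part of Jetspeed): decide whose PSML profile a request
 * may load. The identity comes from the session, never from the "user"
 * request parameter, so a copied URL cannot select another user's profile.
 */
public class ProfileOwnerResolver {

    /** Result: the effective profile owner (null = anonymous profile) and
     *  whether the request tried to reach a different profile. */
    public static final class Resolution {
        public final String owner;
        public final boolean spoofAttempt;

        Resolution(String owner, boolean spoofAttempt) {
            this.owner = owner;
            this.spoofAttempt = spoofAttempt;
        }

        @Override
        public String toString() {
            return "owner=" + (owner == null ? "<anon>" : owner)
                 + " spoofAttempt=" + spoofAttempt;
        }
    }

    /**
     * @param params      request parameters (hypothetical stand-in for RunData parameters)
     * @param sessionUser authenticated user name, or null for an anonymous session
     */
    public static Resolution resolve(Map<String, String> params, String sessionUser) {
        String requested = params.get("user"); // null when the parameter is absent
        String owner;
        boolean spoofAttempt;

        if (sessionUser == null || sessionUser.isEmpty()) {
            // Anonymous session: any explicit user parameter is rejected outright.
            owner = null;
            spoofAttempt = requested != null;
        } else {
            // Logged-in session: the owner is always the session user, whatever
            // the URL says. A differing parameter is recorded for logging.
            owner = sessionUser;
            spoofAttempt = requested != null && !requested.equalsIgnoreCase(sessionUser);
        }

        // Rewrite the parameter so downstream code (e.g. a profiler) only ever
        // sees the trusted value, never the attacker-controlled one.
        params.remove("user");
        if (owner != null) {
            params.put("user", owner);
        }
        return new Resolution(owner, spoofAttempt);
    }

    public static void main(String[] args) {
        // Constructed inputs replaying the scenario from the thread.
        Map<String, String> anonPaste = new HashMap<>();
        anonPaste.put("user", "user_a"); // URL pasted after logging out
        System.out.println("anon pasting user_a URL  : " + resolve(anonPaste, null));

        Map<String, String> crossUser = new HashMap<>();
        crossUser.put("user", "user_a"); // user_b pasting user_a's URL
        System.out.println("user_b pasting user_a URL: " + resolve(crossUser, "user_b"));

        Map<String, String> ownPage = new HashMap<>();
        ownPage.put("user", "User_A");   // own page, differing only in case: not a spoof
        System.out.println("user_a on own page       : " + resolve(ownPage, "user_a"));

        Map<String, String> noParam = new HashMap<>(); // parameter absent entirely
        System.out.println("user_a without parameter : " + resolve(noParam, "user_a"));
    }
}
```

Running `main` prints an anonymous owner for the first case and `user_b` for the second, both with `spoofAttempt=true`; the last two resolve to `user_a` with `spoofAttempt=false`. The `spoofAttempt` flag is the detection hook: a burst of such mismatches from one client is worth alerting on even though the request itself is rendered harmless.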