
Re: Re: Security Constraints problem

by janb

Request.getRequestURI() ?


Jan

David Jencks wrote:

>
> On Jun 1, 2009, at 8:47 AM, Greg Wilkins wrote:
>
>> Jeff McAffer wrote:
>>> FYI, the Eclipse webmaster has enabled the security feature on bugzilla
>>> that limits the visibility of security related discussions in an effort
>>> to reduce exploits.  Bugs can be marked as security related (on the bug
>>> itself).  From that point on only committers (I believe) can read the
>>> bug.  Use at your discretion.
>>
>> Cool! Good feature!
>>
>> But in this case it is a problem of a new feature in development, and is
>> not so much an exploit as a failure to log in.   So it is good for this to
>> be open.
>>
>> Jan - any luck reproducing with the test harness?
>>
>> I'm pretty sure this is something to do with the fact that we now scope
>> for servlets before calling the security handler, so the path is
>> now split into servletPath and pathInfo depending on the mappings.
>>
>> I think the security stuff was only looking at pathInfo because it used to
>> only be called before servlet scoping.
>
> Right, that's the problem.  I opened bug 278887 and patched
> FormAuthenticator like this:
>
> -        String uri = request.getPathInfo();
> +        String uri = request.getRequestURL().toString();
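Review bot: On the added line, getRequestURL().toString() produces an absolute URL with scheme, host and port, where the removed getPathInfo() produced a path, so any later comparison of uri against a configured path (the code that consumes uri is not shown in this hunk) has to cope with that prefix. If only the path is needed, request.getRequestURI() returns it as a String without building a StringBuffer first; note that it still includes the context path, which getPathInfo() did not, so the consuming code should be checked either way.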
>
>
> Is there a string already computed that would work as well as
> getRequestURL() and be quicker than constructing a StringBuffer and then
> a String?
>
> thanks
> david jencks
>
>>
>>
>> cheers
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe from this list, please visit:
>>
>>    http://xircles.codehaus.org/manage_email
>>
>>

--
Jan Bartel, Webtide LLC | janb@... | http://www.webtide.com
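
The servletPath/pathInfo split discussed in this thread, as an added example that is not part of the original messages and is not Jetty code. It simulates simplified Servlet-spec mapping rules and shows why a login-page check that compares only pathInfo stops matching once the path has been scoped to a servlet; the class name, helper names, login page and mappings are all constructed for illustration, and rebuilding the path from servletPath plus pathInfo is one possible comparison, not the change made in the thread.

```java
import java.util.List;

// Added example: simulates how a context-relative path is split into
// servletPath + pathInfo after servlet scoping. Hypothetical names throughout.
public class PathSplitDemo {
    record Split(String servletPath, String pathInfo) {}

    // Simplified mapping rules: prefix ("/x/*"), extension ("*.ext"), default ("/"), exact.
    static Split split(String path, String mapping) {
        if (mapping.endsWith("/*")) {
            String prefix = mapping.substring(0, mapping.length() - 2);
            if (path.equals(prefix)) return new Split(prefix, null);
            if (path.startsWith(prefix + "/"))
                return new Split(prefix, path.substring(prefix.length()));
            return null; // mapping does not apply to this path
        }
        if (mapping.startsWith("*.")) {
            return path.endsWith(mapping.substring(1)) ? new Split(path, null) : null;
        }
        if (mapping.equals("/") || mapping.equals(path)) return new Split(path, null);
        return null;
    }

    // Path within the context, independent of where the split fell.
    static String pathInContext(Split s) {
        return s.pathInfo() == null ? s.servletPath() : s.servletPath() + s.pathInfo();
    }

    public static void main(String[] args) {
        String loginPage = "/app/login.jsp"; // constructed form-login-page setting
        String requested = "/app/login.jsp"; // constructed request path within the context
        for (String mapping : List.of("/app/*", "*.jsp", "/")) {
            Split s = split(requested, mapping);
            // Check that only looks at pathInfo (valid only before servlet scoping).
            boolean byPathInfo = loginPage.equals(s.pathInfo());
            // Check against the whole path within the context.
            boolean byFullPath = loginPage.equals(pathInContext(s));
            System.out.printf("%-7s servletPath=%s pathInfo=%s pathInfo-match=%b full-match=%b%n",
                    mapping, s.servletPath(), s.pathInfo(), byPathInfo, byFullPath);
        }
    }
}
```

For all three mappings the pathInfo-only check fails to recognise the login page while the full-path check succeeds, which is the "failure to login" symptom described above.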
