Bug 1021783

Summary: Update product errai docs to include security warning
Product: [Retired] JBoss Enterprise WFK Platform 2
Component: doc-Errai-Reference-Guide
Version: 2.3.0
Reporter: David Jorm <djorm>
Assignee: Ankit Patel <ankit>
QA Contact: Emil Cervenan <ecervena>
CC: aneelica, csadilek, jfuerth, kpiwko, mjc, mjobanek, pslegr, rruss
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Target Release: 2.4.0
Hardware: Unspecified
OS: Unspecified
Type: Bug
Doc Type: Bug Fix
Last Closed: 2014-11-10 09:29:11 UTC
Bug Blocks: 997247

Description David Jorm 2013-10-22 05:58:48 UTC
Document URL: 

https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_Web_Framework_Kit/2.3/html-single/Errai_Reference_Guide/index.html#idm72969760

Describe the issue: 

The default errai bus servlet mapping in our documentation:

http://docs.jboss.org/errai/2.4.0.Beta1/errai/reference/html/sid-5931334.html#sid-5931336

Maps *.erraiBus to the errai servlet, without specifying any further path:

  <servlet-mapping>
    <servlet-name>ErraiServlet</servlet-name>
    <url-pattern>*.erraiBus</url-pattern>
  </servlet-mapping>

This can potentially conflict with the intended security constraint applied to the whole application.

Suggestions for improvement:

An XML comment should be added above each servlet-mapping example to highlight this:

<!--
SECURITY WARNING:
This wildcard mapping allows ErraiBus to communicate from any point in your application's URI hierarchy. For example, all of the following are equivalent from Errai's point of view:

/in.erraiBus
/foo/bar/in.erraiBus
/long/path/to/get/to.erraiBus

If you rely on your own security rules or a custom security filter (rather than the security framework within ErraiBus) ensure you use the same mapping pattern for that filter or security-constraint as you do for the Errai Servlet itself.
-->

Alternatively, we could add a single admonition to the docs rather than an XML comment in each example.

Additional information:

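As an added illustration (not part of the bug report or the Errai documentation), the check below parses a constructed web.xml, applies servlet-spec url-pattern matching, and lists the request paths that reach ErraiServlet without falling under any security-constraint. With a constraint on /app/* the three paths quoted above stay exposed; reusing the *.erraiBus pattern for the constraint covers them all. The XML fragments, the /app/* constraint and the role name are constructed for the example, and namespaces are omitted.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragments (not from the bug report or the Errai docs).
# Both map the Errai servlet with the documented wildcard; they differ only in
# the url-pattern of the security-constraint. Namespaces are omitted for brevity.
WEAK_WEB_XML = """<web-app>
  <servlet-mapping>
    <servlet-name>ErraiServlet</servlet-name>
    <url-pattern>*.erraiBus</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
# Same deployment, but the constraint reuses the servlet's own pattern.
FIXED_WEB_XML = WEAK_WEB_XML.replace("<url-pattern>/app/*</url-pattern>",
                                     "<url-pattern>*.erraiBus</url-pattern>")

# Request paths from the bug report (all equivalent for Errai) plus one under /app.
SAMPLE_PATHS = ["/in.erraiBus", "/foo/bar/in.erraiBus",
                "/long/path/to/get/to.erraiBus", "/app/in.erraiBus"]

def pattern_matches(pattern, path):
    """Servlet-spec url-pattern matching: exact, path prefix (/x/*), extension (*.ext)."""
    if pattern == "/*":
        return True
    if pattern.startswith("*."):
        # Extension mappings apply to the last path segment, at any depth.
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern

def unprotected_paths(web_xml, servlet_name, paths):
    """Return the paths that reach servlet_name but are outside every security-constraint."""
    root = ET.fromstring(web_xml)
    servlet_pats = [m.findtext("url-pattern").strip() for m in root.findall("servlet-mapping")
                    if m.findtext("servlet-name") == servlet_name]
    constraint_pats = [p.text.strip() for p in
                       root.findall("security-constraint/web-resource-collection/url-pattern")]
    return [p for p in paths
            if any(pattern_matches(s, p) for s in servlet_pats)
            and not any(pattern_matches(c, p) for c in constraint_pats)]

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(label, unprotected_paths(xml, "ErraiServlet", SAMPLE_PATHS))
```
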
Comment 1 Petr Penicka 2013-10-23 09:18:54 UTC
Security warning added to the docs for the upcoming WFK 2.4 release [1], and also to the already released WFK 2.3. A ticket [2] was filed for release engineering to update the 2.3 book on the Customer Portal.

[1] http://documentation-devel.engineering.redhat.com/docs/en-US/Red_Hat_JBoss_Web_Framework_Kit/2.4/html-single/Errai_Reference_Guide/index.html
[2] https://engineering.redhat.com/rt/Ticket/Display.html?id=261185

Comment 2 Pavel SLegr 2013-10-23 10:18:02 UTC
Thanks Petr!

Comment 3 Matous Jobanek 2013-10-31 14:55:45 UTC
Verified in both WFK 2.3 and WFK 2.4 docs