Document URL: https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_Web_Framework_Kit/2.3/html-single/Errai_Reference_Guide/index.html#idm72969760

Describe the issue:

The default errai bus servlet mapping in our documentation:
http://docs.jboss.org/errai/2.4.0.Beta1/errai/reference/html/sid-5931334.html#sid-5931336

Maps *.erraiBus to the errai servlet, without specifying any further path:

    <servlet-mapping>
      <servlet-name>ErraiServlet</servlet-name>
      <url-pattern>*.erraiBus</url-pattern>
    </servlet-mapping>

This can potentially conflict with the intended security constraint applied to the whole application.

Suggestions for improvement:

An XML comment should be added above each servlet-mapping example to highlight this:

    <!--
      SECURITY WARNING: This wildcard mapping allows ErraiBus to communicate
      from any point in your application's URI hierarchy. For example, all of
      the following are equivalent from Errai's point of view:

        /in.erraiBus
        /foo/bar/in.erraiBus
        /long/path/to/get/to.erraiBus

      If you rely on your own security rules or a custom security filter
      (rather than the security framework within ErraiBus) ensure you use the
      same mapping pattern for that filter or security-constraint as you do
      for the Errai Servlet itself.
    -->

Alternatively, we could add a single admonition to the docs rather than an XML comment in each example.

Additional information:
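The mismatch described in the report can be checked mechanically: take every url-pattern that routes a request to the Errai servlet, and compare it against the url-patterns of the application's security-constraints using the Servlet specification's matching rules (exact, path-prefix `/x/*`, extension `*.ext`, default `/`). The following script is an added example, not code from the Errai docs or the Errai project; the two web.xml documents, the servlet name `ErraiServlet`, the `/secure/*` constraint and the sample request paths are constructed for illustration. It shows that with the stock `*.erraiBus` mapping a constraint on `/secure/*` leaves the bus reachable from the three paths the report lists, and that adding a constraint with the same `*.erraiBus` pattern closes the gap.

```python
"""Report request paths that reach a servlet but are not covered by any
security-constraint in web.xml.  Added example; not Errai project code."""
import xml.etree.ElementTree as ET

# Constructed web.xml: ErraiBus is mapped by extension, but the only
# security-constraint covers the /secure/* subtree.
WEB_XML_WEAK = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet-mapping>
    <servlet-name>ErraiServlet</servlet-name>
    <url-pattern>*.erraiBus</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secured pages</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Corrected variant: the constraint also uses the servlet's own pattern,
# as the report recommends.
WEB_XML_FIXED = WEB_XML_WEAK.replace(
    "<url-pattern>/secure/*</url-pattern>",
    "<url-pattern>/secure/*</url-pattern>\n"
    "      <url-pattern>*.erraiBus</url-pattern>")

# Constructed request paths, including the three from the report.
SAMPLE_PATHS = [
    "/in.erraiBus",
    "/foo/bar/in.erraiBus",
    "/long/path/to/get/to.erraiBus",
    "/secure/in.erraiBus",
    "/secure/page.html",
    "/index.html",
]

NS = "{http://java.sun.com/xml/ns/javaee}"


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-spec url-pattern matching: default, prefix, extension, exact."""
    if pattern in ("/", "/*"):
        return True
    if pattern.startswith("*."):
        # Extension mapping: any path whose last segment ends in the extension.
        return path.endswith(pattern[1:])
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def servlet_patterns(root, servlet_name):
    """All url-patterns that route to the named servlet."""
    return [m.find(NS + "url-pattern").text
            for m in root.findall(NS + "servlet-mapping")
            if m.find(NS + "servlet-name").text == servlet_name]


def constraint_patterns(root):
    """All url-patterns that appear in any security-constraint."""
    return [p.text for sc in root.findall(NS + "security-constraint")
            for p in sc.iter(NS + "url-pattern")]


def unprotected_paths(web_xml: str, servlet_name: str, paths):
    """Paths that reach the servlet but match no security-constraint.

    Only pattern coverage is checked; roles, HTTP methods and transport
    guarantees inside the constraint are out of scope for this example.
    """
    root = ET.fromstring(web_xml)
    reach = servlet_patterns(root, servlet_name)
    protect = constraint_patterns(root)
    return [p for p in paths
            if any(pattern_matches(s, p) for s in reach)
            and not any(pattern_matches(c, p) for c in protect)]


if __name__ == "__main__":
    for label, doc in (("weak", WEB_XML_WEAK), ("fixed", WEB_XML_FIXED)):
        gaps = unprotected_paths(doc, "ErraiServlet", SAMPLE_PATHS)
        print(f"{label}: unprotected bus paths = {gaps}")
```

Run against the weak document the check lists `/in.erraiBus`, `/foo/bar/in.erraiBus` and `/long/path/to/get/to.erraiBus`; `/secure/in.erraiBus` is covered only because it happens to sit under `/secure/`. Against the fixed document the list is empty. The same approach applies to a custom security filter: compare the filter's `url-pattern` against the servlet's rather than assuming a path-prefix pattern covers an extension mapping.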
Security warning added to the docs for the upcoming WFK 2.4 release [1], and also to the already released WFK 2.3. A ticket [2] was filed for release engineering to update the 2.3 book on the Customer Portal.

[1] http://documentation-devel.engineering.redhat.com/docs/en-US/Red_Hat_JBoss_Web_Framework_Kit/2.4/html-single/Errai_Reference_Guide/index.html
[2] https://engineering.redhat.com/rt/Ticket/Display.html?id=261185
Thanks, Petr!
Verified in both WFK 2.3 and WFK 2.4 docs