Bug 1021783 - Update product errai docs to include security warning
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise WFK Platform 2
Classification: JBoss
Component: doc-Errai-Reference-Guide
Version: 2.3.0
Priority: high
Severity: high
Target Release: 2.4.0
Assigned To: Ankit Patel
QA Contact: Emil Cervenan
Blocks: 997247
 
Reported: 2013-10-22 01:58 EDT by David Jorm
Modified: 2014-11-10 04:29 EST
CC: 8 users

Doc Type: Bug Fix
Last Closed: 2014-11-10 04:29:11 EST
Type: Bug

Attachments: none
Description David Jorm 2013-10-22 01:58:48 EDT
Document URL: 

https://access.redhat.com/site/documentation/en-US/Red_Hat_JBoss_Web_Framework_Kit/2.3/html-single/Errai_Reference_Guide/index.html#idm72969760

Describe the issue: 

The default errai bus servlet mapping in our documentation:

http://docs.jboss.org/errai/2.4.0.Beta1/errai/reference/html/sid-5931334.html#sid-5931336

Maps *.erraiBus to the errai servlet, without specifying any further path:

  <servlet-mapping>
    <servlet-name>ErraiServlet</servlet-name>
    <url-pattern>*.erraiBus</url-pattern>
  </servlet-mapping>

This can potentially conflict with the intended security constraint applied to the whole application.

Suggestions for improvement:

An XML comment should be added above each servlet-mapping example to highlight this:

<!--
SECURITY WARNING:
This wildcard mapping allows ErraiBus to communicate from any point in your application's URI hierarchy. For example, all of the following are equivalent from Errai's point of view:

/in.erraiBus
/foo/bar/in.erraiBus
/long/path/to/get/to.erraiBus

If you rely on your own security rules or a custom security filter (rather than the security framework within ErraiBus) ensure you use the same mapping pattern for that filter or security-constraint as you do for the Errai Servlet itself.
-->

Alternatively, we could add a single admonition to the docs rather than an XML comment in each example.

Additional information:
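The mismatch the report describes can be checked mechanically. The following is an added example, not code from the bug report or from the Errai project: a small Python checker that reads a web.xml, collects the url-pattern values under every servlet-mapping and every security-constraint, applies the url-pattern forms defined by the Servlet specification (exact, path prefix "/x/*", extension "*.ext", default "/"), and reports any servlet mapping whose URL space is not fully covered by some constraint. The embedded web.xml is constructed for the example; the "/app/*" constraint, the "user" role and the web-resource-name are assumptions, and only the elements the checker reads are included. It shows that the three paths the report calls equivalent all reach the *.erraiBus mapping while none fall under a "/app/*" constraint, and that adding the same *.erraiBus pattern to the constraint closes the gap.

```python
"""Added check: does every servlet-mapping in a web.xml fall under some
security-constraint?  Implements the url-pattern forms of the Servlet spec
(exact, path prefix "/x/*", extension "*.ext", default "/") and reports
mappings whose URL space is only partially covered, which is exactly the
mismatch the bug report warns about for *.erraiBus."""
import xml.etree.ElementTree as ET

# Constructed sample (not an Errai project file): the wildcard Errai mapping
# from the bug report, "protected" only by an assumed constraint on /app/*.
# Only the elements the checker reads are included.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet-mapping>
    <servlet-name>ErraiServlet</servlet-name>
    <url-pattern>*.erraiBus</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>application</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

# Corrected variant: the constraint also uses the servlet's own *.erraiBus pattern.
FIXED_WEB_XML = WEAK_WEB_XML.replace(
    "<url-pattern>/app/*</url-pattern>",
    "<url-pattern>/app/*</url-pattern>\n      <url-pattern>*.erraiBus</url-pattern>",
)

# The three request paths the bug report lists as equivalent for Errai.
EQUIVALENT_PATHS = ["/in.erraiBus", "/foo/bar/in.erraiBus", "/long/path/to/get/to.erraiBus"]


def matches(pattern, path):
    """True if `path` (context-relative, leading slash) matches a url-pattern."""
    if pattern in ("/", "/*"):          # default servlet / whole context
        return True
    if pattern.startswith("*."):        # extension mapping: applies to the last segment only
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    if pattern.endswith("/*"):          # path-prefix mapping
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern              # exact mapping


def covers(constraint, mapping):
    """True if every path matched by `mapping` is also matched by `constraint`."""
    if constraint in ("/", "/*"):
        return True
    if mapping in ("/", "/*"):          # whole context: nothing narrower covers it
        return False
    if mapping.startswith("*."):        # extension mapping reaches every directory:
        return constraint == mapping    # only the same extension pattern covers all of it
    if mapping.endswith("/*"):          # a prefix is covered by an equal or shorter prefix
        return constraint.endswith("/*") and matches(constraint, mapping[:-2])
    return matches(constraint, mapping) # exact mapping: any matching constraint suffices


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _patterns(root, parent):
    """Collect url-pattern texts found anywhere below elements named `parent`."""
    return [sub.text.strip()
            for el in root.iter() if _local(el.tag) == parent
            for sub in el.iter() if _local(sub.tag) == "url-pattern" and sub.text]


def unprotected_mappings(web_xml):
    """Servlet mappings whose URL space is not fully covered by any security-constraint."""
    root = ET.fromstring(web_xml)
    constraints = _patterns(root, "security-constraint")
    return [m for m in _patterns(root, "servlet-mapping")
            if not any(covers(c, m) for c in constraints)]


if __name__ == "__main__":
    for p in EQUIVALENT_PATHS:
        print(f"{p:32} errai={matches('*.erraiBus', p)} under /app/*={matches('/app/*', p)}")
    print("weak web.xml, unprotected:", unprotected_mappings(WEAK_WEB_XML))
    print("fixed web.xml, unprotected:", unprotected_mappings(FIXED_WEB_XML))
```

The same coverage rule applies to a custom security filter: a filter-mapping on "/app/*" is just another path-prefix pattern and leaves "/in.erraiBus" unfiltered, so the filter needs the "*.erraiBus" pattern (or "/*") as well.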
Comment 1 Petr Penicka 2013-10-23 05:18:54 EDT
Security warning added to the docs for the upcoming WFK 2.4 release [1], and also to the already released WFK 2.3. A ticket [2] was filed for release engineering to update the 2.3 book on the Customer Portal.

[1]http://documentation-devel.engineering.redhat.com/docs/en-US/Red_Hat_JBoss_Web_Framework_Kit/2.4/html-single/Errai_Reference_Guide/index.html
[2] https://engineering.redhat.com/rt/Ticket/Display.html?id=261185
Comment 2 Pavel SLegr 2013-10-23 06:18:02 EDT
thanks Petr !
Comment 3 Matous Jobanek 2013-10-31 10:55:45 EDT
Verified in both WFK 2.3 and WFK 2.4 docs
