  • potential security risk with roo 1.1.0.M3 "/resources/spring/**" mapping

    What I noticed while upgrading my roo test app from roo version 1.1.0.M1 to 1.1.0.M3 was that
    Roo 1.1.0.M3 handles resource mappings differently compared to older versions -
    instead of urlrewrite it uses the <mvc:resources /> tag to map static resources.

    One particular line that by default could cause a security risk is the following, which is automatically added to webmvc-config.xml by roo:
    <mvc:resources location="classpath:/META-INF/spring/" mapping="/resources/spring/**"/>
    Since Roo also places many project-specific files in the /META-INF/spring/ folder
    (applicationContext-jms.xml, applicationContext.xml, applicationContext-security.xml, ...), they also get handled the same way as static resources (such as Spring.js) and can be seen from the web. For example:

    One obvious solution would be to just relocate my application-specific files to another location, but that would mess up the project folder structure.

    The other solution would be removing the <mvc:resources /> tag and handling the /resources/spring mapping with urlrewrite - just like it was done before.

    Any thoughts regarding the best solution to this issue?

  • #2
    Originally posted by atsuk:
    > Any thoughts regarding the best solution to this issue?
    Unfortunately nobody has replied. It would be a shame if this security issue made it through to the ROO-1.1.0.RELEASE.
    I created an issue based on this thread - ROO-1388


    • #3
      Note that Spring Web Flow will soon provide a different resource directory for the js files it bundles in its jars:

      Meantime, an alternative that maintains your directory structure is to pull Spring.js and Spring-dojo.js out of the jar and into your own local directory, then remove the mapping to /resources/spring/**.


      • #4

        Thanks for raising this issue and reporting it in Jira. As mikej explained we needed to wait for a fix in Spring Web Flow to adjust the Roo scaffolding accordingly. This has now been fixed. Please see for details.
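As an added illustration (not from the thread, and not Roo's generated file), here is the risky mapping from the first post beside the alternative from post #3, where Spring.js and Spring-dojo.js are copied out of the Web Flow jar into the web app. The webapp path src/main/webapp/resources/spring/ and the 3.0 schema versions are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative webmvc-config.xml fragment (added example, not Roo output). -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/mvc
           http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd">

  <!-- RISKY (the line Roo 1.1.0.M3 generates): the location is a directory
       shared with the application's own context files, so every file under
       classpath:/META-INF/spring/ (applicationContext-security.xml included)
       becomes downloadable below /resources/spring/. Kept here commented out. -->
  <!--
  <mvc:resources location="classpath:/META-INF/spring/" mapping="/resources/spring/**"/>
  -->

  <!-- SAFER: serve static assets only from a directory that holds nothing but
       static assets. Spring.js and Spring-dojo.js are assumed to have been
       copied into src/main/webapp/resources/spring/, so they are reached at
       /resources/spring/Spring.js through this single mapping, and no
       classpath directory containing configuration is exposed. -->
  <mvc:resources location="/resources/" mapping="/resources/**"/>

</beans>
```

After the change, a request for /resources/spring/applicationContext-security.xml should return 404 while /resources/spring/Spring.js still loads; checking both is the quick regression test for this issue.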