  • potential security risk with roo 1.1.0.M3 "/resources/spring/**" mapping

    Hi,
    What I noticed while upgrading my roo test app from roo version 1.1.0.M1 to 1.1.0.M3 was that
    Roo 1.1.0.M3 handles resource mappings differently compared to older versions -
    instead of urlrewrite it uses the <mvc:resources /> tag to map static resources.

    One particular line that by default could cause a security risk is the following, which is automatically added to webmvc-config.xml by roo:
    Code:
    <mvc:resources location="classpath:/META-INF/spring/" mapping="/resources/spring/**"/>
    Since Roo also places many project specific files in the /META-INF/spring/ folder
    (applicationContext-jms.xml, applicationContext.xml, applicationContext-security.xml, database.properties, email.properties, ...), they also get handled the same way as static resources (such as Spring.js) and can be seen from the web. For example:
    http://somehost/rooapp/resources/spr...t-security.xml

    One obvious solution would be to just relocate my application specific files to another location, but that would mess up the project folder structure.

    The other solution would be removing the <mvc:resources /> tag and handling the /resources/spring mapping with urlrewrite - just like it was done before.

    Any thoughts regarding the best solution to this issue?
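As an added, runnable check (not code from this thread, from Roo or from Spring): the script below scans a webmvc-config.xml for <mvc:resources> mappings whose location points at classpath:/META-INF/spring/, the folder Roo fills with application configuration, and removes those elements, which is the mitigation reply #3 below describes. The sample config is constructed for the example, modelled on the Roo 1.1.0.M3 line quoted above; the other two mappings in it are hypothetical.

```python
import xml.etree.ElementTree as ET

BEANS_NS = "http://www.springframework.org/schema/beans"
MVC_NS = "http://www.springframework.org/schema/mvc"
RESOURCES_TAG = f"{{{MVC_NS}}}resources"

# Classpath roots Roo fills with application configuration (applicationContext*.xml,
# database.properties, ...) rather than static assets; serving them exposes the files.
RISKY_LOCATION_PREFIXES = ("classpath:/META-INF/spring",)

# Constructed sample webmvc-config.xml: the Roo 1.1.0.M3 line quoted in the post plus
# two hypothetical mappings that serve only static-asset directories.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:mvc="http://www.springframework.org/schema/mvc">
  <mvc:resources location="classpath:/META-INF/spring/" mapping="/resources/spring/**"/>
  <mvc:resources location="/, classpath:/META-INF/web-resources/" mapping="/resources/**"/>
  <mvc:resources location="/static/js/" mapping="/resources/js/**"/>
</beans>
"""


def _risky_locations(element):
    """Entries of the comma-separated location attribute that point at a config root."""
    locations = (loc.strip() for loc in element.get("location", "").split(","))
    return [loc for loc in locations if loc.rstrip("/").startswith(RISKY_LOCATION_PREFIXES)]


def risky_resource_mappings(config_xml):
    """Return (mapping, location) pairs that would publish configuration over HTTP."""
    root = ET.fromstring(config_xml)
    return [(el.get("mapping", ""), loc)
            for el in root.iter(RESOURCES_TAG)
            for loc in _risky_locations(el)]


def remove_risky_mappings(config_xml):
    """Return the config with every flagged <mvc:resources> element removed."""
    ET.register_namespace("", BEANS_NS)  # keep the original prefixes on output
    ET.register_namespace("mvc", MVC_NS)
    root = ET.fromstring(config_xml)
    # Roo writes <mvc:resources> as direct children of <beans>, so removing from root suffices.
    for el in list(root.iter(RESOURCES_TAG)):
        if _risky_locations(el):
            root.remove(el)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for mapping, location in risky_resource_mappings(SAMPLE_CONFIG):
        print(f"exposed: {mapping} -> {location}")
    print(remove_risky_mappings(SAMPLE_CONFIG))
```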

  • #2
    Originally posted by atsuk:
    > Any thoughts regarding the best solution to this issue?
    Unfortunately nobody has replied - it would be a shame if this security issue made it through to the ROO-1.1.0.RELEASE.
    I created an issue based on this thread - ROO-1388

    • #3
      Note that Spring Web Flow will soon provide a different resource directory for the js files it bundles in its jars:

      https://jira.springframework.org/browse/SWF-1388

      Meantime, an alternative that maintains your directory structure is to pull Spring.js and Spring-dojo.js out of the jar and into your own local directory, then remove the mapping to /resources/spring/**.

      • #4
        @atsuk,

        Thanks for raising this issue and reporting it in Jira. As mikej explained we needed to wait for a fix in Spring Web Flow to adjust the Roo scaffolding accordingly. This has now been fixed. Please see https://jira.springframework.org/browse/ROO-1388 for details.
