[
https://issues.apache.org/jira/browse/JSPWIKI-566?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14286170#comment-14286170
]
Harry Metske commented on JSPWIKI-566:
--------------------------------------
David,
I did some testing. All works fine except the /admin/Admin.jsp.
A JavaScript error pops up after a 404 from /admin/ajax/users/User1. I sort of
fixed that by adding an extra
<url-pattern>/admin/ajax/*</url-pattern>
to the WikiAjaxDispatcherServlet.
But then I get not well-formed JSON.
There is also still a security exposure in the ajax search. It can still search
pages you are not allowed to see.
So, if there is a page with the content :
{noformat}
[{ALLOW view UserB}]
secret1
{noformat}
You can find out that this page contains the word secret1 even if you are not
logged in.
Don't know if you can fix that too?
And a few debug statements to be removed, but no worries.
Thanks for all your efforts so far !
> AJAX server-side rewrite
> ------------------------
>
> Key: JSPWIKI-566
> URL: https://issues.apache.org/jira/browse/JSPWIKI-566
> Project: JSPWiki
> Issue Type: Improvement
> Components: Core & storage
> Affects Versions: 2.10.1
> Reporter: Janne Jalkanen
> Assignee: David Vittor
> Attachments: ajaxDispatchServlet.patch, ajaxFunctions.patch,
> ajaxFunctions.patch, test.html
>
>
> The AJAX library we're currently using is a bit problematic, as it stores
> non-serializable stuff in the HttpSession (causing all sorts of nasty
> exception reports in default configurations of Tomcat, and preventing
> clustering). It does provide a very nice, reflection-based interface so that
> we can expose any class/method as a JSON endpoint, but this does not really
> work well with our auth system.
> We should replace the jabsorb stuff with a Stripes-native solution (possibly
> with some extensions to allow particular beans to expose methods as if we
> were using jabsorb).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
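An added illustration of the exposure described in the comment above (example code written for this page, not JSPWiki's own code): a small model of a search endpoint that honours JSPWiki-style `[{ALLOW view ...}]` page ACLs on the server before the hits are serialised to JSON. The pages, the principal names, and the built-in roles `All`, `Anonymous` and `Authenticated` are constructed assumptions; in JSPWiki itself the per-hit check would go through `AuthorizationManager.checkPermission` with a view `PagePermission`, which this model replaces with a simple ACL lookup.

```python
"""
Model of the check the AJAX search needs: drop hits the requester may not
view on the server, before they are serialised to JSON.

Example code written for this page; it is not JSPWiki code. The pages,
principal names and the roles "All"/"Anonymous"/"Authenticated" are
constructed assumptions mimicking JSPWiki's [{ALLOW view ...}] markup.
"""
import json
import re
from dataclasses import dataclass

# Matches [{ALLOW view UserB}] and [{ALLOW view UserB, UserC}].
ACL_RE = re.compile(r"\[\{ALLOW\s+(\w+)\s+([^}]+)\}\]")


@dataclass(frozen=True)
class Page:
    name: str
    content: str


def parse_acl(content: str) -> dict:
    """Map action -> set of principals named in ALLOW markup.

    An action with no ALLOW entry is unrestricted (same effect as a page
    without an ACL). Several ALLOW lines for one action are merged.
    """
    acl: dict = {}
    for m in ACL_RE.finditer(content):
        action = m.group(1).lower()
        names = {n.strip() for n in m.group(2).split(",") if n.strip()}
        acl.setdefault(action, set()).update(names)
    return acl


def may_view(page: Page, principals: frozenset) -> bool:
    """True if any name the requester carries is allowed to view the page.

    `principals` is the requester's user name plus role names. An anonymous
    requester only carries the constructed roles {"Anonymous", "All"}.
    """
    allowed = parse_acl(page.content).get("view")
    if allowed is None:
        return True
    return not principals.isdisjoint(allowed)


def _visible_text(page: Page) -> str:
    # ACL markup is metadata, not rendered text: never match on it.
    return ACL_RE.sub("", page.content).lower()


def search_unfiltered(pages, term: str) -> list:
    """The exposed behaviour: match content regardless of who is asking."""
    return [p.name for p in pages if term.lower() in _visible_text(p)]


def search_filtered(pages, term: str, principals: frozenset) -> list:
    """Same match, but a hit is only returned if the requester may view it."""
    return [p.name for p in pages
            if term.lower() in _visible_text(p) and may_view(p, principals)]


def search_json(pages, term: str, principals: frozenset) -> str:
    """What the AJAX endpoint should send back: well-formed JSON of filtered hits."""
    return json.dumps({"query": term,
                       "results": search_filtered(pages, term, principals)})


# Constructed sample wiki, mirroring the page from the comment.
PAGES = (
    Page("SecretPage", "[{ALLOW view UserB}]\nsecret1"),
    Page("Main", "Welcome to the wiki."),
    Page("TeamPage", "[{ALLOW view UserB, UserC}]\n[{ALLOW edit UserC}]\nsecret2"),
)

# Constructed principal sets (user name plus built-in roles).
ANONYMOUS = frozenset({"Anonymous", "All"})
USER_A = frozenset({"UserA", "Authenticated", "All"})
USER_B = frozenset({"UserB", "Authenticated", "All"})


if __name__ == "__main__":
    # The unfiltered search tells anyone that some page contains "secret1".
    print("unfiltered:", search_unfiltered(PAGES, "secret1"))
    print("anonymous:", search_json(PAGES, "secret1", ANONYMOUS))
    print("UserB:", search_json(PAGES, "secret", USER_B))
```

The point of the model is where the filter sits: the browser belongs to the requester, so hiding hits in the JavaScript result handler does nothing, and the per-hit view check has to run in the servlet before the JSON is written. Note also that the filter must apply to every hit, including pages whose name does not match the term but whose content does, because the content match alone already reveals that the protected word exists.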