[ 
https://issues.apache.org/jira/browse/JSPWIKI-566?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14286170#comment-14286170
 ] 

Harry Metske commented on JSPWIKI-566:
--------------------------------------

David,

I did some testing. All works fine except the /admin/Admin.jsp.
A JavaScript error pops up after a 404 from /admin/ajax/users/User1. I sort of fixed that by adding an extra:
        <url-pattern>/admin/ajax/*</url-pattern>
to the WikiAjaxDispatcherServlet.
But then I'm getting not well-formed JSON.

There is also still a security exposure in the ajax search. It can still search pages you are not allowed to see.
So, if there is a page with the content :
{noformat}
[{ALLOW view UserB}]
secret1
{noformat}

You can find out that this page contains the word secret1 even if you are not logged in.
Don't know if you can fix that too?

And a few debug statements to be removed, but no worries.

Thanks for all your efforts so far!

> AJAX server-side rewrite
> ------------------------
>
>                 Key: JSPWIKI-566
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-566
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Core & storage
>    Affects Versions: 2.10.1
>            Reporter: Janne Jalkanen
>            Assignee: David Vittor
>         Attachments: ajaxDispatchServlet.patch, ajaxFunctions.patch, 
> ajaxFunctions.patch, test.html
>
>
> The AJAX library we're currently using is a bit problematic, as it stores 
> non-serializable stuff in the HttpSession (causing all sorts of nasty 
> exception reports in default configurations of Tomcat, and preventing 
> clustering).  It does provide a very nice, reflection-based interface so that 
> we can expose any class/method as a JSON endpoint, but this does not really 
> work well with our auth system.
> We should replace the jabsorb stuff with a Stripes-native solution (possibly 
> with some extensions to allow particular beans to expose methods as if we 
> were using jabsorb).


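The search leak Harry reports above is a classic authorization gap: the page renderer enforces the page's `[{ALLOW view ...}]` ACL, but the AJAX search endpoint returns hits without asking the same question. The example below is added here to illustrate the defensive check; it is not JSPWiki code and does not use the JSPWiki API. It parses the ACL markup quoted in the comment with a small regular expression, treats a page without an ALLOW line as world-readable (an assumption made for the example, not JSPWiki's actual default-policy behaviour), and contrasts a leaky search with one that filters every hit through the view check before returning it. The page names and contents are constructed sample data.

```python
import re

# Constructed sample pages mirroring the ACL markup quoted in the comment.
# "Secret" is viewable by UserB only; "Notes" by UserA and UserB; "Main" by anyone.
PAGES = {
    "Main": "Welcome to the wiki. Nothing secret here.",
    "Secret": "[{ALLOW view UserB}]\nsecret1",
    "Notes": "[{ALLOW view UserA, UserB}]\nshared notes mention secret1 too",
}

# Matches JSPWiki-style ACL lines such as [{ALLOW view UserA, UserB}]
ACL_RE = re.compile(r"\[\{ALLOW\s+(\w+)\s+([^}]+)\}\]")


def parse_acl(text):
    """Return {action: set(principals)} from every [{ALLOW ...}] line in the page text."""
    acl = {}
    for action, principals in ACL_RE.findall(text):
        acl.setdefault(action, set()).update(p.strip() for p in principals.split(","))
    return acl


def may_view(page_text, user):
    """True if `user` (None = anonymous) may view a page with this text.

    Assumption for this example: a page with no 'view' ACL is readable by everyone.
    """
    acl = parse_acl(page_text)
    if "view" not in acl:
        return True
    return user is not None and user in acl["view"]


def unsafe_search(pages, term):
    """Leaky search: returns every page containing the term, ignoring ACLs.

    This is the behaviour the comment describes: an anonymous caller learns
    that a restricted page contains 'secret1'.
    """
    return sorted(name for name, text in pages.items() if term in text)


def safe_search(pages, term, user):
    """Search that applies the same view check the page renderer would apply.

    Filtering happens before results leave the server, so the existence of a
    match on a page the caller cannot view is never disclosed.
    """
    return sorted(
        name for name, text in pages.items()
        if term in text and may_view(text, user)
    )


if __name__ == "__main__":
    print("leaky, anonymous:", unsafe_search(PAGES, "secret1"))
    print("filtered, anonymous:", safe_search(PAGES, "secret1", None))
    print("filtered, UserA:", safe_search(PAGES, "secret1", "UserA"))
    print("filtered, UserB:", safe_search(PAGES, "secret1", "UserB"))
```

The point of structure here is that `safe_search` reuses the exact predicate (`may_view`) that governs page display, rather than re-implementing a second, weaker rule for search; any endpoint that exposes page content (search, AJAX preview, attachments listing) should be routed through that one check.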

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)