[ https://issues.apache.org/jira/browse/JSPWIKI-566?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14286170#comment-14286170 ]
Harry Metske commented on JSPWIKI-566:
--------------------------------------

David, I did some testing. All works fine except the /admin/Admin.jsp.
A javascript error pops up after a 404 from /admin/ajax/users/User1. I sort of fixed that by adding an extra:
<url-pattern>/admin/ajax/*</url-pattern>
to the WikiAjaxDispatcherServlet. But then I'm getting not well-formed JSON.

There is also still a security exposure in the ajax search. It can still search pages you are not allowed to see. So, if there is a page with the content:
{noformat}
[{ALLOW view UserB}] secret1
{noformat}
You can find out that this page contains the word secret1 even if you are not logged in. Don't know if you can fix that too?

And a few debug statements to be removed, but no worries.

Thanks for all your efforts so far!

> AJAX server-side rewrite
> ------------------------
>
>                 Key: JSPWIKI-566
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-566
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Core & storage
>    Affects Versions: 2.10.1
>            Reporter: Janne Jalkanen
>            Assignee: David Vittor
>         Attachments: ajaxDispatchServlet.patch, ajaxFunctions.patch, ajaxFunctions.patch, test.html
>
>
> The AJAX library we're currently using is a bit problematic, as it stores
> non-serializable stuff in the HttpSession (causing all sorts of nasty
> exception reports in default configurations of Tomcat, and preventing
> clustering). It does provide a very nice, reflection-based interface so that
> we can expose any class/method as a JSON endpoint, but this does not really
> work well with our auth system.
> We should replace the jabsorb stuff with a Stripes-native solution (possibly
> with some extensions to allow particular beans to expose methods as if we
> were using jabsorb).

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)