Security in Remoting: ClassResourceProcessor - Bernhard Slominski - org.apache.shale.dev

6 messages in org.apache.shale.devSecurity in Remoting: ClassResourcePr...

From	Sent On	Attachments
Bernhard Slominski	Nov 29, 2006 5:40 am
Hermod Opstvedt	Nov 29, 2006 9:33 am
Craig McClanahan	Nov 29, 2006 11:48 am
Bernhard Slominski	Nov 29, 2006 10:11 pm
Craig McClanahan	Nov 30, 2006 3:07 pm
Bernhard Slominski	Dec 1, 2006 5:30 am

Subject:	Security in Remoting: ClassResourceProcessor
From:	Bernhard Slominski (bern...@zooplus.com)
Date:	Nov 29, 2006 5:40:42 am
List:	org.apache.shale.dev

Hi,

I think the current implementation of the ClassResourceProcessor is a security issue. The ClassResourceProcessor exposes all files in the classpath and it's enable by default. If you have e.g. your database passwords in properties files you just have to know the name and path to the file and you can read the content of the file. So I think it should at least be disabled by default.

Bernhard

	Start a set with this search
	Include this search in one of my sets
	Exclude this search from one of my sets