Uploaded image for project: 'Spring Roo'
  1. Spring Roo
  2. ROO-1388

Security issue with roo 1.1.0.M3

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.1.0.M3
    • Fix Version/s: 1.1.0.RC1
    • Component/s: SECURITY, WEB MVC
    • Labels:
      None

      Description

      Roo 1.1.0.M3 handles resources mappings differently compared to older versions -
      instead of urlrewrite it uses <mvc:resources /> tag to map static resources.

      One particular line that by default could cause security risk is following, that is automatically added to webmvc-config.xml by roo:

       
      <mvc:resources location="classpath:/META-INF/spring/" mapping="/resources/spring/**"/>
      

      Since Roo also places many project specific files to /META-INF/spring/ folder(
      applicationContext-jms.xml, applicationContext.xml, applicationContext-security.xml, database.properties, email.properties, ...), they also get handled the same way that static resources (such as Spring.js) and be seen from the web. For example:
      http://somehost/rooapp/resources/spring/applicationContext-security.xml

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              sschmidt Stefan Schmidt
              Reporter:
              atsuk Ats U.
              Votes:
              1 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: