  1. Spring Roo
  2. ROO-271

/WEB-INF and other resources not secured

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.0.0.RC2
    • Fix Version/s: 1.0.0.RC3
    • Component/s: WEB MVC
    • Labels:
      None
    • Environment:
      Windows, Tomcat 6, ROO build 328 (and earlier)

      Description

      In a generated project, resources that should be protected by web config can be accessed in a browser by simply using the /static path:

      http://localhost:8080/myproject/static/WEB-INF/web.xml

        Activity

        balex Ben Alex added a comment -

        Users affected by this bug should modify their urlrewrite.xml file (located in src/main/webapp/WEB-INF) to:

        <urlrewrite default-match-type="wildcard">
        	<rule>
        		<from>/resources/**</from>
        		<to last="true">/resources/$1</to>
        	</rule>
        	<rule>
        		<from>/static/WEB-INF/**</from>
        		<set type="status">403</set>
        		<to last="true">/static/WEB-INF/$1</to>
        	</rule>
        	<rule>
        		<from>/static/**</from>
        		<to last="true">/$1</to>
        	</rule>
        	<rule>
        		<from>/</from>
        		<to last="true">/app/index</to>		
        	</rule>
        	<rule>
        		<from>/app/**</from>
        		<to last="true">/app/$1</to>
        	</rule>
        	<rule>
        		<from>/**</from>
        		<to>/app/$1</to>
        	</rule>
        	<outbound-rule>
        		<from>/app/**</from>
        		<to>/$1</to>
        	</outbound-rule>	
        </urlrewrite>

        balex Ben Alex added a comment -

        Fix to urlrewrite-template.xml checked into SVN as revision 329.

        Users with existing projects should modify their urlrewrite.xml template in accordance with the above comment, and perform comprehensive testing to ensure the project is corrected.

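The rule order in the urlrewrite.xml above, replayed in a simplified model (an added example, not Spring Roo or UrlRewriteFilter code). It assumes rules run top to bottom, a pattern must match the whole path, and `last="true"` stops processing; `WITHOUT_DENY` and `DENY_TOO_LATE` are constructed variants, not configurations taken from the issue.

```python
import re

# Rules from the urlrewrite.xml in the comment: (from, to, last, forced status).
FIXED = [
    ("/resources/**", "/resources/$1", True, None),
    ("/static/WEB-INF/**", "/static/WEB-INF/$1", True, 403),
    ("/static/**", "/$1", True, None),
    ("/", "/app/index", True, None),
    ("/app/**", "/app/$1", True, None),
    ("/**", "/app/$1", False, None),
]
# Constructed variants for comparison, not configurations from the issue.
WITHOUT_DENY = [r for r in FIXED if r[3] != 403]
DENY_TOO_LATE = WITHOUT_DENY[:2] + [FIXED[1]] + WITHOUT_DENY[2:]


def to_regex(pattern):
    """Translate a wildcard pattern: ** crosses '/', * stays inside one segment."""
    out = ""
    for part in re.split(r"(\*\*|\*)", pattern):
        out += {"**": "(.*)", "*": "([^/]*)"}.get(part, re.escape(part))
    return re.compile(out)


def resolve(rules, path):
    """Return (forward target, forced status or None) for a request path."""
    forced = None
    for pattern, target, last, set_status in rules:
        m = to_regex(pattern).fullmatch(path)
        if not m:
            continue
        # Substitute $1, $2, ... with the text captured by the wildcards.
        path = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), target)
        forced = set_status or forced
        if last:
            break
    return path, forced


if __name__ == "__main__":
    # A forward to /WEB-INF/... gets served: the container only refuses
    # direct client requests for WEB-INF, not internal forwards.
    for name, rules in [("fixed", FIXED), ("without deny", WITHOUT_DENY),
                        ("deny too late", DENY_TOO_LATE)]:
        print(name, resolve(rules, "/static/WEB-INF/web.xml"))
```

The `DENY_TOO_LATE` case shows why the 403 rule has to sit above `/static/**`: that rule is marked `last="true"`, so anything below it never sees the request.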

          People

          • Assignee:
            balex Ben Alex
            Reporter:
            mikej Mike J