jsr372-experts@javaserverfaces-spec-public.java.net

[jsr372-experts] Re: [jsr372-experts mirror] Re: [1359-views] DISCUSSION

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Wed, 11 Mar 2015 22:26:58 +0100

Hi,

On Wed, Mar 11, 2015 at 8:51 PM, Frank Caputo <frank_at_frankcaputo.de> wrote:
> But this won’t fix the security issue for other facelets than views, right?

True, so a default *.xhtml mapping is then still needed as well. That
would make JSF secure by default wrt this specific issue for all
cases.

Eventually the hope would be that people put all their views in the
secure location WEB-INF/views. If the runtime and libraries would
slowly start to implicitly require that by only supporting certain new
features (such as extensionless mapping) for views in that folder,
then I'd figure people would migrate to that as well.

With respect to security, the alternative is to make WEB-INF/views the
only location, and to change the default for /resources to be
WEB-INF/resources, /contracts to WEB-INF/contracts, etc. This is a
somewhat bigger change which requires people to do more work when
upgrading.

Of course, whatever approach is chosen, there should be switches to
opt-out and revert to the old behavior. These switches should contain
warnings in their documentation and perhaps cause a warning to be
logged as well, that there's a risk for source code exposure. In that
case however it would be the user who explicitly has to opt-out of a
secure default and opt-in to a potentially non-secure situation.

Currently it's the other way around, and I'm fairly sure that many
users are now completely oblivious to the fact their source is being
exposed.

Unfortunately no solution that's proposed to this date is truly
perfect, each one has its own pros and cons. If anyone has any better
idea still I'm of course all ears.

Kind regards,
Arjan

>
> Ciao Frank
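
An added example (not code from this thread, from the JSF spec, or from any JSF implementation) of the kind of startup warning discussed above: a hypothetical ServletContextListener that uses the Servlet 3 registration API to check whether the FacesServlet is mapped to `*.xhtml` and logs a source-exposure warning if it is not. The class name `FaceletExposureCheck` and the log text are my own; `javax.faces.webapp.FacesServlet` is the standard servlet class name.

```java
import java.util.Collection;
import java.util.Map;
import java.util.logging.Logger;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletRegistration;
import javax.servlet.annotation.WebListener;

/**
 * Hypothetical startup check (not part of JSF). If the FacesServlet has no
 * *.xhtml mapping, a direct request for /page.xhtml is answered by the
 * container's default servlet with the raw Facelet source instead of the
 * rendered view; views under WEB-INF are never served directly, so only
 * Facelets outside WEB-INF are affected.
 */
@WebListener
public class FaceletExposureCheck implements ServletContextListener {

    private static final Logger LOG =
        Logger.getLogger(FaceletExposureCheck.class.getName());

    // Standard JSF servlet class name (Mojarra and MyFaces both register it).
    static final String FACES_SERVLET = "javax.faces.webapp.FacesServlet";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        if (!xhtmlHandledByFacesServlet(ctx.getServletRegistrations())) {
            LOG.warning("FacesServlet is not mapped to *.xhtml: Facelet files "
                + "outside WEB-INF will be served as plain text (source "
                + "exposure). Add a *.xhtml mapping or move views to WEB-INF/views.");
        }
    }

    /** True if a FacesServlet registration covers *.xhtml requests. */
    static boolean xhtmlHandledByFacesServlet(Map<String, ? extends ServletRegistration> regs) {
        for (ServletRegistration reg : regs.values()) {
            if (FACES_SERVLET.equals(reg.getClassName())) {
                Collection<String> mappings = reg.getMappings();
                // An explicit extension mapping or a catch-all prefix mapping
                // both take the request away from the default servlet.
                if (mappings.contains("*.xhtml") || mappings.contains("/*")) {
                    return true;
                }
            }
        }
        return false;
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}
```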