[jboss-jira] [JBoss JIRA] (WFLY-705) Implement a User Agent and Remote Address Filter for the HTTP Management Interface

Andre Dietisheim (JIRA) issues at jboss.org
Fri Dec 13 11:56:35 EST 2013


    [ https://issues.jboss.org/browse/WFLY-705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12931205#comment-12931205 ] 

Andre Dietisheim edited comment on WFLY-705 at 12/13/13 11:54 AM:
------------------------------------------------------------------

Stuart Douglas updated the handler in undertow to a more generic form that allows you to do some regex-acl against ANY request header. Personally this very much matches my gusto. I saw some behaviour I'm not sure about though:

The handler would check the request header attribute for being null. If it is, it would disallow. I'm wondering if it's not also possible that a non-existing user-agent is considered valid. 

updated PR: https://github.com/undertow-io/undertow/pull/148
                
      was (Author: adietish):
    Stuart Douglas updated the handler in undertow to a more generic form that allows you to do some regex-acl against ANY request header. Personally this very much matches my gusto. I saw some behaviour I'm not sure about though:

The handler would check the request header attribute for being null. If it is, it would disallow. I'm wondering if it's not also possible that a non-existing user-agent is considered valid. 
                  
> Implement a User Agent and Remote Address Filter for the HTTP Management Interface
> ----------------------------------------------------------------------------------
>
>                 Key: WFLY-705
>                 URL: https://issues.jboss.org/browse/WFLY-705
>             Project: WildFly
>          Issue Type: Feature Request
>      Security Level: Public(Everyone can see) 
>          Components: Domain Management, Security
>            Reporter: Darran Lofthouse
>            Assignee: Andre Dietisheim
>             Fix For: Awaiting Volunteers
>
>
> The HTTP Management interface provides access to manage the domain model; this interface is partly dependent on the protection supplied by an end user's web browser.
> This feature request is to optionally filter inbound requests based on a configurable list of supported user agents and/or remote addresses - this will mean buggy browser versions can be excluded and remote clients restricted.
> Anyone interested in contributing please feel free to ping darranl in #jboss-as7.

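The comment above asks what a regex ACL on a request header should do when the header is absent. The following is an added example, not code from the Undertow pull request or from WildFly: a plain-Java sketch with hypothetical class and method names, run over constructed User-Agent values, that makes the missing-header verdict an explicit setting so the deny and allow behaviours can be compared side by side.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added illustration: hypothetical names, plain Java, not Undertow's handler API.
public class HeaderAclExample {
    private final Map<Pattern, Boolean> rules = new LinkedHashMap<>(); // insertion order = rule order
    private final boolean defaultAllow;      // verdict when no rule matches
    private final boolean allowWhenMissing;  // verdict when the header is absent

    HeaderAclExample(boolean defaultAllow, boolean allowWhenMissing) {
        this.defaultAllow = defaultAllow;
        this.allowWhenMissing = allowWhenMissing;
    }

    HeaderAclExample rule(String regex, boolean allow) {
        rules.put(Pattern.compile(regex), allow);
        return this;
    }

    // First matching rule wins; matches() requires the regex to cover the whole value.
    boolean isAllowed(String headerValue) {
        if (headerValue == null) {
            return allowWhenMissing; // the case questioned in the comment
        }
        for (Map.Entry<Pattern, Boolean> r : rules.entrySet()) {
            if (r.getKey().matcher(headerValue).matches()) {
                return r.getValue();
            }
        }
        return defaultAllow;
    }

    public static void main(String[] args) {
        // Constructed User-Agent values; "ExampleBrowser" is a made-up product name.
        String[] samples = {
            "Mozilla/5.0 (X11) ExampleBrowser/9.1",
            "Mozilla/5.0 (X11) ExampleBrowser/3.0",
            null // request sent without a User-Agent header
        };
        for (boolean allowMissing : new boolean[] {false, true}) {
            HeaderAclExample acl = new HeaderAclExample(false, allowMissing)
                .rule(".*ExampleBrowser/3\\..*", false)   // exclude a known-bad version
                .rule("Mozilla/5\\.0 .*", true);          // otherwise allow this family
            for (String ua : samples) {
                System.out.println("allowMissing=" + allowMissing + " " + ua + " -> " + acl.isAllowed(ua));
            }
        }
    }
}
```

With `allowWhenMissing` set to false the filter fails closed, so a request without the header is rejected like any unmatched value. Because the header value is supplied by the client, a filter of this kind excludes browsers that identify themselves honestly; restricting which clients can connect is the job of the remote address rules the issue also asks for.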