[jbpm-commits] JBoss JBPM SVN: r5022 - in projects/jsf-console/branches/jsf-console-3.2-soa: soa/src/main/webapp/WEB-INF and 1 other directory.
do-not-reply at jboss.org
do-not-reply at jboss.org
Wed Jun 10 08:09:38 EDT 2009
Author: alex.guizar at jboss.com
Date: 2009-06-10 08:09:38 -0400 (Wed, 10 Jun 2009)
New Revision: 5022
Modified:
projects/jsf-console/branches/jsf-console-3.2-soa/console/src/main/webapp/WEB-INF/web.xml
projects/jsf-console/branches/jsf-console-3.2-soa/soa/src/main/webapp/WEB-INF/web.xml
Log:
JBPM-1958: Security issue allows arbitrary java code to be deployed and executed (REOPENED)
Reenable upload servlet in SOA overlay and move it back to the secure area
Modified: projects/jsf-console/branches/jsf-console-3.2-soa/console/src/main/webapp/WEB-INF/web.xml
===================================================================
--- projects/jsf-console/branches/jsf-console-3.2-soa/console/src/main/webapp/WEB-INF/web.xml 2009-06-10 09:53:23 UTC (rev 5021)
+++ projects/jsf-console/branches/jsf-console-3.2-soa/console/src/main/webapp/WEB-INF/web.xml 2009-06-10 12:09:38 UTC (rev 5022)
@@ -83,7 +83,7 @@
</auth-constraint>
</security-constraint>
- <!-- Example Login page - lists user names -->
+ <!-- Example Login page - lists sample users -->
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
@@ -121,10 +121,9 @@
<!-- Bootstrap listener ==>
<listener>
<description>
- Force initialization of the hibernate session factory.
- This will create the DB tables on new installations,
- provided that the hibernate.hbm2ddl.auto property
- is set to "create".
+ Builds the Hibernate session factory on initialization.
+ This will create the database tables in new installations,
+ provided the hibernate.hbm2ddl.auto property is set.
</description>
<listener-class>org.jbpm.web.BootstrapListener</listener-class>
</listener>
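Review bot: The reworded description says the tables are created whenever `hibernate.hbm2ddl.auto` "is set", which is less accurate than the text it replaces. With the value `validate` Hibernate creates nothing, and with `create` it rebuilds the schema on every start rather than only in new installations, discarding existing data. I would name the values, for example `provided the hibernate.hbm2ddl.auto property is set to "create" or "update"`. The same wording is introduced in the last hunk of the soa web.xml.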
@@ -132,7 +131,7 @@
<listener>
<description>
- Closes the jBPM configuration on destruction, releasing application resources.
+ Closes the jBPM configuration on destruction, releasing resources.
This listener should appear after the job executor launcher,
to avoid reopening the configuration.
</description>
Modified: projects/jsf-console/branches/jsf-console-3.2-soa/soa/src/main/webapp/WEB-INF/web.xml
===================================================================
--- projects/jsf-console/branches/jsf-console-3.2-soa/soa/src/main/webapp/WEB-INF/web.xml 2009-06-10 09:53:23 UTC (rev 5021)
+++ projects/jsf-console/branches/jsf-console-3.2-soa/soa/src/main/webapp/WEB-INF/web.xml 2009-06-10 12:09:38 UTC (rev 5022)
@@ -40,12 +40,15 @@
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
- <!-- GPD Deployer Servlet ==>
<servlet>
<description>
Server counterpart for the Graphical Process Designer deployment feature.
- SECURITY WARNING. GPD deployment is a development aid, not for use in production.
- Make sure you either secure or remove this servlet prior to production deployment.
+ GPD WARNING. The SOA distribution of jBPM is tuned for production deployment
+ and maps this servlet to a URL pattern in the secured area. In consequence,
+ the upload servlet is no longer able to accept GPD deployment requests,
+ as GPD does not support authentication.
+ To reenable GPD deployment, map the servlet to the path expected by the GPD,
+ namely "/upload/*".
</description>
<servlet-name>GPD Deployer Servlet</servlet-name>
<servlet-class>org.jbpm.web.ProcessUploadServlet</servlet-class>
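Review bot: The new description replaces the old SECURITY WARNING with instructions for mapping the servlet back to `/upload/*`, but it does not say that this mapping accepts process deployments without authentication, which is the exposure the log attributes to JBPM-1958. I would keep one sentence of the old warning after the re-enable instruction, e.g. `Mapping the servlet outside the secured area accepts deployments without authentication; do so only in development environments.` The label would also be better left as `SECURITY WARNING` rather than `GPD WARNING`, so that a search of the descriptor for security notes still finds it. The servlet element continues past the end of this hunk.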
@@ -54,9 +57,8 @@
<servlet-mapping>
<servlet-name>GPD Deployer Servlet</servlet-name>
- <url-pattern>/upload/*</url-pattern>
+ <url-pattern>/app/upload/*</url-pattern>
</servlet-mapping>
- <!== GPD Deployer Servlet -->
<!--
This role list should be changed to include all the relevant roles for your environment.
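Review bot: Moving the mapping to `/app/upload/*` protects the servlet only if a `<security-constraint>` in this descriptor covers that path, and none is visible in this hunk. It is worth confirming that the constraint's `<url-pattern>` (presumably `/app/*`) matches the new mapping. Its `<web-resource-collection>` should also not list individual `<http-method>` elements, since the container leaves unlisted methods unconstrained. A comment above the mapping, such as `<!-- Must stay inside the secured URL space; see JBPM-1958 -->`, would help keep a later edit from moving it back out.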
@@ -122,17 +124,16 @@
<listener>
<description>
- Force initialization of the hibernate session factory.
- This will create the DB tables on new installations,
- provided that the hibernate.hbm2ddl.auto property
- is set to "create".
+ Builds the Hibernate session factory on initialization.
+ This will create the database tables in new installations,
+ provided the hibernate.hbm2ddl.auto property is set.
</description>
<listener-class>org.jbpm.web.BootstrapListener</listener-class>
</listener>
<listener>
<description>
- Closes the jBPM configuration on destruction, releasing application resources.
+ Closes the jBPM configuration on destruction, releasing resources.
This listener should appear after the job executor launcher,
to avoid reopening the configuration.
</description>