[jbpm-commits] JBoss JBPM SVN: r5022 - in projects/jsf-console/branches/jsf-console-3.2-soa: soa/src/main/webapp/WEB-INF and 1 other directory.

do-not-reply at jboss.org do-not-reply at jboss.org
Wed Jun 10 08:09:38 EDT 2009 

Author: alex.guizar at jboss.com
Date: 2009-06-10 08:09:38 -0400 (Wed, 10 Jun 2009)
New Revision: 5022

Modified:
   projects/jsf-console/branches/jsf-console-3.2-soa/console/src/main/webapp/WEB-INF/web.xml
   projects/jsf-console/branches/jsf-console-3.2-soa/soa/src/main/webapp/WEB-INF/web.xml
Log:
JBPM-1958: Security issue allows arbitrary java code to be deployed and executed (REOPENED)
Reenable upload servlet in SOA overlay and move it back to the secure area

Modified: projects/jsf-console/branches/jsf-console-3.2-soa/console/src/main/webapp/WEB-INF/web.xml
===================================================================
--- projects/jsf-console/branches/jsf-console-3.2-soa/console/src/main/webapp/WEB-INF/web.xml	2009-06-10 09:53:23 UTC (rev 5021)
+++ projects/jsf-console/branches/jsf-console-3.2-soa/console/src/main/webapp/WEB-INF/web.xml	2009-06-10 12:09:38 UTC (rev 5022)
@@ -83,7 +83,7 @@
     </auth-constraint>
   </security-constraint>
 
-  <!-- Example Login page - lists user names -->
+  <!-- Example Login page - lists sample users -->
   <login-config>
     <auth-method>FORM</auth-method>
     <form-login-config>
@@ -121,10 +121,9 @@
   <!-- Bootstrap listener ==>
   <listener>
     <description>
-      Force initialization of the hibernate session factory.
-      This will create the DB tables on new installations,
-      provided that the hibernate.hbm2ddl.auto property
-      is set to "create".
+      Builds the Hibernate session factory on initialization.
+      This will create the database tables in new installations,
+      provided the hibernate.hbm2ddl.auto property is set.
     </description>
     <listener-class>org.jbpm.web.BootstrapListener</listener-class>
   </listener>
@@ -132,7 +131,7 @@
 
   <listener>
     <description>
-      Closes the jBPM configuration on destruction, releasing application resources.
+      Closes the jBPM configuration on destruction, releasing resources.
       This listener should appear after the job executor launcher,
       to avoid reopening the configuration.
     </description>

Modified: projects/jsf-console/branches/jsf-console-3.2-soa/soa/src/main/webapp/WEB-INF/web.xml
===================================================================
--- projects/jsf-console/branches/jsf-console-3.2-soa/soa/src/main/webapp/WEB-INF/web.xml	2009-06-10 09:53:23 UTC (rev 5021)
+++ projects/jsf-console/branches/jsf-console-3.2-soa/soa/src/main/webapp/WEB-INF/web.xml	2009-06-10 12:09:38 UTC (rev 5022)
@@ -40,12 +40,15 @@
     <welcome-file>index.jsp</welcome-file>
   </welcome-file-list>
 
-  <!-- GPD Deployer Servlet ==>
   <servlet>
     <description>
       Server counterpart for the Graphical Process Designer deployment feature.
-      SECURITY WARNING. GPD deployment is a development aid, not for use in production.
-      Make sure you either secure or remove this servlet prior to production deployment. 
+      GPD WARNING. The SOA distribution of jBPM is tuned for production deployment
+      and maps this servlet to a URL pattern in the secured area. In consequence,
+      the upload servlet is no longer able to accept GPD deployment requests,
+      as GPD does not support authentication.
+      To reenable GPD deployment, map the servlet to the path expected by the GPD,
+      namely "/upload/*". 
     </description>
     <servlet-name>GPD Deployer Servlet</servlet-name>
     <servlet-class>org.jbpm.web.ProcessUploadServlet</servlet-class>
@@ -54,9 +57,8 @@
 
   <servlet-mapping>
     <servlet-name>GPD Deployer Servlet</servlet-name>
-    <url-pattern>/upload/*</url-pattern>
+    <url-pattern>/app/upload/*</url-pattern>
   </servlet-mapping>
-  <!== GPD Deployer Servlet -->
 
   <!--
     This role list should be changed to include all the relevant roles for your environment.
@@ -122,17 +124,16 @@
 
   <listener>
     <description>
-      Force initialization of the hibernate session factory.
-      This will create the DB tables on new installations,
-      provided that the hibernate.hbm2ddl.auto property
-      is set to "create".
+      Builds the Hibernate session factory on initialization.
+      This will create the database tables in new installations,
+      provided the hibernate.hbm2ddl.auto property is set.
     </description>
     <listener-class>org.jbpm.web.BootstrapListener</listener-class>
   </listener>
 
   <listener>
     <description>
-      Closes the jBPM configuration on destruction, releasing application resources.
+      Closes the jBPM configuration on destruction, releasing resources.
       This listener should appear after the job executor launcher,
       to avoid reopening the configuration.
     </description>

More information about the jbpm-commits mailing list