[teiid-issues] [JBoss JIRA] (TEIID-4090) Issue with entitysets/properties ending in auth or token

Steven Hawkins (JIRA) issues at jboss.org
Thu Jun 9 15:32:00 EDT 2016


    [ https://issues.jboss.org/browse/TEIID-4090?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13250544#comment-13250544 ] 

Steven Hawkins commented on TEIID-4090:
---------------------------------------

> I can not seem to remember the reason I added the "static" content servlet?

I can't find anything related to the commit comment - https://issues.jboss.org/issues/?jql=issuekey%20in%20(TEIID-4090%2C%20%20TEIID-3962%2C%20TEIID-4060%2C%20TEIID-4059%2C%20TEIID-4039%2C%20TEIID-4055%2C%20TEIID-3782)

It seems like it needs to be more secure - allowing any resource to be read from the classpath is a security issue.  Did you add it for debugging or perhaps for other security work?

> Issue with entitysets/properties ending in auth or token
> --------------------------------------------------------
>
>                 Key: TEIID-4090
>                 URL: https://issues.jboss.org/browse/TEIID-4090
>             Project: Teiid
>          Issue Type: Bug
>          Components: OData
>    Affects Versions: 8.12
>            Reporter: Steven Hawkins
>            Assignee: Ramesh Reddy
>             Fix For: 9.0, 8.12.5
>
>
> To handle oauth, we are checking for uri.endsWith("auth") || uri.endsWith("token") - however valid uris can end with those characters as well.  An ioexception will be thrown instead of seeing the expected results - we also need to not simply throw an ioexception in ODataServlet as there is no server log of the exception and the client sees a 500 error.



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
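
The suffix check quoted in the issue description, next to a whole-segment comparison, as an added example (this is not Teiid's code and not the fix that was committed). It assumes the OAuth helper endpoints are the literal final path segments `auth` and `token`; the class name, method names and sample paths are constructed for illustration.

```java
import java.util.Set;

public class OAuthPathMatch {
    // Assumption: the OAuth endpoints are exactly the final path segments "auth" and "token".
    private static final Set<String> OAUTH_SEGMENTS = Set.of("auth", "token");

    // The check from the issue: true for any path whose last characters spell "auth" or "token".
    static boolean suffixMatch(String path) {
        return path.endsWith("auth") || path.endsWith("token");
    }

    // Compare the complete final path segment instead of a raw string suffix.
    static boolean segmentMatch(String path) {
        if (path == null || path.isEmpty()) {
            return false;
        }
        // Tolerate one trailing slash so "/.../token/" is treated like "/.../token".
        if (path.endsWith("/")) {
            path = path.substring(0, path.length() - 1);
        }
        String last = path.substring(path.lastIndexOf('/') + 1);
        return OAUTH_SEGMENTS.contains(last);
    }

    public static void main(String[] args) {
        // Constructed request paths; the VDB, model and entity names are made up.
        String[] samples = {
            "/odata/vdb/model/auth",
            "/odata/vdb/model/token",
            "/odata/vdb/model/customer_auth",
            "/odata/vdb/model/access_token",
            "/odata/vdb/model/orders(1)/csrftoken"
        };
        for (String s : samples) {
            System.out.printf("%-40s suffix=%-5b segment=%b%n",
                    s, suffixMatch(s), segmentMatch(s));
        }
    }
}
```

The last three sample paths are entity sets or properties that the suffix check routes into the OAuth branch while the segment comparison leaves them alone. An entity set named exactly `token` would still collide with the segment comparison, so the endpoint also needs a fixed position relative to the servlet root.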

