Predefined RAP GET Parameters [message #548280] Wed, 21 July 2010 11:04
Benjamin Wolff
Hello,

I was wondering if there is an overview (or something like that) of the predefined GET parameters in the URL of a RAP application that are digested by the RAP framework.
The reason I am asking is whether I have to consider any security issues with these parameters when putting an application on the web, for example. I tried to identify the parameters by reading the RAP extension point descriptions. I don't know if this covers all parameters. So far, I have only found 2 parameters that a RAP application consumes; maybe you can help me to complement those and/or correct my security assumptions about these ;). I should mention that I deactivate the Equinox Servletbridge framework controls by disabling "enableFrameworkControls" in the web.xml when the application is deployed, so the "sp_" commands won't work, which would be suicide in productive use anyway ;)

Parameters:

startup - Selects an entrypoint, imho no security issues as long as no one tries to use "secret entrypoints" as an access control of some kind ;)
custom_service_handler - Addresses a custom service handler, again no concern I think. The implementation of the service handler has to provide access controls.

In particular, I would like to clarify that there is no way of providing any other information, e.g. a perspectiveID, that I might overlook. But I'm quite sure this is not possible, just want to have your blessing about that :).

Thanks!

Greetings,
-Ben
Re: Predefined RAP GET Parameters [message #548530 is a reply to message #548280] Thu, 22 July 2010 09:40
Ralf Sternberg

Hi Benjamin,

there is no such overview. Besides the startup parameter, there is still
an undocumented "theme" parameter which lets you choose a certain theme,
see bug http://bugs.eclipse.org/320605

Of course, the enableFrameworkControls parameter is disabled by default
in our web.xml template, so there's no danger.

Regarding your concerns, we had the idea of some kind of a "production
mode", in which parameters (even startup) are disabled and applications
can only be started by a branding. If you think that would be useful,
feel free to open a bug.

Best regards, Ralf
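
An added example, not code from RAP or from either poster: one way to approximate the "production mode" discussed above with a standard servlet filter mapped in front of the RAP servlet. The class name, the `allowedStartups` init-param and the choice to reject `theme` outright are assumptions; only the `javax.servlet` API is used, and `custom_service_handler` is left to the handler's own access checks as the first post says.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter (not part of RAP): restricts the framework-level URL parameters. */
public class RapParameterFilter implements Filter {

    // Assumption: entry point names this deployment wants reachable by URL.
    private final Set<String> allowedStartups = new HashSet<String>();

    public void init(FilterConfig config) {
        // Hypothetical init-param, e.g. "default,shop"; absent or empty means none allowed.
        String csv = config.getInitParameter("allowedStartups");
        if (csv != null) {
            for (String name : csv.split(",")) {
                if (!name.trim().isEmpty()) allowedStartups.add(name.trim());
            }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // getParameterValues sees query-string and form-body parameters alike.
        if (isAllowed(req.getParameterValues("startup"), req.getParameterValues("theme"))) {
            chain.doFilter(req, res);
        } else {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
        }
    }

    /** Decision logic kept separate so it can be unit-tested without a container. */
    boolean isAllowed(String[] startup, String[] theme) {
        if (theme != null) return false;   // theme selection by URL is switched off
        if (startup == null) return true;  // no parameter: the default entry point applies
        // Exactly one value, and it must be on the allowlist (rejects startup=a&startup=b).
        return startup.length == 1 && allowedStartups.contains(startup[0]);
    }

    public void destroy() { }
}
```

The filter narrows which entry points a URL can select; it does not authenticate anyone, so an allowed entry point still needs its own access control.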


Re: Predefined RAP GET Parameters [message #548578 is a reply to message #548530] Thu, 22 July 2010 11:28
Benjamin Wolff
Good idea!

https://bugs.eclipse.org/bugs/show_bug.cgi?id=320615

Greetings,
-Ben

