Skip to main content


Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » Remote Application Platform (RAP) » Predefined RAP GET Parameters
Predefined RAP GET Parameters [message #548280] Wed, 21 July 2010 11:04 Go to next message
Benjamin Wolff is currently offline Benjamin WolffFriend
Messages: 136
Registered: July 2009
Senior Member
Hello,

i was wondering, if there is an overview (or something like that) for the predefined GET Parameters in the URL of a RAP application that are digesten by the RAP framework.
The reason for me asking is, if i have to consider any security issues with these parameters when putting an application on the web, for example. I tried to identify the parameters by reading the RAP extension point descriptions. I don't know, if this covers all parameters. So far, i only found 2 parameters that a RAP application consumes, maybe you can help me to complement those and/or correct my security assumptions about these ;). I should mention, that i deactivate the Equinox Servletbridge framework controls by disabling "enableFrameworkControls" in the web.xml when the application is deployed, so the "sp_" commands won't work, which would be suicide in productive use anyway ;)

Parameters:

startup - Selects an entrypoint, imho no security issues as far as noone tries to use "secret entrypoints" as an access-control of somekind ;)
custom_service_handler - Adresses a custom service handler, again no concern i think. The implementation of the service handler has to provide access-controls.

Especially i would like to clarify, that there is no way of providing any other information, like e.g. a perspectiveID, that i might oversee. But i'm quite sure this is not possible, just want to have your blessing about that :).

Thanks!

Greetings,
-Ben
Re: Predefined RAP GET Parameters [message #548530 is a reply to message #548280] Thu, 22 July 2010 09:40 Go to previous messageGo to next message
Ralf Sternberg is currently offline Ralf SternbergFriend
Messages: 1313
Registered: July 2009
Senior Member

Hi Benjamin,

there is no such overview. Beside the startup parameter, there is still
an undocumented "theme" parameter which lets you choose a certain theme,
see bug http://bugs.eclipse.org/320605

Of course, the enableFrameworkControls parameter is disabled by default
in our web.xml template, so there's no danger.

Regarding your concerns, we had the idea of some kind of a "production
mode", in which parameters (even startup) are disabled and applications
can only be started by a branding. If you think that would be useful,
feel free to open a bug.

Best regards, Ralf


Benjamin Wolff wrote:
> Hello,
>
> i was wondering, if there is an overview (or something like that) for
> the predefined GET Parameters in the URL of a RAP application that are
> digesten by the RAP framework.
> The reason for me asking is, if i have to consider any security issues
> with these parameters when putting an application on the web, for
> example. I tried to identify the parameters by reading the RAP extension
> point descriptions. I don't know, if this covers all parameters. So far,
> i only found 2 parameters that a RAP application consumes, maybe you can
> help me to complement those and/or correct my security assumptions about
> these ;). I should mention, that i deactivate the Equinox Servletbridge
> framework controls by disabling "enableFrameworkControls" in the
> web.xml when the application is deployed, so the "sp_" commands won't
> work, which would be suicide in productive use anyway ;)
>
> Parameters:
>
> startup - Selects an entrypoint, imho no security issues as far as noone
> tries to use "secret entrypoints" as an access-control of somekind ;)
> custom_service_handler - Adresses a custom service handler, again no
> concern i think. The implementation of the service handler has to
> provide access-controls.
>
> Especially i would like to clarify, that there is no way of providing
> any other information, like e.g. a perspectiveID, that i might oversee.
> But i'm quite sure this is not possible, just want to have your blessing
> about that :).
>
> Thanks!
>
> Greetings,
> -Ben
>
>
Re: Predefined RAP GET Parameters [message #548578 is a reply to message #548530] Thu, 22 July 2010 11:28 Go to previous message
Benjamin Wolff is currently offline Benjamin WolffFriend
Messages: 136
Registered: July 2009
Senior Member
Good idea!

https://bugs.eclipse.org/bugs/show_bug.cgi?id=320615

Greetings,
-Ben


Am 22.07.2010 11:40, schrieb Ralf Sternberg:
> Hi Benjamin,
>
> there is no such overview. Beside the startup parameter, there is still
> an undocumented "theme" parameter which lets you choose a certain theme,
> see bug http://bugs.eclipse.org/320605
>
> Of course, the enableFrameworkControls parameter is disabled by default
> in our web.xml template, so there's no danger.
>
> Regarding your concerns, we had the idea of some kind of a "production
> mode", in which parameters (even startup) are disabled and applications
> can only be started by a branding. If you think that would be useful,
> feel free to open a bug.
>
> Best regards, Ralf
>
>
> Benjamin Wolff wrote:
>> Hello,
>>
>> i was wondering, if there is an overview (or something like that) for
>> the predefined GET Parameters in the URL of a RAP application that are
>> digesten by the RAP framework.
>> The reason for me asking is, if i have to consider any security issues
>> with these parameters when putting an application on the web, for
>> example. I tried to identify the parameters by reading the RAP extension
>> point descriptions. I don't know, if this covers all parameters. So far,
>> i only found 2 parameters that a RAP application consumes, maybe you can
>> help me to complement those and/or correct my security assumptions about
>> these ;). I should mention, that i deactivate the Equinox Servletbridge
>> framework controls by disabling "enableFrameworkControls" in the
>> web.xml when the application is deployed, so the "sp_" commands won't
>> work, which would be suicide in productive use anyway ;)
>>
>> Parameters:
>>
>> startup - Selects an entrypoint, imho no security issues as far as noone
>> tries to use "secret entrypoints" as an access-control of somekind ;)
>> custom_service_handler - Adresses a custom service handler, again no
>> concern i think. The implementation of the service handler has to
>> provide access-controls.
>>
>> Especially i would like to clarify, that there is no way of providing
>> any other information, like e.g. a perspectiveID, that i might oversee.
>> But i'm quite sure this is not possible, just want to have your blessing
>> about that :).
>>
>> Thanks!
>>
>> Greetings,
>> -Ben
>>
>>
Previous Topic:[ANN] New tree implementation in CVS
Next Topic:error after product export
Goto Forum:
  


Current Time: Thu Feb 22 22:17:01 GMT 2024

Powered by FUDForum. Page generated in 0.02577 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top