Bug #6718

closed

Feature #6711: refactoring of lavoisier security

support authentication for operation "/notify"

Added by Reynaud Sylvain over 10 years ago. Updated over 10 years ago.

Status: Rejected
Priority: Normal
Assigned To:
Category: Service
Target version:
Start date: 03/31/2014
Due date:
% Done: 100%
Estimated time:

Description

Create an <authenticators> section in a separate configuration file "./security/lavoisier-notify.xml".

Actions #1

Updated by Reynaud Sylvain over 10 years ago

  • Target version changed from 2.1 to later
Actions #2

Updated by Reynaud Sylvain over 10 years ago

  • Tracker changed from Task to Bug
  • Description updated (diff)
Actions #3

Updated by Reynaud Sylvain over 10 years ago

  • Description updated (diff)
Actions #4

Updated by Reynaud Sylvain over 10 years ago

  • Description updated (diff)
Actions #5

Updated by Reynaud Sylvain over 10 years ago

  • Status changed from New to Rejected
  • % Done changed from 0 to 100

This issue is rejected because:
  • the operation "notify" does not expose any data.
  • the new attribute @ignore-during already solves the only security risk: denial of service.
  • the solutions to solve this issue are:
    • either too costly: support authentication for operation "/notify".
    • or too ugly: create a NotifyConnector that depends on the lavoisier-engine module.
      <view name="notify" authenticators="notifier">
          <argument name="view"/>
          <connector type="NotifyConnector">
              <parameter name="view" eval="$view"/>
          </connector>
      </view>
      