- Type: Improvement
- Status: Closed
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: 5.1 EE SP5 (5.1.8), 5.2 EE SP3 (5.2.7)
- Fix Version/s: 5.1 EE SP6 (5.1.9), 5.2 EE SP4 (5.2.8)
- Component/s: Application Security
- Labels: None
- Environment: All
Suppose there are multiple portlets in one portlet WAR. For example, the first portlet could contain a set of JSPs in /basic/ and a second portlet could contain a set of JSPs in /admin/.
Currently, it is up to the portlet developer to ensure that a user who has access to the basic portlet does not change the "jspPage" parameter to point to a JSP page in the /admin/ path. Preventing that requires a lot of manual coding, which defeats the purpose of using the MVC Portlet.
This update adds the ability to limit a portlet to a particular path by setting a "jsp-path" init parameter in portlet.xml. For example, setting the basic portlet's jsp-path to "/basic/" ensures that the basic portlet cannot call any JSP other than those under the /basic/ path. It also detects ".." and other tricks so that a malicious user cannot circumvent the restriction.
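The kind of confinement check the jsp-path init parameter implies, written here as an illustrative example; it is not Liferay's own MVCPortlet code. It assumes a configured jsp-path of "/basic/" and treats the request's "jspPage" value as untrusted input, rejecting ".." traversal, encoded separators and anything that normalizes outside the prefix.

```java
import java.net.URI;

/*
 * Illustrative guard (not Liferay's implementation). The prefix would come from
 * portlet.xml, e.g.:
 *   <init-param><name>jsp-path</name><value>/basic/</value></init-param>
 */
public final class JspPathGuard {

    private final String allowedPrefix;

    public JspPathGuard(String jspPath) {
        // Normalize the configured prefix so it always starts and ends with "/"
        String p = jspPath.startsWith("/") ? jspPath : "/" + jspPath;
        this.allowedPrefix = p.endsWith("/") ? p : p + "/";
    }

    /** Returns true only if the requested page resolves inside the allowed prefix. */
    public boolean isAllowed(String jspPage) {
        if (jspPage == null || jspPage.isEmpty()) return false;
        // Reject backslashes, NUL bytes, percent-encoding and protocol-relative "//"
        // before normalizing, so encoded or alternate separators cannot slip through
        if (jspPage.contains("\\") || jspPage.contains("\0")
                || jspPage.contains("%") || jspPage.startsWith("//")) return false;
        String normalized;
        try {
            // URI.normalize() collapses "." and ".." segments; a URI with a scheme
            // or authority yields a path that will not match the prefix anyway
            normalized = URI.create(jspPage).normalize().getPath();
        } catch (IllegalArgumentException e) {
            return false; // malformed value (e.g. spaces, bad characters)
        }
        if (normalized == null || !normalized.startsWith("/")) return false;
        // ".." that tried to climb above the root survives normalization; reject it
        if (normalized.contains("/../") || normalized.endsWith("/..")) return false;
        return normalized.startsWith(allowedPrefix);
    }

    public static void main(String[] args) {
        JspPathGuard guard = new JspPathGuard("/basic/");
        String[] samples = {                      // constructed sample inputs
            "/basic/view.jsp",                    // allowed
            "/basic/./view.jsp",                  // allowed after normalization
            "/basic/../admin/secret.jsp",         // rejected: escapes the prefix
            "/basic/..%2Fadmin/secret.jsp",       // rejected: encoded separator
            "/basic/..\\admin/secret.jsp",        // rejected: backslash
            "/admin/secret.jsp"                   // rejected: outside the prefix
        };
        for (String s : samples) {
            System.out.println((guard.isAllowed(s) ? "ALLOW  " : "REJECT ") + s);
        }
    }
}
```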
- is related to: LPS-9010 MVCPortlet needs configuration to ensure only certain paths are allowed per portlet (Closed)