History | Log In     View a printable version of the current page.  
   HOME       BROWSE PROJECT       FIND ISSUES   
    QUICK SEARCH:  
Issue Details (XML | Word | Printable)

Key: GEOS-1785
Type: Bug Bug
Status: Closed Closed
Resolution: Fixed
Priority: Blocker Blocker
Assignee: Andrea Aime
Reporter: Andrea Aime
Votes: 0
Watchers: 2
Operations

If you were logged in you would be able to see more operations.
GeoServer

Data dir included in the .war distribution is wide open for the world to see...

Created: 04/Mar/08 02:16 AM   Updated: 07/Mar/08 10:08 AM
Component/s: Global
Affects Version/s: 1.6.0, 1.6.1
Fix Version/s: 1.6.2

Time Tracking:
Not Specified


 Description  « Hide
Basically everyone can see the contents of the data dir besides the services and catalog files that are explicitly hidden.
I'd say we reverse the situation, can we put the data dir into WEB-INF so that it's not visible at all unless we explicitly publish something with the file publisher?
Alternatively, it can stay there, we register the file hider to catch and hide everything into that dir. The file publisher is using paths other than data anyways, no?
(e.g. http://host:port/geoserver/www or http://host:port/geoserver/styles).

 All   Comments   Work Log   Change History      Sort Order: Ascending order - Click to sort in descending order
[ Permlink | « Hide ]
Andrea Aime - 04/Mar/08 03:30 AM
Tested the "move into WEB-INF" approach. Requires a minor modification to GeoserverDataDirectory and to the config maven plugin, and seems to work fine. The data dir behaves just like and external one as far as I can see. Simple and to the point, also avoids the need of the FileHider servlet hack (it's the way we used in 1.5.x. to hide services.xml and catalog.xml).
Shall I commit on 1.6.x, people do test it, and then we decide what to do about an eventual re-release? Or we roll out an emergency 1.6.2 by copying what's in the 1.6.1 tag?

[ Permlink | « Hide ]
Chris Holmes - 04/Mar/08 07:22 AM
I suppose we should cut a quick 1.6.2 release, with just the one fix. It's fine if it's just what's in 1.6.1 plus this fix.

[ Permlink | « Hide ]
Andrea Aime - 04/Mar/08 07:34 AM
Yeah, 1.6.x already has watermarking in, and I think most of the developer still haven't had a look at it. I would feel better doing an svn copy of 1.6.1 tag into 1.6.2, patch there, and re-release

[ Permlink | « Hide ]
Rob Atkinson - 04/Mar/08 04:43 PM
it would be nice if on deployment Geoserver looked to see if a data dir was installed, and if not provided an option to choose it at the admin screen.

other requests would throw a meaningful error message of course


[ Permlink | « Hide ]
Andrea Aime - 05/Mar/08 01:42 AM
That would require a major change in how GeoServer is started up unfortunately, we'd have to make the Data class an indirection to the actual data class. At the moment Data loads the data dir content during the spring context startup, this basically mean, either the data dir is there where it's supposed to be, or GeoServer won't wire up properly and die.
I agree it would be advisable to do what you say, we have to consider it when we rewrite the config and ui subsystem.

[ Permlink | « Hide ]
Andrea Aime - 05/Mar/08 05:05 AM
Tested a different approach which requires less modifications: we just stick the file hider servlet on the /data/* path and that effectively hides whatever is in the data dir. The file publisher then exposes just what we want.
This approach is better, Jody made me remember that we moved the data dir out of WEB-INF because otherwise under certain web containers it would have been unreachable (was that jboss? can't remember).

[ Permlink | « Hide ]
Justin Deoliveira - 05/Mar/08 05:41 AM
Integrated in geoserver-trunk #375 (See http://gridlock.openplans.org:8080/hudson/job/geoserver-trunk/375/)


Powered by a free Atlassian JIRA open source license for Codehaus. Try JIRA - bug tracking software for your team.
Atlassian JIRA the Professional Issue Tracker. (Enterprise Edition, Version: 3.12.2-#300) - Bug/feature request - Atlassian news - Contact Administrators