[xwiki-devs] [Proposal] Add notion of "Restricted" Configuration Source to XWiki Commons
Hi devs,

We have the need of a Configuration Source component hint for implementation that only looks in non-modifiable sources (e.g. xwiki.properties).

More specifically there's a security issue in some cases in allowing to use the current "default" configuration source which looks in space preferences, wiki preferences and then only in xwiki.properties.

For example the Environment's permanent directory should not be modifiable from wiki pages (see http://jira.xwiki.org/browse/XCOMMONS-182).

So here's the proposal:

* Introduce a new RestrictedConfigurationSourceProvider implementation (in configuration-api) that does the same as the current ConfigurationSourceProvider but when looking up the CS, it looks for a CS with hint "restricted"
* Deprecate the current XWikiPropertiesConfigurationSource (hint = "default")
* Add a new XWikiPropertiesConfigurationSource with hint = "restricted"
* Modify DefaultEnvironmentConfiguration to use:

  @Inject @Named("restricted") private Provider<ConfigurationSource> configurationSourceProvider;

WDYT?

Thanks
-Vincent

On Wed, May 30, 2012 at 2:26 PM, Vincent Massol <[email protected]> wrote:
> Hi devs,
> We have the need of a Configuration Source component hint for implementation that only looks in non-modifiable sources (e.g. xwiki.properties).
> More specifically there's a security issue in some cases in allowing to use the current "default" configuration source which looks in space preferences, wiki preferences and then only in xwiki.properties.
> For example the Environment's permanent directory should not be modifiable from wiki pages (see http://jira.xwiki.org/browse/XCOMMONS-182).
> So here's the proposal:
> * Introduce a new RestrictedConfigurationSourceProvider implementation (in configuration-api) that does the same as the current ConfigurationSourceProvider but when looking up the CS, it looks for a CS with hint "restricted"
> * Deprecate the current XWikiPropertiesConfigurationSource (hint = "default")

It's hint="xwikiproperties" actually.

> * Add a new XWikiPropertiesConfigurationSource with hint = "restricted"
> * Modify DefaultEnvironmentConfiguration to use:
>   @Inject @Named("restricted") private Provider<ConfigurationSource> configurationSourceProvider;
> WDYT?

+1

> Thanks
> -Vincent
> _______________________________________________
> devs mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/devs

-- Thomas Mortagne

On May 30, 2012, at 2:26 PM, Vincent Massol wrote:
> Hi devs,
> We have the need of a Configuration Source component hint for implementation that only looks in non-modifiable sources (e.g. xwiki.properties).
> More specifically there's a security issue in some cases in allowing to use the current "default" configuration source which looks in space preferences, wiki preferences and then only in xwiki.properties.
> For example the Environment's permanent directory should not be modifiable from wiki pages (see http://jira.xwiki.org/browse/XCOMMONS-182).
> So here's the proposal:
> * Introduce a new RestrictedConfigurationSourceProvider implementation (in configuration-api) that does the same as the current ConfigurationSourceProvider but when looking up the CS, it looks for a CS with hint "restricted"
> * Deprecate the current XWikiPropertiesConfigurationSource (hint = "default")
> * Add a new XWikiPropertiesConfigurationSource with hint = "restricted"

Made a mistake here. Instead:

* Introduce a new RestrictedConfigurationSourceProvider implementation (in configuration-api) that does the same as the current ConfigurationSourceProvider but when looking up the CS, it looks for a CS with hint "restricted"
* Add a new RestrictedConfigurationSource impl that uses only XWikiPropertiesConfigurationSource FTM

No need to deprecate anything.

Thanks
-Vincent

> * Modify DefaultEnvironmentConfiguration to use:
>   @Inject @Named("restricted") private Provider<ConfigurationSource> configurationSourceProvider;
> WDYT?
> Thanks
> -Vincent

On Wed, May 30, 2012 at 4:35 PM, Vincent Massol <[email protected]> wrote:
> On May 30, 2012, at 2:26 PM, Vincent Massol wrote:
> > Hi devs,
> > We have the need of a Configuration Source component hint for implementation that only looks in non-modifiable sources (e.g. xwiki.properties).
> > More specifically there's a security issue in some cases in allowing to use the current "default" configuration source which looks in space preferences, wiki preferences and then only in xwiki.properties.
> > For example the Environment's permanent directory should not be modifiable from wiki pages (see http://jira.xwiki.org/browse/XCOMMONS-182).
> > So here's the proposal:
> > * Introduce a new RestrictedConfigurationSourceProvider implementation (in configuration-api) that does the same as the current ConfigurationSourceProvider but when looking up the CS, it looks for a CS with hint "restricted"
> > * Deprecate the current XWikiPropertiesConfigurationSource (hint = "default")
> > * Add a new XWikiPropertiesConfigurationSource with hint = "restricted"
> Made a mistake here. Instead:
> * Introduce a new RestrictedConfigurationSourceProvider implementation (in configuration-api) that does the same as the current ConfigurationSourceProvider but when looking up the CS, it looks for a CS with hint "restricted"
> * Add a new RestrictedConfigurationSource impl that uses only XWikiPropertiesConfigurationSource FTM

Will you put RestrictedConfigurationSource in xwiki-commons-configuration-api or in xwiki-platform? It needs to know about "xwikiproperties" hint, which is specific to xwiki-platform.

Thanks,
Marius

> No need to deprecate anything.
> Thanks
> -Vincent
> > * Modify DefaultEnvironmentConfiguration to use:
> >   @Inject @Named("restricted") private Provider<ConfigurationSource> configurationSourceProvider;
> > WDYT?
> > Thanks
> > -Vincent

On May 30, 2012, at 4:13 PM, Marius Dumitru Florea wrote:
> On Wed, May 30, 2012 at 4:35 PM, Vincent Massol <[email protected]> wrote:
> > On May 30, 2012, at 2:26 PM, Vincent Massol wrote:
> > > Hi devs,
> > > We have the need of a Configuration Source component hint for implementation that only looks in non-modifiable sources (e.g. xwiki.properties).
> > > More specifically there's a security issue in some cases in allowing to use the current "default" configuration source which looks in space preferences, wiki preferences and then only in xwiki.properties.
> > > For example the Environment's permanent directory should not be modifiable from wiki pages (see http://jira.xwiki.org/browse/XCOMMONS-182).
> > > So here's the proposal:
> > > * Introduce a new RestrictedConfigurationSourceProvider implementation (in configuration-api) that does the same as the current ConfigurationSourceProvider but when looking up the CS, it looks for a CS with hint "restricted"
> > > * Deprecate the current XWikiPropertiesConfigurationSource (hint = "default")
> > > * Add a new XWikiPropertiesConfigurationSource with hint = "restricted"
> > Made a mistake here. Instead:
> > * Introduce a new RestrictedConfigurationSourceProvider implementation (in configuration-api) that does the same as the current ConfigurationSourceProvider but when looking up the CS, it looks for a CS with hint "restricted"
> > * Add a new RestrictedConfigurationSource impl that uses only XWikiPropertiesConfigurationSource FTM
> Will you put RestrictedConfigurationSource in xwiki-commons-configuration-api or in xwiki-platform? It needs to know about "xwikiproperties" hint, which is specific to xwiki-platform.

It's in platform-configuration-default, next to DefaultconfigurationSource.

thanks
-Vincent

> Thanks,
> Marius
> > No need to deprecate anything.
> > Thanks
> > -Vincent
> > > * Modify DefaultEnvironmentConfiguration to use:
> > >   @Inject @Named("restricted") private Provider<ConfigurationSource> configurationSourceProvider;
> > > WDYT?
> > > Thanks
> > > -Vincent

On Wed, May 30, 2012 at 5:18 PM, Vincent Massol <[email protected]> wrote:
> On May 30, 2012, at 4:13 PM, Marius Dumitru Florea wrote:
> > On Wed, May 30, 2012 at 4:35 PM, Vincent Massol <[email protected]> wrote:
> > > On May 30, 2012, at 2:26 PM, Vincent Massol wrote:
> > > > Hi devs,
> > > > We have the need of a Configuration Source component hint for implementation that only looks in non-modifiable sources (e.g. xwiki.properties).
> > > > More specifically there's a security issue in some cases in allowing to use the current "default" configuration source which looks in space preferences, wiki preferences and then only in xwiki.properties.
> > > > For example the Environment's permanent directory should not be modifiable from wiki pages (see http://jira.xwiki.org/browse/XCOMMONS-182).
> > > > So here's the proposal:
> > > > * Introduce a new RestrictedConfigurationSourceProvider implementation (in configuration-api) that does the same as the current ConfigurationSourceProvider but when looking up the CS, it looks for a CS with hint "restricted"
> > > > * Deprecate the current XWikiPropertiesConfigurationSource (hint = "default")
> > > > * Add a new XWikiPropertiesConfigurationSource with hint = "restricted"
> > > Made a mistake here. Instead:
> > > * Introduce a new RestrictedConfigurationSourceProvider implementation (in configuration-api) that does the same as the current ConfigurationSourceProvider but when looking up the CS, it looks for a CS with hint "restricted"
> > > * Add a new RestrictedConfigurationSource impl that uses only XWikiPropertiesConfigurationSource FTM
> > Will you put RestrictedConfigurationSource in xwiki-commons-configuration-api or in xwiki-platform? It needs to know about "xwikiproperties" hint, which is specific to xwiki-platform.
> It's in platform-configuration-default, next to DefaultconfigurationSource.

+1 then.

Thanks,
Marius

> thanks
> -Vincent
> > Thanks,
> > Marius
> > > No need to deprecate anything.
> > > Thanks
> > > -Vincent
> > > > * Modify DefaultEnvironmentConfiguration to use:
> > > >   @Inject @Named("restricted") private Provider<ConfigurationSource> configurationSourceProvider;
> > > > WDYT?
> > > > Thanks
> > > > -Vincent

On 05/30/2012 10:18 AM, Vincent Massol wrote:
> On May 30, 2012, at 4:13 PM, Marius Dumitru Florea wrote:
> > On Wed, May 30, 2012 at 4:35 PM, Vincent Massol <[email protected]> wrote:
> > > On May 30, 2012, at 2:26 PM, Vincent Massol wrote:
> > > > Hi devs,
> > > > We have the need of a Configuration Source component hint for implementation that only looks in non-modifiable sources (e.g. xwiki.properties).
> > > > More specifically there's a security issue in some cases in allowing to use the current "default" configuration source which looks in space preferences, wiki preferences and then only in xwiki.properties.
> > > > For example the Environment's permanent directory should not be modifiable from wiki pages (see http://jira.xwiki.org/browse/XCOMMONS-182).
> > > > So here's the proposal:
> > > > * Introduce a new RestrictedConfigurationSourceProvider implementation (in configuration-api) that does the same as the current ConfigurationSourceProvider but when looking up the CS, it looks for a CS with hint "restricted"
> > > > * Deprecate the current XWikiPropertiesConfigurationSource (hint = "default")
> > > > * Add a new XWikiPropertiesConfigurationSource with hint = "restricted"
> > > Made a mistake here. Instead:
> > > * Introduce a new RestrictedConfigurationSourceProvider implementation (in configuration-api) that does the same as the current ConfigurationSourceProvider but when looking up the CS, it looks for a CS with hint "restricted"
> > > * Add a new RestrictedConfigurationSource impl that uses only XWikiPropertiesConfigurationSource FTM
> > Will you put RestrictedConfigurationSource in xwiki-commons-configuration-api or in xwiki-platform? It needs to know about "xwikiproperties" hint, which is specific to xwiki-platform.
> It's in platform-configuration-default, next to DefaultconfigurationSource.

Then we have a commons component that doesn't work outside XWiki, unless those that want to use it also implement that "restricted" component?

> thanks
> -Vincent
> > Thanks,
> > Marius
> > > No need to deprecate anything.
> > > Thanks
> > > -Vincent
> > > > * Modify DefaultEnvironmentConfiguration to use:
> > > >   @Inject @Named("restricted") private Provider<ConfigurationSource> configurationSourceProvider;
> > > > WDYT?
> > > > Thanks
> > > > -Vincent

-- Sergiu Dumitriu
http://purl.org/net/sergiu/

On Wed, May 30, 2012 at 5:02 PM, Sergiu Dumitriu <[email protected]> wrote:
> On 05/30/2012 10:18 AM, Vincent Massol wrote:
> > On May 30, 2012, at 4:13 PM, Marius Dumitru Florea wrote:
> > > On Wed, May 30, 2012 at 4:35 PM, Vincent Massol <[email protected]> wrote:
> > > > On May 30, 2012, at 2:26 PM, Vincent Massol wrote:
> > > > > Hi devs,
> > > > > We have the need of a Configuration Source component hint for implementation that only looks in non-modifiable sources (e.g. xwiki.properties).
> > > > > More specifically there's a security issue in some cases in allowing to use the current "default" configuration source which looks in space preferences, wiki preferences and then only in xwiki.properties.
> > > > > For example the Environment's permanent directory should not be modifiable from wiki pages (see http://jira.xwiki.org/browse/XCOMMONS-182).
> > > > > So here's the proposal:
> > > > > * Introduce a new RestrictedConfigurationSourceProvider implementation (in configuration-api) that does the same as the current ConfigurationSourceProvider but when looking up the CS, it looks for a CS with hint "restricted"
> > > > > * Deprecate the current XWikiPropertiesConfigurationSource (hint = "default")
> > > > > * Add a new XWikiPropertiesConfigurationSource with hint = "restricted"
> > > > Made a mistake here. Instead:
> > > > * Introduce a new RestrictedConfigurationSourceProvider implementation (in configuration-api) that does the same as the current ConfigurationSourceProvider but when looking up the CS, it looks for a CS with hint "restricted"
> > > > * Add a new RestrictedConfigurationSource impl that uses only XWikiPropertiesConfigurationSource FTM
> > > Will you put RestrictedConfigurationSource in xwiki-commons-configuration-api or in xwiki-platform? It needs to know about "xwikiproperties" hint, which is specific to xwiki-platform.
> > It's in platform-configuration-default, next to DefaultconfigurationSource.
> Then we have a commons component that doesn't work outside XWiki, unless those that want to use it also implement that "restricted" component?

The ConfigurationSource is in platform, not the Provider, which provides an empty ConfigurationSource if none can be looked up.

> > thanks
> > -Vincent
> > > Thanks,
> > > Marius
> > > > No need to deprecate anything.
> > > > Thanks
> > > > -Vincent
> > > > > * Modify DefaultEnvironmentConfiguration to use:
> > > > >   @Inject @Named("restricted") private Provider<ConfigurationSource> configurationSourceProvider;
> > > > > WDYT?
> > > > > Thanks
> > > > > -Vincent
> -- Sergiu Dumitriu
> http://purl.org/net/sergiu/
-- Thomas Mortagne
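
The design the thread settles on, as an added example that is not part of the original messages and not XWiki's own code: a layered "default" source that a wiki page can override, a "restricted" source that reads only the properties file, and a provider that falls back to an empty source when no "restricted" implementation is registered. The types, the property key and the paths are hypothetical stand-ins constructed for illustration.

```java
import java.util.*;

// Hypothetical stand-ins written for this example; not XWiki's real interfaces.
interface ConfigurationSource { String getProperty(String key); }

// One flat source, standing in for xwiki.properties or a preferences page.
class MapSource implements ConfigurationSource {
    private final Map<String, String> values;
    MapSource(Map<String, String> values) { this.values = values; }
    public String getProperty(String key) { return values.get(key); }
}

// Layered lookup as the thread describes "default": first source defining the key wins.
class CompositeSource implements ConfigurationSource {
    private final List<ConfigurationSource> sources;
    CompositeSource(ConfigurationSource... sources) { this.sources = List.of(sources); }
    public String getProperty(String key) {
        for (ConfigurationSource s : sources) {
            String v = s.getProperty(key);
            if (v != null) return v;
        }
        return null;
    }
}

// Provider role: resolve by hint; hand back an empty source when none is registered.
class HintedProvider {
    private final Map<String, ConfigurationSource> registry;
    private final String hint;
    HintedProvider(Map<String, ConfigurationSource> registry, String hint) {
        this.registry = registry; this.hint = hint;
    }
    ConfigurationSource get() { return registry.getOrDefault(hint, key -> null); }
}

public class RestrictedSourceDemo {
    public static void main(String[] args) {
        String key = "environment.permanentDirectory"; // sample key (assumption)
        ConfigurationSource wikiPrefs = new MapSource(Map.of(key, "/tmp/set-from-wiki-page")); // constructed
        ConfigurationSource propsFile = new MapSource(Map.of(key, "/var/lib/xwiki/data"));     // constructed
        Map<String, ConfigurationSource> registry = new HashMap<>();
        registry.put("default", new CompositeSource(new MapSource(Map.of()), wikiPrefs, propsFile));
        registry.put("restricted", new CompositeSource(propsFile));
        System.out.println("default:    " + new HintedProvider(registry, "default").get().getProperty(key));
        System.out.println("restricted: " + new HintedProvider(registry, "restricted").get().getProperty(key));
        registry.remove("restricted"); // commons used without the platform component
        System.out.println("no impl:    " + new HintedProvider(registry, "restricted").get().getProperty(key));
    }
}
```

With the empty fallback the caller receives no value at all, so it has to apply its own built-in default; that default is still outside the reach of wiki pages.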

participants (4): Marius Dumitru Florea, Sergiu Dumitriu, Thomas Mortagne, Vincent Massol