6 Nov
2014
6 Nov
'14
9:57 a.m.
I've written several scripts in Groovy that I want to make available to other users,
but some of them contain information that I don't wish people to see (queries giving
away schema details, connection passwords for JDBC/LDAP, etc). As I understand it if a
person is able to view a page in which code is executed they are also able to see the
source for that page. That being the case is there a recommended approach to hiding some
details from prying eyes?
6 Nov
6 Nov
12:36 p.m.
If you want to stay with Groovy the cleanest is probably to register
your groovy code logic and data as a script service component and then
call that script service (probably using Velocity) in the page where
the user have view right. The script service is registered once and
the user does not need to have view right of the page that contains it
for it to be executed (once registered it's just a Java Object from
XWiki point of view) so you can restrict access to that page.
See http://extensions.xwiki.org/xwiki/bin/view/Extension/Create+a+component+usi….
I would recommand to write this script service in Java since it's
easier to regsiter it (it's automatically registered) and also a lot
eaier to test and maintain but your choice.
On Thu, Nov 6, 2014 at 9:57 AM, Bryn Jeffries
<bryn.jeffries(a)sydney.edu.au> wrote:
I've written several scripts in Groovy that I want
to make available to other users, but some of them contain information that I don't
wish people to see (queries giving away schema details, connection passwords for
JDBC/LDAP, etc). As I understand it if a person is able to view a page in which code is
executed they are also able to see the source for that page. That being the case is there
a recommended approach to hiding some details from prying eyes?
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
--
Thomas Mortagne
12:38 p.m.
It's also a lot better for performance since it means you groovy code
is built only once when it's registered.
On Thu, Nov 6, 2014 at 12:36 PM, Thomas Mortagne
<thomas.mortagne(a)xwiki.com> wrote:
If you want to stay with Groovy the cleanest is
probably to register
your groovy code logic and data as a script service component and then
call that script service (probably using Velocity) in the page where
the user have view right. The script service is registered once and
the user does not need to have view right of the page that contains it
for it to be executed (once registered it's just a Java Object from
XWiki point of view) so you can restrict access to that page.
See
http://extensions.xwiki.org/xwiki/bin/view/Extension/Create+a+component+usi….
I would recommand to write this script service in Java since it's
easier to regsiter it (it's automatically registered) and also a lot
eaier to test and maintain but your choice.
On Thu, Nov 6, 2014 at 9:57 AM, Bryn Jeffries
<bryn.jeffries(a)sydney.edu.au> wrote:
--
Thomas Mortagne
I've written several scripts in Groovy that I
want to make available to other users, but some of them contain information that I
don't wish people to see (queries giving away schema details, connection passwords for
JDBC/LDAP, etc). As I understand it if a person is able to view a page in which code is
executed they are also able to see the source for that page. That being the case is there
a recommended approach to hiding some details from prying eyes?
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
--
Thomas Mortagne
10:01 p.m.
Great advice, thanks. I'll give it a try. At present there's a lot that's
easiest to do and maintain in Groovy, so probably I can factor out the sensitive core code
and call that with another Groovy script.
As for Java, yes, that's probably the way to go in the long run but I've had real
problems getting Java components added to XWiki, to the point where nothing runs just
because there's something wrong with the added jar file. That's too volatile for
my system so I'm steering clear for now...
Thomas Mortagne wrote:
It's also a lot better for performance since it
means you groovy code
is built only once when it's registered.
> If you want to stay with Groovy the cleanest is probably to register
> your groovy code logic and data as a script service component and then
> call that script service (probably using Velocity) in the page where
> the user have view right. The script service is registered once and
> the user does not need to have view right of the page that contains it
> for it to be executed (once registered it's just a Java Object from
> XWiki point of view) so you can restrict access to that page.
>
> See
http://extensions.xwiki.org/xwiki/bin/view/Extension/Create+a+component+usi….
>
> I would recommand to write this script service in Java since it's
> easier to regsiter it (it's automatically registered) and also a lot
> eaier to test and maintain but your choice.
7 Nov
7 Nov
1 a.m.
Hi,
Well, your groovy code requires PR to execute anyway, so how about this
idea?
You have your page A that has all the groovy code that is saved with your
user name (so the page gets PR) and that is viewable by any user so they
can run it.
Then you have this other page B that has an object of class C in it that
stores (using object properties) sensitive stuff like JDBC password and
other stuff you don`t want the users to see. The page B has denied view
access to everyone (just to be on the safe side).
Your page A gets the sensitive data from page B (using privileged API,
since you have PR) and uses it in its non-sensitive code.
Should be good for the use case you described, using the wiki model.
Hope this helps,
Eduard
On Thu, Nov 6, 2014 at 11:01 PM, Bryn Jeffries <bryn.jeffries(a)sydney.edu.au>
wrote:
Great advice, thanks. I'll give it a try. At
present there's a lot that's
easiest to do and maintain in Groovy, so probably I can factor out the
sensitive core code and call that with another Groovy script.
As for Java, yes, that's probably the way to go in the long run but I've
had real problems getting Java components added to XWiki, to the point
where nothing runs just because there's something wrong with the added jar
file. That's too volatile for my system so I'm steering clear for now...
Thomas Mortagne wrote:
It's also a lot better for performance since
it means you groovy code
is built only once when it's registered.
> If you want to stay with Groovy the cleanest is probably to register
> your groovy code logic and data as a script service component and then
> call that script service (probably using Velocity) in the page where
> the user have view right. The script service is registered once and
> the user does not need to have view right of the page that contains it
> for it to be executed (once registered it's just a Java Object from
> XWiki point of view) so you can restrict access to that page.
>
> See
http://extensions.xwiki.org/xwiki/bin/view/Extension/Create+a+component+usi…
.
>
> I would recommand to write this script service in Java since it's
> easier to regsiter it (it's automatically registered) and also a lot
> eaier to test and maintain but your choice.
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
3654
days inactive
3655
days old
4 comments
3 participants
participants (3)
-
Bryn Jeffries -
Eduard Moraru -
Thomas Mortagne