[cas-dev] easier configuration in CAS 3.1.2-SNAPSHOT

Scott Battaglia scott.battaglia at gmail.com
Wed Jan 30 14:44:52 EST 2008 

How would one get maliciously placed there?  When?  In the CVS tree?
Someone could maliciously add it to the list of files in the web.xml also if
they have access to the source tree.  They could also just modify the
original context files without even adding any new ones.

All this does is eliminate the need to register the file explicitly within
the web.xml.   The web.xml has a specific configuration convention
--anything that you've put in the specific protected directory (its not
visible as its under WEB-INF).  It doesn't protect against malicious
attempts any more or less than the original method, it just eliminates one
more file that needs to be modified.

In fact, it could make it more secure.  You're including the CAS war from a
well known source (the JASIG repository) and your Maven2 WAR overlay clearly
shows which are new files and which are modified files without having to see
any of the files you're not touching (so its easier to identify them).

Minimizing the number of files that you've modified also makes upgrading
easier, meaning you're less likely to miss a new configuration item (or have
to manually merge changes).

-Scott



On Jan 30, 2008 2:36 PM, William G. Thompson, Jr. <wgthom at rutgers.edu>
wrote:

> Are you concerned at all that either maliciously or by mistake a file
> gets loaded that should not?
>
> Bill
>
> On Jan 30, 2008 2:29 PM, Scott Battaglia <scott.battaglia at gmail.com>
> wrote:
> > The XML configuration files have to be placed in a specific directory
> that
> > is under the WEB-INF directory.  The web.xml is configured to only load
> XML
> > files in that specific directory.  It eliminates the need for every
> deployer
> > to modify the web.xml.  It also allows us to break out the configuration
> > files into smaller subsets and allow you to override specific ones
> without
> > having to make a copy of the larger file (i.e. applicationContext.xml).
> >
> > -Scott
> >
> >
> >
> > On Jan 30, 2008 2:22 PM, William G. Thompson, Jr. <wgthom at rutgers.edu>
> > wrote:
> > > Not sure how I feel about loading *.xml files...seems like it could
> > > lead to some unintended consequences.  Isn't it better, safer maybe,
> > > to have these explicitly identified?  I'm curious how others feel
> > > about this change.
> > >
> > > Bill
> > >
> > >
> > >
> > >
> > >
> > > On Jan 30, 2008 11:56 AM, Scott Battaglia <scott.battaglia at gmail.com>
> > wrote:
> > > > For the first time in a long time, I've actually had to do a
> deployment
> > of
> > > > CAS from scratch (shocking, yes, I know).  So its the first time
> I've
> > had
> > > > the pleasure of using the WAR overlay method of keeping track of
> your
> > > > customizations.  [side note, if you're not using it I recommend it].
> > > >
> > > > However, when using it I noticed a few things that could be done
> more
> > > > easily, so I've made a few modifications to the way we handle
> > configuration
> > > > files:
> > > >
> > > > Except for the files that we reference constantly or need to be in a
> > > > particular spot (I'm looking at you, deployerConfigContext.xml and
> > > > cas-servlet.xml), all other Spring XML configuration files are
> either
> > > > located in WEB-INF/spring-configuration/ or
> > WEB-INF/unused-configuration/
> > > >
> > > > The web.xml is set up to load deployerConfigContext.xml and
> > > > WEB-INF/spring-configuration/*.xml.  You need to add a configuration
> > file or
> > > > enable one?  Just put it in that directory (preferably using the WAR
> > overlay
> > > > method).  Some of the things that are more frequently modified have
> been
> > > > broken out into their own configuration files.
> > > >
> > > > This is going in for the CAS 3.1.2 release.  If you have any
> suggestions
> > on
> > > > breaking up the configuration files some more, etc. please let me
> know
> > > > within the next day or two.
> > > >
> > > > Thanks
> > > > -Scott
> > > >
> > > >  --
> > > > -Scott Battaglia
> > > > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> > > > _______________________________________________
> > > > cas-dev mailing list
> > > > cas-dev at tp.its.yale.edu
> > > > http://tp.its.yale.edu/mailman/listinfo/cas-dev
> > > >
> > > >
> > > _______________________________________________
> > > cas-dev mailing list
> > > cas-dev at tp.its.yale.edu
> > > http://tp.its.yale.edu/mailman/listinfo/cas-dev
> > >
> >
> >
> >
> > --
> >
> >
> > -Scott Battaglia
> >
> > LinkedIn: http://www.linkedin.com/in/scottbattaglia
> > _______________________________________________
> > cas-dev mailing list
> > cas-dev at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas-dev
> >
> >
>
>
>
> --
> William G. Thompson, Jr.
> Associate Director - Architecture & Engineering
> Enterprise Systems and Services, Rutgers University
> voice: 732 445-5428 | fax: 732 445-5493 | wgthom at rutgers.edu
> _______________________________________________
> cas-dev mailing list
> cas-dev at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas-dev
>



-- 
-Scott Battaglia

LinkedIn: http://www.linkedin.com/in/scottbattaglia
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://tp.its.yale.edu/pipermail/cas-dev/attachments/20080130/ed9dd8cc/attachment.html

More information about the cas-dev mailing list