On 11/29/06, Bernhard Slominski <[EMAIL PROTECTED]> wrote:

Hi,

I think the current implementation of the ClassResourceProcessor is a
security issue.
The ClassResourceProcessor exposes all files in the classpath and it's
enabled by default.
If you have e.g. your database passwords in properties files you just have
to know the name and path to the file and you can read the content of the
file.
So I think it should at least be disabled by default.


It doesn't allow access to Java class files, but your point is well taken
... we need mechanisms to control which resources are allowed.  (You can use
web.xml security constraints to partially do this, but the set of supported
URL patterns is somewhat limited.)

Bernhard



Craig
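As an added illustration of the web.xml approach Craig mentions (this is not code from the original thread or from the Shale project), here is a security constraint that denies every caller, authenticated or not, access to any URL ending in .properties. The empty auth-constraint is what makes it a deny-all rule. The `/static/*` path, the exact file name and the role name are assumptions about how the resource processor is mounted in a particular application, not something the thread states.

```xml
<!-- Added example: deny-list a sensitive resource served from the classpath.
     Assumptions: the resource processor is mapped under /static/*, the file
     in question is com/example/db.properties, and the application already
     uses container-managed security. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Rule 1: nobody may fetch any *.properties file through the servlet,
       regardless of the path in front of it. An empty <auth-constraint/>
       means "no role is allowed", i.e. the container answers 403. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>classpath-properties</web-resource-name>
      <url-pattern>*.properties</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- Rule 2: an exact-path rule for one specific file, useful when the
       file has an extension you cannot block wholesale (e.g. .xml). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>db-config</web-resource-name>
      <url-pattern>/static/com/example/persistence.xml</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- Rule 3: everything else under /static/ is limited to an assumed
       "admin" role, so anonymous browsing of the classpath stops, while
       the two rules above still win for the files they name. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>classpath-resources</web-resource-name>
      <url-pattern>/static/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <role-name>admin</role-name>
  </security-role>

</web-app>
```

The reason this is only a partial fix, as the reply says, is the servlet URL-pattern grammar: a pattern is an exact path, a `/prefix/*`, or a `*.extension`, and nothing else. There is no way to say "everything under /static/ except .gif, .css and .js", so the safe shape is an allow-list that web.xml cannot express. Each sensitive extension or exact path needs its own entry, and any resource with an extension you forgot (.txt, .key, .xml, a file with no extension) stays reachable unless it also falls under a prefix rule such as rule 3. Note also that web.xml constraints apply to the request URI the container sees, so test them against the real mapping of the resource processor rather than assuming `/static/*`.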
