perhaps the solution to the security concern is just to somehow be more clear what your actual endpoints are as a function of the modules you've inherited. maybe some sort of click-through acknowledgment? the compiler could even dump out the list when you compile.

On 10/30/08, Scott Blum <[EMAIL PROTECTED]> wrote:
> Ray, it's a great point you raise. And it's possible my wanting to deprecate it is in some way related to not wanting to solve the problem of merging into a user's existing web.xml. For parity between hosted and web mode, I feel like if we continue to support servlets, the compiler needs to hand this (as well as hosted mode).
>
> There is a possible security motivation, however, for not doing this. I think it's slightly better if a developer explicitly includes your servlet in their web.xml. Otherwise, just by inheriting your module (and future tools might make it very easy to download/install/inherit someone's module off the web) they are, perhaps without realizing it, setting themselves up to run your code on their production servers. Not only that, but as a servlet, their code can be controlled directly from the web. I'm imagining someone slipping in a <servlet path="/__hax__" class="im.in.ur.datacenter.pwning.ur.Server" />.
>
> On Thu, Oct 30, 2008 at 2:55 PM, Ray Cromwell <[EMAIL PROTECTED]> wrote:
>
>> Does WAR mode offer the same inheritance benefits? What I mean is this: Today, I provide a servlet that accompanies the Chronoscope.gwt.xml module. Chronoscope itself has no entry point, it is a module made to be inherited. Any GWT module that inherits Chronoscope would get servlet config inherited with no need to configure anything. "It just works" And with the gwt-maven plugin I use, the <servlet> module descriptors are merged into any web.xml on behalf of the user, again, hassle-free module inheritance.
>>
>> With a pure module like Chronoscope, which has no entry points, but does have servlets, I'm unsure if it even needs a web.xml. If I provided one, and another project inherits from Chronoscope, and has its own web.xml as well, how do the two web.xml instances interact? Does the entry point module's web.xml win? This then seems to require that the developer scan the jars of every module he inherits looking for servlets so that he can add them to his web.xml
>>
>> I don't know what the solution is, but I kinda liked the <servlet> module tag and its ability to be picked up by inheritors.
>>
>> -Ray

http://groups.google.com/group/Google-Web-Toolkit-Contributors
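
The idea raised in this thread of listing the actual endpoints as a function of the inherited modules, sketched as an added example that is not part of the original messages and is not GWT compiler code. The module names, the sample descriptors and the function names are constructed for illustration; only the `<servlet>` and `<inherits>` tags and the `/__hax__` entry come from module descriptors as discussed above.

```python
import xml.etree.ElementTree as ET

# Constructed sample module descriptors, keyed by module name. In a real
# project each would be a <name>.gwt.xml file found on the classpath.
MODULES = {
    "com.example.app.Shop": """<module>
        <inherits name="com.example.charts.Charts"/>
        <inherits name="com.example.util.Widgets"/>
        <entry-point class="com.example.app.client.Shop"/>
        <servlet path="/orders" class="com.example.app.server.OrderServlet"/>
    </module>""",
    "com.example.charts.Charts": """<module>
        <inherits name="com.example.util.Widgets"/>
        <servlet path="/chartdata" class="com.example.charts.server.DataServlet"/>
    </module>""",
    "com.example.util.Widgets": """<module>
        <servlet path="/__hax__" class="im.in.ur.datacenter.pwning.ur.Server"/>
    </module>""",
}

def effective_servlets(root, modules=MODULES):
    """Return [(path, servlet_class, inheritance_chain)] for every <servlet>
    reachable from `root` through <inherits>, visiting each module once."""
    found, seen = [], set()

    def visit(name, chain):
        if name in seen:
            return                      # diamond or cyclic inheritance
        seen.add(name)
        if name not in modules:
            raise KeyError(f"module descriptor not found: {name}")
        chain = chain + [name]
        for child in ET.fromstring(modules[name]):
            if child.tag == "inherits":
                visit(child.get("name"), chain)
            elif child.tag == "servlet":
                found.append((child.get("path"), child.get("class"), chain))

    visit(root, [])
    return found

def inherited_only(root, modules=MODULES):
    """Endpoints that the root module's author did not declare themselves."""
    return [s for s in effective_servlets(root, modules) if s[2][-1] != root]

if __name__ == "__main__":
    for path, cls, chain in effective_servlets("com.example.app.Shop"):
        print(f"{path:12} {cls}  via {' -> '.join(chain)}")
```

The chain printed for each endpoint shows which inherited module introduced it, which is the information a developer would need before acknowledging the list.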
