[ https://issues.apache.org/jira/browse/MUSE-257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12524115 ]
Dan Jemiolo commented on MUSE-257:
----------------------------------
I don't think I agree that this is a security issue. The EPRs are the way that
clients locate and communicate with a resource. If only certain clients are
allowed to communicate with a resource, then authentication/authorization
should be put in place using something like WS-Security, but your security
shouldn't hinge on hiding the existence of a public endpoint. Otherwise, with
one EPR I could discover others with brute force.
> client should not get listing of existing EPRS when invalid EPR is specified
> ----------------------------------------------------------------------------
>
> Key: MUSE-257
> URL: https://issues.apache.org/jira/browse/MUSE-257
> Project: Muse
> Issue Type: Bug
> Environment: Muse 2.2.0
> Reporter: Vinh Nguyen
> Assignee: Dan Jemiolo
>
> When a client specifies an invalid EPR, Muse throws a SoapFault and lists the
> current EPRs on the server. This is a possible security issue. Instead,
> Muse should just say "invalid EPR", and then just internally log the error
> with the list of existing EPRs to make it easier to debug on the server side.
> The problem is in SimpleResourceRouter.getTargetResource(). This is where it
> throws the fault.
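
The two behaviours discussed in this issue, side by side, as an added example that is not Muse code and not part of the original message: a fault that enumerates the registered EPRs, and the reporter's suggested form that returns a generic fault and keeps the list in the server log. `RouterSketch`, `InvalidEprFault` and the sample EPR strings are hypothetical names constructed for illustration; as the comment above notes, neither form replaces authentication and authorization on the endpoint.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Logger;

// Hypothetical router sketch; class and method names are illustrative, not Muse's API.
public class RouterSketch {
    private static final Logger LOG = Logger.getLogger(RouterSketch.class.getName());
    private final Map<String, Object> resources = new ConcurrentHashMap<>();

    public static class InvalidEprFault extends Exception {
        public InvalidEprFault(String message) { super(message); }
    }

    public void register(String epr, Object resource) { resources.put(epr, resource); }

    // Behaviour the report describes: the fault text lists every registered EPR.
    public Object getTargetVerbose(String epr) throws InvalidEprFault {
        Object resource = resources.get(epr);
        if (resource == null) {
            throw new InvalidEprFault("Invalid EPR " + epr + "; existing EPRs: " + resources.keySet());
        }
        return resource;
    }

    // Behaviour the report suggests: generic fault to the client, detail only in the server log.
    public Object getTargetQuiet(String epr) throws InvalidEprFault {
        Object resource = resources.get(epr);
        if (resource == null) {
            LOG.warning("Invalid EPR requested: " + sanitize(epr) + "; existing EPRs: " + resources.keySet());
            throw new InvalidEprFault("invalid EPR");
        }
        return resource;
    }

    // The requested EPR is client-controlled, so strip CR/LF before it reaches the log.
    private static String sanitize(String s) {
        return s == null ? "null" : s.replaceAll("[\\r\\n]", "_");
    }

    public static void main(String[] args) {
        RouterSketch router = new RouterSketch();
        router.register("urn:example:resource-1", new Object()); // constructed sample EPRs
        router.register("urn:example:resource-2", new Object());
        try {
            router.getTargetVerbose("urn:example:missing");
        } catch (InvalidEprFault f) {
            System.out.println("verbose fault: " + f.getMessage());
        }
        try {
            router.getTargetQuiet("urn:example:missing");
        } catch (InvalidEprFault f) {
            System.out.println("quiet fault:   " + f.getMessage());
        }
    }
}
```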