Comments (14)
We should address these issues if we finally use CloudFoundry instead of GoogleAppEngine.
from thymeleaf-itutorial.
Does Cloud Foundry allow complete execution of any arbitrary expression on the Java Runtime classes?
from thymeleaf-itutorial.
Yes... I've just tried
<span th:text="${T(java.lang.System).exit(0)}">...</span>
and then the website returns a 404 response.
from thymeleaf-itutorial.
Wow. IMHO, that is a Cloud Foundry issue... maybe reporting it to them could be a good idea?
from thymeleaf-itutorial.
You can do that?! Hahaha :D
from thymeleaf-itutorial.
The concept of CloudFoundry is quite different from GAE. GAE gives you a restricted runtime environment, whilst CF gives you an Amazon AWS instance.
Then, in your Amazon AWS instance you install a pre-packaged Tomcat server and deploy your app in your Tomcat (you do that with just one command).
So I assume it is your responsibility to manage your Tomcat instance properly.
from thymeleaf-itutorial.
Understood. Hmm... and does CloudFoundry allow you to configure your own SecurityManager for that Tomcat instance?
In fact, I still think CF should add such SecurityManager by default. CF is PaaS, not IaaS, so it should offer you these things, IMHO. If you wanted an IaaS service, then you should just use AWS directly...
from thymeleaf-itutorial.
I suppose you can do anything.
I'm using the default "java buildpack"
but you can create your "custom buildpacks" (although I don't know if it is easy).
from thymeleaf-itutorial.
Well... given we still don't know whether the CF deployment would be right for us in terms of billing (compared to GAE), I would try to avoid spending too much effort on adapting the application to a deployment we cannot know for sure we'll still be using in two months' time.
So... @jmiguelsamper could you please create a ticket at CF's JIRA explaining our situation and giving them detail about why we need our users to execute any expression, but protect the system from things like the above?... at least that way we'll be able to have some "official explanation" about how this scenario should be handled...
To be honest, this whole thing makes it look like GAE is much more suitable for our tutorial, at least for now... :-(
from thymeleaf-itutorial.
Ok, I read a bit more of the documentation, tried Tomcat's security manager locally and finally posted a question in the CF's official forums:
from thymeleaf-itutorial.
Got a response from CF. If we want to enable Tomcat's security manager we have to build our own custom java-buildpack.
from thymeleaf-itutorial.
And that looks like a lot of work, right?
from thymeleaf-itutorial.
Yeah... the instructions are quite clear:
- Fork java-buildpack.
- Modify the Tomcat spec to add the -security parameter to Tomcat's start command.
- Provide a custom catalina.policy file with proper permissions (the default catalina.policy does not allow the Spring framework to start).
from thymeleaf-itutorial.
This was finally solved by implementing an org.springframework.expression.TypeLocator which controls the expressions that can be executed inside a SpEL expression.
from thymeleaf-itutorial.
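The fix the thread settles on, shown as an added example (this is not the tutorial's own code, and the thread does not say how the project wired its TypeLocator into Thymeleaf): a TypeLocator that resolves only an allow-list of classes, installed on a StandardEvaluationContext so that the T(java.lang.System).exit(0) payload from earlier in the thread is rejected instead of killing the JVM. The class name, the allow-list contents and the sample expressions are assumptions chosen for illustration; the Spring APIs (SpelExpressionParser, StandardEvaluationContext.setTypeLocator, EvaluationException) are real. Plain SpEL is used so the example runs without Thymeleaf.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.TypeLocator;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

/**
 * Illustrative TypeLocator (hypothetical class, not from the tutorial) that only
 * resolves types from a fixed allow-list. Any other T(...) reference, such as
 * java.lang.System or java.lang.Runtime, is refused with an EvaluationException.
 */
public class AllowListTypeLocator implements TypeLocator {

    // Assumed allow-list for the demo; a real application lists exactly the
    // types its templates legitimately need and nothing more.
    private static final Set<String> ALLOWED = Set.of(
            "java.lang.String",
            "java.lang.Math",
            "java.util.Collections");

    @Override
    public Class<?> findType(String typeName) throws EvaluationException {
        if (!ALLOWED.contains(typeName)) {
            throw new EvaluationException("Type reference not permitted: " + typeName);
        }
        try {
            return Class.forName(typeName);
        } catch (ClassNotFoundException e) {
            throw new EvaluationException("Type not found: " + typeName, e);
        }
    }

    /** Evaluates a user-supplied SpEL expression with the restricted locator installed. */
    public static Object evaluateRestricted(String expression, Map<String, Object> vars) {
        ExpressionParser parser = new SpelExpressionParser();
        StandardEvaluationContext ctx = new StandardEvaluationContext();
        ctx.setTypeLocator(new AllowListTypeLocator()); // replaces the default StandardTypeLocator
        ctx.setVariables(vars);
        Expression exp = parser.parseExpression(expression);
        return exp.getValue(ctx);
    }

    public static void main(String[] args) {
        Map<String, Object> vars = new HashMap<>();
        vars.put("name", "world"); // constructed sample variable

        // Allowed type: evaluates normally.
        System.out.println(evaluateRestricted(
                "T(java.lang.String).valueOf(#name).toUpperCase()", vars));

        // The payload from the thread: blocked at type resolution, JVM keeps running.
        try {
            evaluateRestricted("T(java.lang.System).exit(0)", vars);
        } catch (EvaluationException e) {
            System.out.println("Blocked: " + e.getMessage());
        }
    }
}
```

Requires Java 9+ (Set.of) and spring-expression on the classpath. Note the limit of this control: a TypeLocator only governs T(...) type references. Expressions can still reach classes through objects already in the context, for example ''.class.forName('java.lang.Runtime'), so for untrusted expressions the method and property resolvers need restricting as well (Spring later added SimpleEvaluationContext for exactly this purpose), and Tomcat's security manager discussed above remains a defence-in-depth layer rather than an alternative.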