Reputation: 21
Problem statement:
An application built using Vaadin 8 and deployed on JBoss EAP 7.0 has a directory listing issue for all resources within /VAADIN/*, e.g. /VAADIN/themes/mytheme/images.
Validation:
Upon validating other directories, say myapp/images or my/js, this issue does not occur, which means the default directory listing is off in the JBoss configuration and is working perfectly. The issue occurs only with Firefox.
Approach:
I could partially fix it by configuring the authentication filter for the /VAADIN/* URL, but even after authentication the directory listing still happens. Until that fix, the listing was happening without authentication.
Please suggest a fix for the vulnerability.
Upvotes: 1
Views: 171
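One way to stop a request for a directory under /VAADIN/* from ever reaching the servlet, as an added example that is not part of the original question and not Vaadin's own fix: a servlet filter on the same /VAADIN/* pattern that answers 404 when the requested path is not a plain file. The class name VaadinDirectoryListingFilter and the choice to fail closed on unparseable resource URLs are assumptions for illustration; the filter uses only the standard javax.servlet API available on JBoss EAP 7.0 (Servlet 3.1).

```java
import java.io.File;
import java.io.IOException;
import java.net.URISyntaxException;
import java.net.URL;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (example code, not Vaadin's backported fix) that refuses
 * to let a request for /VAADIN/* fall through to VaadinServlet when the target
 * is a directory rather than a file.
 */
@WebFilter(urlPatterns = "/VAADIN/*")
public class VaadinDirectoryListingFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Context-relative path, e.g. /VAADIN/themes/mytheme/images
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }

        if (isDirectoryRequest(request, path)) {
            // Answer exactly as for a missing file so nothing about the
            // directory structure leaks to the client.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * True when the request cannot be a plain file fetch: a trailing slash,
     * a ".." segment, or a path that resolves to a directory on disk.
     */
    static boolean isDirectoryRequest(HttpServletRequest request, String path)
            throws IOException {
        if (path.endsWith("/") || path.contains("/../") || path.endsWith("/..")) {
            return true;
        }
        // First the web application itself (exploded WAR), then the classpath,
        // which is where VaadinServlet also looks for /VAADIN/ resources.
        URL resource = request.getServletContext().getResource(path);
        if (resource == null) {
            resource = Thread.currentThread().getContextClassLoader()
                    .getResource(path.substring(1));
        }
        return resolvesToDirectory(resource);
    }

    /** Only file: URLs can be opened as a directory listing by the JDK. */
    static boolean resolvesToDirectory(URL resource) {
        if (resource == null || !"file".equals(resource.getProtocol())) {
            return false;
        }
        try {
            return new File(resource.toURI()).isDirectory();
        } catch (URISyntaxException e) {
            return true; // assumption: unparseable URL, fail closed
        }
    }

    @Override
    public void destroy() {
    }
}
```

The reason the check looks at the resolved URL rather than just the trailing slash is that a java.net.URL with the file: protocol returns a plain-text listing of the directory's entries when opened as a stream, so a path without a trailing slash produces a listing just the same. Resources packaged inside a jar are served through jar: URLs and are left to the servlet. This is a mitigation in front of the servlet, not a replacement for upgrading to a Vaadin release that contains the fix.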
Reputation: 1370
Thank you for the report. We had already noticed some related issues for Vaadin Flow, but the tickets or related changes haven't been backported to Vaadin 8 yet. I'll look into it.
The directory listing shouldn't be shown, although the lack of it mainly provides security by obscurity. The files that are served to the client will be accessible through the client regardless. It's best not to include any sensitive data among them.
Edit: Backported fixes should now be available in 8.14-SNAPSHOT and 8.13.2.
Upvotes: 1