Skip to content

Security hardening from a code audit: several small, self-contained PRs #328

Description

@Isaries

Hi, and thanks for maintaining WISE.

I am the new systems operator for NTNU TWISE, a WISE deployment in Taiwan. While getting familiar with the codebase I did a focused review of the authentication and access control code and found a handful of issues. I have opened a small, self-contained pull request for each so they are easy to review or decline individually. All are branched off the latest develop, follow the existing commit conventions, and build on JDK 17. I am happy to rebase, split, combine, or adjust any of them.

Ready for review (small, contained, no behavior change for normal users):

Proposals that change runtime behavior, opened as drafts because they need verification on a running instance:

For the two drafts I am happy to provide staging evidence or to narrow the scope. The WebSocket same-origin change is intentionally left out of #327.

No rush at all, and please feel free to close anything that does not fit the project's direction. Thank you for taking a look.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions