Re: [Asterisk-java-users] AGI Mapping Strategies in Asterisk-Java 0.3
From: Stefan R. <sr...@re...> - 2006-07-12 22:59:35
> This feels like it might possibly be a security risk in some instances.

Security is a good point to consider. Especially being secure by default.

> It basically allows someone with access to the dial-plan to call any
> class in the java code base.

Not exactly any class, only classes that implement the AgiScript interface.

The security issue is present if all of the following conditions are met:
- you place multiple scripts on your classpath
- some of the available scripts should not be exposed to Asterisk
- at least one of the available scripts that should not be exposed to Asterisk does not itself implement security checks (i.e. verifying the source IP address)

> I'm not certain that this is such a good idea (although I do like the
> convenience).

It's a tradeoff. The past showed that most people having trouble starting to play with Asterisk-Java and FastAGI didn't get the mapping done the right way. (esp. CLASSPATH issues)

> The approach I've used previously is to create a small mapping class,
> the advantage of this technique is that the java programmer has control
> over which methods can be called not the dial plan writer.

Yep, that's what I also do, but it doesn't work "out of the box", i.e. you have to use it :)

I usually use the Spring Framework and the SimpleMappingStrategy (which does probably just what your small mapping class does) provided with Asterisk-Java.

What I like with the new approach is that it gets people started more quickly: Just implement the AgiScript, place the script's class file and asteriskjava.jar on the CLASSPATH and run DefaultAgiServer from the command line.

> Do other people have an opinion on this?

Any feedback is highly appreciated!

=Stefan

-- 
reuter network consulting
Neusser Str. 110
50760 Koeln
Germany
Telefon: +49 221 1305699-0
Telefax: +49 221 1305699-90
E-Mail: sr...@re...
Jabber: sr...@ja...
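The trade-off discussed in this message, as an added example that is not part of the original post and is not Asterisk-Java code. `Script`, `Greeting`, `AdminReset` and both resolver methods are hypothetical stand-ins; the sketch contrasts treating the requested script name as a class name with an explicit name-to-script map controlled on the Java side.

```java
import java.util.Map;

public class MappingDemo {
    // Convenience mapping: the name sent by the dialplan is used as a class name.
    // Any Script implementation on the classpath becomes reachable.
    static Script byClassName(String name) {
        try {
            Class<?> c = Class.forName(name);
            if (!Script.class.isAssignableFrom(c)) {
                return null;                    // not a Script implementation
            }
            return (Script) c.getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            return null;                        // unknown class or not instantiable
        }
    }

    // Explicit mapping: only names listed here exist, whatever is on the classpath.
    static final Map<String, Script> ALLOWED = Map.of("greeting.agi", new Greeting());

    static Script byExplicitMap(String name) {
        return ALLOWED.get(name);               // unlisted names resolve to null
    }

    public static void main(String[] args) {
        // Constructed request names, standing in for what a dialplan could send.
        for (String n : new String[] {"Greeting", "AdminReset", "java.lang.String"}) {
            System.out.println("class-name " + n + " -> " + (byClassName(n) != null));
        }
        for (String n : new String[] {"greeting.agi", "AdminReset"}) {
            System.out.println("explicit   " + n + " -> " + (byExplicitMap(n) != null));
        }
    }
}

// Stand-in for a script interface (hypothetical, simplified signature).
interface Script { String run(); }

// Script that is meant to be reachable from the dialplan.
class Greeting implements Script {
    public String run() { return "greeting played"; }
}

// Script that sits on the classpath but should not be exposed to the dialplan.
class AdminReset implements Script {
    public String run() { return "mailboxes reset"; }
}
```

With class-name resolution `AdminReset` resolves because it is on the classpath and implements the interface, while `java.lang.String` does not; with the explicit map only `greeting.agi` resolves.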