tapestry-dev mailing list archives

From "Brian K. Wallace" <br...@transmorphix.com>
Subject Security and Friendly URLs
Date Thu, 19 Jan 2006 04:32:42 GMT

I was going to write an issue up in Jira about this, but wanted to run
it by and see what others make of it.

Security of a web app with Tapestry's 'normal' (aka: unfriendly) URLs is
a pain. Plain and simple. Using friendly URLs makes adding security easy
as it allows path-based security. The problem is, enabling friendly URLs
doesn't disable the unfriendly URLs. While the method of configuring
friendly URLs doesn't explicitly state it does, it implies that adding
the friendly URL configuration actually changes the way URLs are dealt
with when it most definitely does not. Add to this that the Shell
component will add Tapestry comments, and cookies add the servlet's
path, and exploitation of a site generated by Tapestry becomes somewhat
trivial.

Given the above, the statement that this is an issue seems to be a fact.
The question is: Is this an issue that warrants an issue in Jira to fix?
Or more documentation stating the issue? I'd personally hope for the former.

Thoughts?

Brian
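The following check is an added example, not part of the original message and not Tapestry code. It matches request paths against path-based constraint patterns the way a servlet container does (the query string is ignored) and lists logged requests that select a service on the servlet's own path without matching any constraint. The `/app` servlet path, the `/admin/*` constraint, the `service`/`page` query form and the log lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumptions (not from the post): servlet mapped at /app, protected friendly
# pages under /admin/, constraint patterns written like web.xml <url-pattern>.
SERVLET_PATH = "/app"
CONSTRAINTS = ["/admin/*"]

# Constructed access-log lines (Common Log Format); the query-string form in
# the last line is an assumed illustration of an "unfriendly" URL.
LOG = '''\
10.0.0.5 - alice [19/Jan/2006:04:10:01 +0000] "GET /admin/Users.html HTTP/1.1" 200 5120
10.0.0.9 - - [19/Jan/2006:04:11:17 +0000] "GET /Home.html HTTP/1.1" 200 2048
10.0.0.9 - - [19/Jan/2006:04:11:40 +0000] "GET /app?service=page&page=admin/Users HTTP/1.1" 200 5120
'''

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def pattern_matches(pattern, path):
    """Servlet-style url-pattern match: '*.ext', '/prefix/*', or exact path."""
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern

def is_constrained(target, constraints=CONSTRAINTS):
    # Only the path is compared; the query string never reaches the matcher.
    path = urlsplit(target).path
    return any(pattern_matches(p, path) for p in constraints)

def unconstrained_dispatches(log, constraints=CONSTRAINTS):
    """Requests that pick a service via query string on the servlet path
    while matching no path constraint."""
    hits = []
    for target in REQUEST.findall(log):
        parts = urlsplit(target)
        if (parts.path == SERVLET_PATH and "service" in parse_qs(parts.query)
                and not is_constrained(target, constraints)):
            hits.append(target)
    return hits

if __name__ == "__main__":
    for t in unconstrained_dispatches(LOG):
        print("not covered by any path constraint:", t)
```

Adding the servlet path itself to the constraint list (for example `["/admin/*", "/app"]`) makes the report come back empty, which is the coverage the friendly-URL configuration alone does not provide.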