tapestry-dev mailing list archives

From "Brian K. Wallace" <br...@transmorphix.com>
Subject Re: Security and Friendly URLs
Date Thu, 19 Jan 2006 05:51:29 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If the servlet mapping weren't used elsewhere, this might be possible;
however, the main reason I brought it up was to make sure it's clearly
identified as an issue - either in handling of URLs, or in documentation
that doesn't imply 'disabling of unfriendly access'.

Brian

Paul Ferraro wrote:
> Why not disable 'normal' URLs by simply removing the problematic servlet
> mapping (e.g. /app) from your web.xml?
> 
> Paul
> 
> Brian K. Wallace wrote:
>> I was going to write an issue up in Jira about this, but wanted to run
>> it by and see what others make of it.
>>
>> Security of a web app with Tapestry's 'normal' (aka: unfriendly) URLs is
>> a pain. Plain and simple. Using friendly URLs makes adding security easy
>> as it allows path based security. The problem is, enabling friendly URLs
>> doesn't disable the unfriendly URLs. While the method of configuring
>> friendly URLs doesn't explicitly state it does, it implies that adding
>> the friendly URL configuration actually changes the way URLs are dealt
>> with when it most definitely does not. Add to this that the Shell
>> component will add Tapestry comments, and cookies add the servlet's
>> path, and exploitation of a site generated by Tapestry becomes somewhat
>> trivial.
>>
>> Given the above, the statement that this is an issue seems to be a fact.
>> The question is: Is this an issue that warrants an issue in Jira to fix?
>> Or more documentation stating the issue? I'd personally hope for the
>> former.
>>
>> Thoughts?
>>
>> Brian
>>
>>
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)

iD8DBQFDzyjhaCoPKRow/gARAtDBAJ4pyJZlWzKfTlMVppWuF2+mGDAdIACgtAk0
OQZtQHuFgM0HZbupdFTvenM=
=hrEw
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: tapestry-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tapestry-dev-help@jakarta.apache.org

