[ https://jira.jboss.org/jira/browse/RF-4043?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stephen Kinser updated RF-4043:
-------------------------------

    Description: 
Here's an HTTP session as reported by livehttpheaders:

GET /console2/
GET /console2/j_security_check;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724?j_password=AAAACGtpbnNlcnNoAAAACTEyNy4wLjAuMQAAABTJXEus6ptOSJJLMmzTVnlXbf46nw%3D%3D&j_username=kinsersh
GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/style.css;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.PrototypeScript.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTscripts/scriptaculous/effects.js.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/script/processEffect.js.xhtml
GET /console2/images/mozilla_blu.gif;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/images/fatal.png;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/images/logolarge.gif;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724

See that jsessionid is not included for links to /a4j_3_2_1-SNAPSHOT* content, 
except for .xcss content. The end result is that session tracking using URLs is 
disabled for these resources. This is a concern when a blanket security 
constraint for *.xhtml is in place and cookie session tracking is disabled. In 
this case these requests are never fulfilled because the container is not able 
to associate these requests with an already authenticated session. The 
workaround is for me to explicitly secure my JSF pages and leave 
/a4j_3_2_1-SNAPSHOT* content public. This is a fairly good workaround, but I 
still expect RichFaces to encodeURL all of its links.

Here's content in the <head> section of my project's index.xhtml page (from 
Firefox's View Source):

  <link rel='stylesheet' class='component' type='text/css' href='a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' />
  <link rel='stylesheet' class='component' type='text/css' href='a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' />
  <link rel='stylesheet' class='user' type='text/css' href='style.css;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' />
  <script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript.xhtml'></script>
  <script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js.xhtml'></script>
  <script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.PrototypeScript.xhtml'></script>
  <script type='text/javascript' src='a4j_3_2_1-SNAPSHOTscripts/scriptaculous/effects.js.xhtml'></script>

  was:
Here's an HTTP session as reported by livehttpheaders:

GET /console2/
GET /console2/j_security_check;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724?j_password=AAAACGtpbnNlcnNoAAAACTEyNy4wLjAuMQAAABTJXEus6ptOSJJLMmzTVnlXbf46nw%3D%3D&j_username=kinsersh
GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/style.css;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.PrototypeScript.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTscripts/scriptaculous/effects.js.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/script/processEffect.js.xhtml
GET /console2/images/mozilla_blu.gif;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/images/fatal.png;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/images/logolarge.gif;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724

See that jsessionid is not included for links to /a4j_3_2_1-SNAPSHOT* content, 
except for .xcss content. The end result is that session tracking doesn't work 
for these resources, which isn't much of a concern unless a blanket security 
constraint for *.xhtml is in place and cookie tracking is disabled. The 
workaround is for me to explicitly secure JSF pages and leave 
/a4j_3_2_1-SNAPSHOT* content public.

Here's content in the <head> section of my project's index.xhtml page:

  <link rel='stylesheet' class='component' type='text/css' href='a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' />
  <link rel='stylesheet' class='component' type='text/css' href='a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' />
  <link rel='stylesheet' class='user' type='text/css' href='style.css;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' />
  <script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript.xhtml'></script>
  <script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js.xhtml'></script>
  <script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.PrototypeScript.xhtml'></script>
  <script type='text/javascript' src='a4j_3_2_1-SNAPSHOTscripts/scriptaculous/effects.js.xhtml'></script>



> Richfaces doesn't encodeURL links to most a4j_3_2_1-SNAPSHOT resources
> ----------------------------------------------------------------------
>
>                 Key: RF-4043
>                 URL: https://jira.jboss.org/jira/browse/RF-4043
>             Project: RichFaces
>          Issue Type: Bug
>    Affects Versions: 3.2.1
>         Environment: SUSE Linux 10.2
> Firefox 3.0.1
>            Reporter: Stephen Kinser
>
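An added example (not the reporter's or the RichFaces project's code) that models the behaviour described in the report: it splits each captured request into servlet path and jsessionid path parameter, applies a *.xhtml security constraint the way the container does, and lists the resource requests that cannot be associated with the authenticated session once cookie session tracking is disabled. The request list is constructed from the quoted log with the j_password value replaced by a placeholder, and encode_url is a simplified stand-in for HttpServletResponse.encodeURL, not the servlet API itself.

```python
import re

# Requests as captured in the report (constructed from the quoted log; the
# j_password value is deliberately replaced by a placeholder).
SID = "D33E4B323AA5C5B7FAED5688E23FF724"
RES = "/console2/a4j_3_2_1-SNAPSHOT"
CAPTURED_REQUESTS = [
    "/console2/",
    f"/console2/j_security_check;jsessionid={SID}?j_password=REDACTED&j_username=kinsersh",
    f"{RES}org/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid={SID}",
    f"/console2/style.css;jsessionid={SID}",
    f"{RES}org.ajax4jsf.javascript.AjaxScript.xhtml",
    f"{RES}org/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid={SID}",
    f"{RES}org/ajax4jsf/javascript/scripts/form.js.xhtml",
    f"{RES}org.ajax4jsf.javascript.PrototypeScript.xhtml",
    f"{RES}scripts/scriptaculous/effects.js.xhtml",
    f"{RES}org/richfaces/renderkit/html/script/processEffect.js.xhtml",
    f"/console2/images/mozilla_blu.gif;jsessionid={SID}",
    f"/console2/images/fatal.png;jsessionid={SID}",
    f"/console2/images/logolarge.gif;jsessionid={SID}",
]
SESSION_PARAM = re.compile(r";jsessionid=([0-9A-Fa-f]+)")

def split_request(request_uri):
    """Return (servlet_path, session_id, query). The container strips the
    ';jsessionid=...' path parameter before matching security constraints."""
    path, _, query = request_uri.partition("?")
    match = SESSION_PARAM.search(path)
    return SESSION_PARAM.sub("", path), (match.group(1) if match else None), query

def matches_constraint(servlet_path, url_pattern):
    """Extension mapping ('*.xhtml') or exact match, as in a <url-pattern>."""
    if url_pattern.startswith("*."):
        return servlet_path.endswith(url_pattern[1:])
    return servlet_path == url_pattern

def unauthenticated_requests(requests, url_pattern, cookies_enabled):
    """Protected requests the container cannot tie to the authenticated session:
    with cookies disabled, only the jsessionid path parameter can do that."""
    return [p for p, sid, _ in map(split_request, requests)
            if matches_constraint(p, url_pattern) and not cookies_enabled and sid is None]

def encode_url(url, session_id):
    """URL rewriting as HttpServletResponse.encodeURL does it: the path parameter
    goes before any query string. Simplification (assumption): always rewrites."""
    path, sep, query = url.partition("?")
    return f"{path};jsessionid={session_id}{sep}{query}"
```

Running unauthenticated_requests(CAPTURED_REQUESTS, "*.xhtml", cookies_enabled=False) yields exactly the five script resources that lack the path parameter; the two .xcss links and everything outside *.xhtml are not affected.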

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        
_______________________________________________
richfaces-issues mailing list
https://lists.jboss.org/mailman/listinfo/richfaces-issues