[
https://jira.jboss.org/jira/browse/RF-4043?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Nick Belaevski updated RF-4043:
-------------------------------
Fix Version/s: 3.2.2
Assignee: Nick Belaevski
> Richfaces doesn't encodeURL links to most a4j_3_2_1-SNAPSHOT resources
> ----------------------------------------------------------------------
>
> Key: RF-4043
> URL: https://jira.jboss.org/jira/browse/RF-4043
> Project: RichFaces
> Issue Type: Bug
> Affects Versions: 3.2.1
> Environment: SUSE Linux 10.2
> Firefox 3.0.1
> Reporter: Stephen Kinser
> Assignee: Nick Belaevski
> Fix For: 3.2.2
>
>
> Here's an http session as reported by livehttpheaders:
> GET /console2/
> GET
> /console2/j_security_check;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724?j_password=AAAACGtpbnNlcnNoAAAACTEyNy4wLjAuMQAAABTJXEus6ptOSJJLMmzTVnlXbf46nw%3D%3D&j_username=kinsersh
> GET
> /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
> GET /console2/style.css;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
> GET /console2/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript.xhtml
> GET
> /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
> GET /console2/a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js.xhtml
> GET /console2/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.PrototypeScript.xhtml
> GET /console2/a4j_3_2_1-SNAPSHOTscripts/scriptaculous/effects.js.xhtml
> GET
> /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/script/processEffect.js.xhtml
> GET
> /console2/images/mozilla_blu.gif;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
> GET /console2/images/fatal.png;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
> GET /console2/images/logolarge.gif;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
> See that jsessionid is not included for links to /a4j_3_2_1-SNAPSHOT*
> content, except for .xcss content. The end result is that session tracking
> using urls is disabled for these resources. This is a concern when a blanket
> security constraint for *.xhtml is in place and cookie session tracking is
> disabled. In this case these requests are never fulfilled because the
> container is not able to associate these requests with an already
> authenticated session. The workaround is for me to explicitly secure my JSF
> pages and leave /a4j_3_2_1-SNAPSHOT* content public. This is a fairly good
> workaround, but I still expect richfaces to encodeURL all of its links.
> Here's content in the <head> section of my project's index.xhtml page (from
> firefox's View Source):
> <link rel='stylesheet' class='component' type='text/css'
> href='a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E'
> /><link rel='stylesheet' class='component' type='text/css'
> href='a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E'
> /><link rel='stylesheet' class='user' type='text/css'
> href='style.css;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' /><script
> type='text/javascript'
> src='a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript.xhtml'></script><script
> type='text/javascript'
> src='a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js.xhtml'></script><script
> type='text/javascript'
> src='a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.PrototypeScript.xhtml'></script><script
> type='text/javascript'
> src='a4j_3_2_1-SNAPSHOTscripts/scriptaculous/effects.js.xhtml'></script>
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
_______________________________________________
richfaces-issues mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/richfaces-issues
