[ https://jira.jboss.org/jira/browse/RF-4043?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nick Belaevski resolved RF-4043.
--------------------------------

    Resolution: Won't Fix
      Assignee: Tsikhon Kuprevich  (was: Nick Belaevski)


Use new context parameters to separate session-aware and not resources

> Richfaces doesn't encodeURL links to most a4j_3_2_1-SNAPSHOT resources
> ----------------------------------------------------------------------
>
>                 Key: RF-4043
>                 URL: https://jira.jboss.org/jira/browse/RF-4043
>             Project: RichFaces
>          Issue Type: Bug
>    Affects Versions: 3.2.1
>         Environment: SUSE Linux 10.2
> Firefox 3.0.1
>            Reporter: Stephen Kinser
>            Assignee: Tsikhon Kuprevich
>             Fix For: 3.2.2
>
>
> Here's an http session as reported by livehttpheaders:
> GET /console2/
> GET /console2/j_security_check;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724?j_password=AAAACGtpbnNlcnNoAAAACTEyNy4wLjAuMQAAABTJXEus6ptOSJJLMmzTVnlXbf46nw%3D%3D&j_username=kinsersh
> GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
> GET /console2/style.css;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
> GET /console2/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript.xhtml
> GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
> GET /console2/a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js.xhtml
> GET /console2/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.PrototypeScript.xhtml
> GET /console2/a4j_3_2_1-SNAPSHOTscripts/scriptaculous/effects.js.xhtml
> GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/script/processEffect.js.xhtml
> GET /console2/images/mozilla_blu.gif;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
> GET /console2/images/fatal.png;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
> GET /console2/images/logolarge.gif;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
> See that jsessionid is not included for links to /a4j_3_2_1-SNAPSHOT* 
> content, except for .xcss content. The end result is that session tracking 
> using URLs is disabled for these resources. This is a concern when a blanket 
> security constraint for *.xhtml is in place and cookie session tracking is 
> disabled. In this case these requests are never fulfilled because the 
> container is not able to associate these requests with an already 
> authenticated session. The workaround is for me to explicitly secure my JSF 
> pages and leave /a4j_3_2_1-SNAPSHOT* content public. This is a fairly good 
> workaround, but I still expect RichFaces to encodeURL all of its links.
> Here's content in the <head> section of my project's index.xhtml page (from 
> Firefox's View Source):
>   <link rel='stylesheet' class='component' type='text/css' href='a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' />
>   <link rel='stylesheet' class='component' type='text/css' href='a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' />
>   <link rel='stylesheet' class='user' type='text/css' href='style.css;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' />
>   <script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript.xhtml'></script>
>   <script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js.xhtml'></script>
>   <script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.PrototypeScript.xhtml'></script>
>   <script type='text/javascript' src='a4j_3_2_1-SNAPSHOTscripts/scriptaculous/effects.js.xhtml'></script>

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
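
An added example, not part of the original report or of RichFaces: a small audit of a captured request list that flags requests matching a constrained url-pattern but carrying no `;jsessionid`, the condition the reporter describes when cookie session tracking is disabled. The capture lines, session id, context path and the `/index.xhtml` pattern are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample modelled on the capture in the report (shortened paths,
# placeholder session id); not the reporter's actual traffic.
CAPTURE = """\
GET /console2/index.xhtml;jsessionid=0123456789ABCDEF
GET /console2/style.css;jsessionid=0123456789ABCDEF
GET /console2/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/css/basic.xcss/DATB/x.xhtml;jsessionid=0123456789ABCDEF
GET /console2/a4j_3_2_1-SNAPSHOTscripts/scriptaculous/effects.js.xhtml?v=1
"""

def split_session(target):
    """Return (path without ';' parameters, jsessionid or None)."""
    path = urlsplit(target).path            # drops ?query, keeps ;params
    sid, segments = None, []
    for seg in path.split("/"):
        name, *params = seg.split(";")
        segments.append(name)
        for p in params:
            key, _, value = p.partition("=")
            if key.lower() == "jsessionid" and value:
                sid = value
    return "/".join(segments), sid

def matches(pattern, path):
    """Servlet url-pattern rules: '*.ext', '/prefix/*', or exact match."""
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern

def unauthenticated_requests(capture, context, patterns):
    """Constrained requests with no jsessionid (assumes cookies are disabled,
    so the URL is the only carrier of the session)."""
    flagged = []
    for line in capture.splitlines():
        _, _, target = line.strip().partition(" ")
        if not target:
            continue
        base, sid = split_session(target)
        rel = base[len(context):] if base.startswith(context) else base
        if sid is None and any(matches(p, rel) for p in patterns):
            flagged.append(rel)
    return flagged

if __name__ == "__main__":
    print(unauthenticated_requests(CAPTURE, "/console2", ["*.xhtml"]))
    print(unauthenticated_requests(CAPTURE, "/console2", ["/index.xhtml"]))
```

The first call models the blanket `*.xhtml` constraint and lists the two script resources the container could not tie to the session; the second models the workaround of constraining only the application's own pages and returns an empty list.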

        