[
https://jira.jboss.org/jira/browse/RF-3586?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12440449#action_12440449
]
Nick Belaevski commented on RF-3586:
------------------------------------
This class is intended to generate predictable URIs for all resources handled
by RichFaces. It creates a mapping between the resource key/data value and a
generated random string of known format for all resource requests. By default,
UUID.toString() is used. The mapping is maintained by an LRU map with a default
capacity of 10000, so be aware that stale entries can be removed and application
users will then get errors.

How to use: add to the application classpath a
META-INF/services/org.ajax4jsf.resource.InternetResourceBuilder file with the
following content:

org.ajax4jsf.resource.cached.CachedResourceBuilder

Limitations:
1. Doesn't work in clustered environments
2. All resource URIs become invalid after a server restart, which can cause
cache issues
3. Diagnosing resource loading errors becomes somewhat harder. The variant of
the code where a random key is appended to the resource name doesn't satisfy
the requirement of no path depth > 8 as requested by users (see RF-3586 for
more info)
> URLs of resources are not predictable
> -------------------------------------
>
> Key: RF-3586
> URL: https://jira.jboss.org/jira/browse/RF-3586
> Project: RichFaces
> Issue Type: Bug
> Components: docs updated, planning_all
> Affects Versions: 3.1.4, 3.1.5, 3.2.0
> Reporter: Olivier Martin
> Assignee: Tsikhon Kuprevich
> Priority: Blocker
> Fix For: 3.3.0
>
> Original Estimate: 1 day, 4 hours
> Remaining Estimate: 1 day, 4 hours
>
> The way RichFaces generates URLs for the scripts and styles is incompatible
> with security restrictions in a corporate world.
> When applications are deployed in production, the list of the URLs it uses
> has to be known : the Firewalls are configured with this "white-list" and a
> "black-list" forbidding URLs with ".." characters.
> For instance the following URL has several problems :
> a4j_3_1_5.GAcss/table.xcss/DATB/eAF7P..bLgAIQwM..faces
> * The prefix "a4j_3_1_5.GA" can be configured, but usually the projects don't
> bother to do it, thus this part is gonna change with each RichFaces release
> * The part "eAF7P..bLgAIQwM." is unpredictable, it depends on the value of
> the object SkinImpl.hashcode() ?!!
> * The part "eAF7P..bLgAIQwM." contains ".." characters
> Overall we had to bypass the usual security restrictions to put an
> application in production, this is unacceptable.
_______________________________________________
richfaces-issues mailing list
https://lists.jboss.org/mailman/listinfo/richfaces-issues
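
The mapping described in the comment above, sketched as an added example (not part of the original message and not the RichFaces CachedResourceBuilder source): each resource key/data value gets a UUID.toString() identifier that a firewall allow-list can match with one fixed pattern, and an LRU map bounds the table, so an evicted identifier stops resolving. The class name, method names, sample resource keys and the capacity of 2 are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.UUID;
import java.util.regex.Pattern;

// Hypothetical sketch of the idea in the comment; not RichFaces code.
public class OpaqueResourceUris {
    // Fixed shape of UUID.toString(): no ".." sequences, no variable path depth.
    static final Pattern ALLOWED = Pattern.compile(
        "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}");

    private final Map<String, String> resourceToId = new HashMap<>();
    private final Map<String, String> idToResource;

    OpaqueResourceUris(final int capacity) {
        // accessOrder=true keeps the least recently used entry first.
        idToResource = new LinkedHashMap<String, String>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, String> eldest) {
                if (size() <= capacity) return false;
                resourceToId.remove(eldest.getValue()); // keep both maps in step
                return true;
            }
        };
    }

    // Returns the identifier to place in the URL for this resource key/data.
    synchronized String uriFor(String resourceKeyAndData) {
        String id = resourceToId.get(resourceKeyAndData);
        if (id == null) {
            id = UUID.randomUUID().toString();
            resourceToId.put(resourceKeyAndData, id);
            idToResource.put(id, resourceKeyAndData);
        }
        return id;
    }

    // Rejects anything outside the known format before touching the map.
    synchronized String resolve(String id) {
        return ALLOWED.matcher(id).matches() ? idToResource.get(id) : null;
    }

    public static void main(String[] args) {
        OpaqueResourceUris uris = new OpaqueResourceUris(2); // constructed capacity
        String first = uris.uriFor("css/table.xcss|skinA");  // constructed keys
        uris.uriFor("css/panel.xcss|skinA");
        uris.uriFor("css/tabs.xcss|skinA"); // third entry evicts the first
        System.out.println("matches allow-list: " + ALLOWED.matcher(first).matches());
        System.out.println("evicted id resolves to: " + uris.resolve(first));
    }
}
```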