[
https://issues.apache.org/jira/browse/SHIRO-360?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13271797#comment-13271797
]
Les Hazlewood commented on SHIRO-360:
-------------------------------------
Hi Jim,
I totally agree - this is why I'd like it to be a customizable component where
these things can be easily turned on/off instead of embedded in the
ShiroHttpServletResponse implementation like it is today.
However, because Shiro must adhere to the Servlet Specification, we have to
support JSESSIONID appending - but we can still strongly recommend to people
that they turn it off (or even likely turn it off by default). XSS defense was
also on my mind when I thought about this too - hopefully we can kill a few
birds with one stone here.
Thanks for the feedback!!!
Les
> Create UrlEncoder
> -----------------
>
> Key: SHIRO-360
> URL: https://issues.apache.org/jira/browse/SHIRO-360
> Project: Shiro
> Issue Type: New Feature
> Components: Web
> Reporter: Les Hazlewood
> Fix For: 1.3.0
>
>
> To customize how URL encoding in a web app occurs, we should have a
> UrlEncoder component. More specifically, this can be used to customize how
> JSESSIONID is appended to a URL (if at all, depending on security
> preferences).
> The solution could be resolved as follows:
> Create a new UrlEncoder interface:
> public interface UrlEncoder {
> String encodeUrl(EncodeUrlRequest request);
> }
> The EncodeUrlRequest:
> public interface EncodeUrlRequest {
> String getUrl();
> HttpServletRequest getHttpServletRequest();
> HttpServletResponse getHttpServletResponse();
> ServletContext getServletContext();
> }
> Update WebEnvironment to have a new property:
> UrlEncoder getUrlEncoder();
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
