James Berry wrote:
> 
> On Aug 23, 2006, at 2:40 PM, William A. Rowe, Jr. wrote:
> 
>> James Berry wrote:
>>>
>>> So maybe this is the crux of it. Why/where is it that "this;biz=bar"
>>> cannot be treated the same for the purposes of access control as "this"?
>>> The URL spec says that these are equally valid, and that "this,biz=bar"
>>> is equally valid (and suggests too that it might also be used for
>>> passing parameters) but to my understanding, that should be no concern
>>> of tomcat's.
>>
>> BUT today's parsers don't do that.  So any DENY rule on "this" would let
>> "this;biz=bar" slip through, while the handler might process "this" and
>> ignore parameters entirely.
> 
> So such a deny rule on "this" would currently let "this;biz=bar"
> through, and would also let "thisthatandtheotherthing" through too, right?
> 
> I see nothing wrong with that: it follows my assertion that semicolon
> parameters simply should not be treated any differently.
> 
> What I'm saying is that they should not be treated independently or
> differently. They should be treated not as metadata, but as part of the
> segment.

To be 100% clear: this is what Apache httpd does today.  If you ask for
foo.html;v=1 it will open the -file- foo.html;v=1 or fail.  What jk or
tomcat does with the same is up to those components, but httpd has no
magic whatsoever, which is what you want.  You would like the same of
Tomcat.  But...

...this would be valid if /servlet/MyApplication;v=1 invokes the class
MyApplication;v=1 and not MyApplication with a parameter of v=1.

If it invokes the class MyApplication then we can't follow your philosophy
since the permissions were likely to apply to the servlet class and not
to the precise syntax the user called MyApplication with.
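
The mismatch William describes is a parser-differential problem: the access
control layer matches the literal request path while the dispatcher strips
";name=value" path parameters from each segment before choosing a handler.
The following Python is an added illustration, not code from this thread nor
from httpd or Tomcat, and it models both layers so the bypass can be seen
directly.  The deny rule "/servlet/MyApplication" and the helper names are
assumptions made for the example; the dispatcher model is the behaviour the
thread attributes to the servlet side (parameter stripped, class invoked),
not a reproduction of any real container's parsing code.

```python
"""Path-parameter ACL bypass: literal match vs. dispatcher-normalised match.

Example code written for this page; the deny rule below is an assumption.
"""

# Hypothetical protected servlet path (assumption for this example).
DENY_RULES = ("/servlet/MyApplication",)


def split_segment(segment):
    """Split one path segment into (name, params).

    'MyApplication;v=1;w=2' -> ('MyApplication', {'v': '1', 'w': '2'}).
    A bare parameter without '=' is kept with an empty value.
    """
    name, *raw_params = segment.split(";")
    params = {}
    for raw in raw_params:
        key, _, value = raw.partition("=")
        if key:
            params[key] = value
    return name, params


def dispatch_target(path):
    """Model of a dispatcher that drops ';...' from every segment before
    resolving the handler, so '/servlet/MyApplication;v=1' invokes the
    same class as '/servlet/MyApplication'.  (Modelled behaviour, not a
    real container's code.)
    """
    return "/".join(split_segment(seg)[0] for seg in path.split("/"))


def _matches_rule(path, rule):
    # Exact match or a child path; '/servlet/MyApplicationX' is not covered,
    # which is the 'thisthatandtheotherthing' case from the thread.
    return path == rule or path.startswith(rule + "/")


def naive_denied(path):
    """ACL that matches the request URI literally (the httpd-style view:
    the segment is an opaque name, parameters included)."""
    return any(_matches_rule(path, rule) for rule in DENY_RULES)


def normalized_denied(path):
    """ACL that evaluates the path the dispatcher will actually resolve,
    so the rule and the handler agree on what 'MyApplication' means."""
    target = dispatch_target(path)
    return any(_matches_rule(target, rule) for rule in DENY_RULES)


def check(path):
    """Return both verdicts for a request path, for side-by-side comparison."""
    return {
        "requested": path,
        "dispatches_to": dispatch_target(path),
        "naive_denied": naive_denied(path),
        "normalized_denied": normalized_denied(path),
    }


if __name__ == "__main__":
    # Constructed sample requests; the second one is the bypass case.
    for p in ("/servlet/MyApplication",
              "/servlet/MyApplication;v=1",
              "/servlet;x=1/MyApplication;v=1;w=2",
              "/servlet/MyApplicationX"):
        print(check(p))
```

The second request is the case under discussion: `naive_denied` returns
False because the literal path differs from the rule, yet `dispatch_target`
resolves it to the protected class.  Whichever side of the argument one
takes, the practical requirement is the same: the ACL must canonicalise the
path exactly as the component that ultimately serves it does, or the deny
rule is only advisory.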

