I was going to write an issue up in Jira about this, but wanted to run it by and see what others make of it.

Security of a web app with Tapestry's 'normal' (aka: unfriendly) URLs is a pain. Plain and simple. Using friendly URLs makes adding security easy, as it allows path-based security. The problem is, enabling friendly URLs doesn't disable the unfriendly URLs. While the method of configuring friendly URLs doesn't explicitly state it does, it implies that adding the friendly URL configuration actually changes the way URLs are dealt with, when it most definitely does not.

Add to this that the Shell component will add Tapestry comments, and cookies add the servlet's path, and exploitation of a site generated by Tapestry becomes somewhat trivial.

Given the above, the statement that this is an issue seems to be a fact. The question is: is this an issue that warrants an issue in Jira to fix? Or more documentation stating the issue? I'd personally hope for the former.

Thoughts?

Brian
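As an added illustration of the mitigation the post points at (this is example code written for this page, not code from the post or from Tapestry itself): a servlet filter that resolves the target page from either URL form and applies the same role check to both, so a path-based constraint on the friendly form cannot be bypassed by the engine-servlet form. It assumes the friendly URLs live under the filter's mapping as `/app/PageName[.html]`, that the unfriendly form names the page with `service=page` and a `page` query parameter (the Tapestry 4 style), and a hypothetical `ROLE_BY_PAGE` table standing in for real configuration.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: authorize by the resolved page name, not by the shape of the URL. */
public class PageAuthFilter implements Filter {
    // Assumed page -> required role mapping; a real deployment would load this from configuration.
    private static final Map<String, String> ROLE_BY_PAGE = Map.of(
            "Admin", "admin",
            "Reports", "staff");

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    /**
     * Resolve the page name from either URL form:
     *   friendly:   /app/Admin  or /app/Admin.html   (pathInfo = "/Admin" or "/Admin.html")
     *   unfriendly: /app?service=page&page=Admin     (query parameters, pathInfo empty)
     * Both forms reach the same page, so both must be checked the same way.
     */
    static String resolvePage(String pathInfo, String service, String pageParam) {
        if (pathInfo != null && pathInfo.length() > 1) {
            String p = pathInfo.substring(1);          // strip leading '/'
            int dot = p.lastIndexOf('.');
            return dot > 0 ? p.substring(0, dot) : p;  // strip ".html" style suffix
        }
        if ("page".equals(service) && pageParam != null && !pageParam.isEmpty()) {
            return pageParam;                          // engine-servlet form still selects the page
        }
        return "Home";                                 // assumed default page
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        String page = resolvePage(r.getPathInfo(), r.getParameter("service"), r.getParameter("page"));
        String requiredRole = ROLE_BY_PAGE.get(page);
        if (requiredRole != null && !r.isUserInRole(requiredRole)) {
            // Deny regardless of whether the caller used the friendly or the unfriendly URL.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Map the filter in web.xml onto the same url-pattern as the Tapestry application servlet so that every request, whichever URL form it uses, passes through the check.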
