Why not disable 'normal' URLs by simply removing the problematic servlet mapping (e.g. /app) from your web.xml?
Paul

Brian K. Wallace wrote:
> I was going to write an issue up in Jira about this, but wanted to run
> it by and see what others make of it.
>
> Security of a web app with Tapestry's 'normal' (aka: unfriendly) URLs is
> a pain. Plain and simple. Using friendly URLs makes adding security easy
> as it allows path based security. The problem is, enabling friendly URLs
> doesn't disable the unfriendly URLs. While the method of configuring
> friendly URLs doesn't explicitly state it does, it implies that adding
> the friendly URL configuration actually changes the way URLs are dealt
> with when it most definitely does not. Add to this that the Shell
> component will add Tapestry comments, and cookies add the servlet's
> path, and exploitation of a site generated by Tapestry becomes somewhat
> trivial.
>
> Given the above, the statement that this is an issue seems to be a fact.
> The question is: Is this an issue that warrants an issue in Jira to fix?
> Or more documentation stating the issue? I'd personally hope for the
> former.
>
> Thoughts?
>
> Brian
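As an added illustration (not from the thread and not the Tapestry project's own configuration), a web.xml excerpt showing the setup the two messages describe: friendly-URL servlet mappings guarded by a path-based security constraint, and the 'normal' /app mapping that Paul suggests removing. The servlet name "app", the /admin path, the "admin" role, the /app?service=... request form and the hivemodule.xml encoder contribution are assumptions.

```xml
<!-- Hypothetical web.xml excerpt (assumed names: servlet "app", path /admin/*, role "admin"). -->
<web-app>
  <servlet>
    <servlet-name>app</servlet-name>
    <servlet-class>org.apache.tapestry.ApplicationServlet</servlet-class>
  </servlet>

  <!-- Friendly-URL mappings: pages are addressed by path, so the container
       can apply a security constraint to them. (Assumes a matching
       tapestry.url.ServiceEncoders contribution in hivemodule.xml, omitted here.) -->
  <servlet-mapping>
    <servlet-name>app</servlet-name>
    <url-pattern>*.html</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>app</servlet-name>
    <url-pattern>/admin/*</url-pattern>
  </servlet-mapping>

  <!-- WEAK (left commented out): keeping the 'normal' mapping next to the
       friendly ones leaves the same pages reachable through requests of the
       assumed form /app?service=...&page=..., a path the constraint below
       never matches. Removing this mapping is the fix Paul proposes.
  <servlet-mapping>
    <servlet-name>app</servlet-name>
    <url-pattern>/app</url-pattern>
  </servlet-mapping>
  -->

  <!-- Path-based security: it only protects what the container matches by path. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```

After removing the /app mapping, a quick check is to request the old /app URL and confirm the container answers 404 rather than rendering a page.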