If the servlet mapping weren't used elsewhere, this might be possible; however, the main reason I brought it up was to make sure it's clearly identified as an issue - either in handling of URLs, or in documentation that doesn't imply 'disabling of unfriendly access'.

Brian

Paul Ferraro wrote:
> Why not disable 'normal' URLs by simply removing the problematic servlet
> mapping (e.g. /app) from your web.xml?
>
> Paul
>
> Brian K. Wallace wrote:
>> I was going to write an issue up in Jira about this, but wanted to run
>> it by and see what others make of it.
>>
>> Security of a web app with Tapestry's 'normal' (aka: unfriendly) URLs is
>> a pain. Plain and simple. Using friendly URLs makes adding security easy
>> as it allows path based security. The problem is, enabling friendly URLs
>> doesn't disable the unfriendly URLs. While the method of configuring
>> friendly URLs doesn't explicitly state it does, it implies that adding
>> the friendly URL configuration actually changes the way URLs are dealt
>> with when it most definitely does not. Add to this that the Shell
>> component will add Tapestry comments, and cookies add the servlet's
>> path, and exploitation of a site generated by Tapestry becomes somewhat
>> trivial.
>>
>> Given the above, the statement that this is an issue seems to be a fact.
>> The question is: Is this an issue that warrants an issue in Jira to fix?
>> Or more documentation stating the issue? I'd personally hope for the
>> former.
>>
>> Thoughts?
>>
>> Brian

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
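To make the point of the thread concrete, here is an added web.xml sketch (not part of the original messages and not the Tapestry project's own configuration). It shows why a path-based security constraint written only for a friendly URL leaves the page reachable through the `/app` servlet mapping, and how the constraint looks when it covers both routes. The role name `admin`, the friendly path `/admin/*`, the `Admin` page name and the servlet name `app` are assumed for illustration; `org.apache.tapestry.ApplicationServlet` is assumed to be the servlet class in use.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration; names and paths below are assumptions, not the thread's values. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <servlet>
    <servlet-name>app</servlet-name>
    <servlet-class>org.apache.tapestry.ApplicationServlet</servlet-class>
  </servlet>

  <!-- The 'unfriendly' mapping discussed in the thread. With only this,
       the Admin page is served as /app?service=page&page=Admin. -->
  <servlet-mapping>
    <servlet-name>app</servlet-name>
    <url-pattern>/app</url-pattern>
  </servlet-mapping>

  <!-- Assumed friendly mapping so the same page is also served as /admin/... -->
  <servlet-mapping>
    <servlet-name>app</servlet-name>
    <url-pattern>/admin/*</url-pattern>
  </servlet-mapping>

  <!-- WEAK: constrains only the friendly route. The container matches
       constraints on the servlet path, and the query string is not part
       of it, so /app?service=page&page=Admin is not covered at all. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin-pages-friendly-only</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- CORRECTED: every route that can reach the protected page is listed.
       /app (exact) covers the unfriendly form regardless of query string;
       /app/* covers any path-info variant the servlet may accept. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin-pages-all-routes</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <url-pattern>/app</url-pattern>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login-error.html</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>admin</role-name>
  </security-role>

</web-app>
```

Two practical notes on the corrected form: constraining `/app` wholesale means every page served through the unfriendly mapping now requires the `admin` role, which is usually only acceptable when the public pages are all reachable through friendly paths; and a container-level `url-pattern` can never distinguish pages selected by the `page=` query parameter, which is exactly why the thread argues the fix belongs in URL handling (or in removing the mapping, as Paul suggests) rather than in web.xml alone.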
