Author: bwallace
Date: Tue Apr 25 18:02:50 2006
New Revision: 397037
URL: http://svn.apache.org/viewcvs?rev=397037&view=rev
Log:
[TAPESTRY-843] Added warning about security and friendly URLs
Modified:
tapestry/tapestry4/branches/4.0/src/documentation/content/xdocs/UsersGuide/friendly-urls.xml
Modified:
tapestry/tapestry4/branches/4.0/src/documentation/content/xdocs/UsersGuide/friendly-urls.xml
URL:
http://svn.apache.org/viewcvs/tapestry/tapestry4/branches/4.0/src/documentation/content/xdocs/UsersGuide/friendly-urls.xml?rev=397037&r1=397036&r2=397037&view=diff
==============================================================================
---
tapestry/tapestry4/branches/4.0/src/documentation/content/xdocs/UsersGuide/friendly-urls.xml
(original)
+++
tapestry/tapestry4/branches/4.0/src/documentation/content/xdocs/UsersGuide/friendly-urls.xml
Tue Apr 25 18:02:50 2006
@@ -60,6 +60,13 @@
ambitious, but more limited, patch was required).
</p>
+ <warning>
+ For security purposes, enabling friendly URLs implies that pages are no
longer
+ accessible via their ugly URL counterpart. This is not the case. If a
malevolent user
+ can either guess - or via cookies identify - your servlet path, they can
construct an
+ ugly URL to a resource that is protected via security and gain access to
the protected
+ resource.
+ </warning>
<p>
Friendly URLs are divided into two concerns:
</p>
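Review bot: The opening of the added <warning> states the misconception as if it were fact ("enabling friendly URLs implies that pages are no longer accessible via their ugly URL counterpart") and only retracts it in the next sentence with "This is not the case", so a reader skimming the box can take away the opposite of what is meant. Suggest leading with the actual behaviour, for example "Enabling friendly URLs does not disable their ugly URL counterparts; pages remain reachable through both forms." The warning also stops at the risk and offers no remedy: add a sentence saying that any security constraint placed on a friendly URL must also cover the servlet path, so the ugly URL form of the same resource is protected too. The phrase "or via cookies identify" is not explained anywhere in the visible text; either say how the servlet path is exposed or drop it.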