Hello everybody,

We've successfully developed and deployed a payment manager application written in Tapestry 5.1. The system with the application is PCI certified. This requires a periodic vulnerability scan by a PCI scanning vendor. Basically, the scanning vendor uses Nessus to throw all kinds of requests at the app to potentially identify known vulnerabilities on a system.

The problem or annoyance we have is that the Tapestry app has to deal with all kinds of arbitrary requests resulting in server errors (500s). We would much rather return 404s. We have 2 kinds of requests that bother us:

1) Requests like "/login.asp?blahbalh" or "/login.htm" etc. Tapestry does not like it:

    org.apache.tapestry5.ioc.internal.util.TapestryException: Component Login does not contain an embedded component with id 'htm'.

We have a page Login.class with a form on it, so requests like '/login' and '/login.form' are handled as expected, but not the likes of "/login.cgi".

2) Requests like "/cgi/wsisa.dll/WService=wsbroker1/webtools/oscommand.w" or "/cgi/go.cgi|id|" (that is probably against the HTTP spec?). Tapestry does not like it:

    java.lang.IllegalArgumentException: Input string 'WService=wsbroker1' is not valid; the character '=' at position 9 is not valid.
        at org.apache.tapestry5.internal.services.URLEncoderImpl.decode(URLEncoderImpl.java:143)

I guess that one could catch these exceptions on the ExceptionReport page and then do some custom 404 thing, but it would be much nicer to prevent these exceptions from happening in the first place.

Any ideas?

Thanks
Mike
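
One way to answer both request classes from the post with a 404 before Tapestry parses them is a plain servlet filter mapped ahead of the Tapestry filter in web.xml. This is an added example, not code from the original post or from the Tapestry project; the class name `ScannerNoiseFilter`, the allowed character set and the extension list are assumptions to adjust for the application.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: returns 404 for paths the application can never serve. */
public class ScannerNoiseFilter implements Filter {

    // Assumption: the characters Tapestry's URL encoding leaves unescaped in a
    // path segment, plus its '$' escape marker. '=' and '|' from the post fail here.
    private static final Pattern SAFE_PATH =
        Pattern.compile("(/[A-Za-z0-9_.:$-]*)*");

    // Assumption: the application serves none of these extensions itself.
    // "/login.form" (page Login, component "form") is not on the list and passes.
    private static final Pattern FOREIGN_EXT = Pattern.compile(
        ".*\\.(asp|aspx|cgi|dll|htm|html|php)(/.*)?", Pattern.CASE_INSENSITIVE);

    /** True when the path should get a 404 instead of reaching Tapestry. */
    static boolean shouldReject(String path) {
        if (path == null || path.length() == 0) return false; // root request
        return !SAFE_PATH.matcher(path).matches()
            || FOREIGN_EXT.matcher(path).matches();
    }

    public void init(FilterConfig config) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Container-decoded path, without query string or path parameters.
        String info = request.getPathInfo();
        String path = request.getServletPath() + (info == null ? "" : info);
        if (shouldReject(path)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

With these patterns "/login" and "/login.form" pass through, while "/login.asp", "/login.htm", "/cgi/go.cgi|id|" and "/cgi/wsisa.dll/WService=wsbroker1/webtools/oscommand.w" get a 404; check the patterns against the application's real asset and page URLs before deploying.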