<div dir="ltr">><span style="font-family:arial,sans-serif;font-size:13px"> it might work, although I’m not sure if this is the best solution “on the market”.</span><div><font face="arial, sans-serif">It may not be the best solution and feel free to ignore it. </font></div>
<div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif"><br></font></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 25 July 2014 12:55, Tadeas Kriz <span dir="ltr"><<a href="mailto:tkriz@redhat.com" target="_blank">tkriz@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><br><div>
<div style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word"><div>—</div><div>Tadeas Kriz</div></div>
</div>
<br><div><div class=""><div>On 25 Jul 2014, at 12:38 pm, Daniel Bevenius <<a href="mailto:daniel.bevenius@gmail.com" target="_blank">daniel.bevenius@gmail.com</a>> wrote:</div><br><blockquote type="cite"><div dir="ltr">
><span style="font-family:arial,sans-serif;font-size:13px">What do you mean by that regex?</span><div><span style="font-family:arial,sans-serif;font-size:13px">That the JAXRS implementation should not disallow as '/' in the path. </span></div>
</div></blockquote><div><br></div></div><div>Well, if it was like:</div><div><br></div><div>```</div><div>DELETE /rest/registry/installation/<a href="http://localhost:8321/asdasd" target="_blank">http://localhost:8321/asdasd</a></div>
<div>```</div><div><br></div><div>and the token you showed would match all the characters (which means that the `String token` would become `<a href="http://localhost:8321/asdasd" target="_blank">http://localhost:8321/asdasd</a>` in the endpoint method), it might work, although I’m not sure if this is the best solution “on the market”.</div>
<div class=""><br><blockquote type="cite"><div dir="ltr">
<div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px">></span><span style="font-family:arial,sans-serif;font-size:13px">The problem is simply the “%2F” in the token (which is an URLencoded simplepush url) and it’s being revoked long before it hits the RestEasy (which does the routing according to what’s in the @Path).</span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px">I guess I don't understand why this would be revoked by anything before it hits the JAXRS implementation, but if that is the case you are right and adding this would not help.</span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div></div></blockquote><div><br></div></div><div>This was a solution for a security hole. As I understand it, on Linux, scripts cannot tell the difference between “/” and “%2F” and because of that, it’s forbidden to use as a path parameter (at least on Tomcat).</div>
<div><div class="h5"><br><blockquote type="cite"><div dir="ltr"><div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px"><br>
</span></div><div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 25 July 2014 12:25, Tadeas Kriz <span dir="ltr"><<a href="mailto:tkriz@redhat.com" target="_blank">tkriz@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><br><div>
<div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word"><div>—</div><div>Tadeas Kriz</div></div>
</div>
<br><div><div><div>On 25 Jul 2014, at 11:04 am, Daniel Bevenius <<a href="mailto:daniel.bevenius@gmail.com" target="_blank">daniel.bevenius@gmail.com</a>> wrote:</div><br><blockquote type="cite"><div dir="ltr">
><span style="font-family:arial,sans-serif;font-size:13px">5. don’t use the url as a deviceToken (might not comply with Mozilla’s SimplePush specs)</span><div><span style="font-family:arial,sans-serif;font-size:13px">The deviceToken is an UPS concept and there is nothing in the SimplePush spec which is violated in this case. </span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div></div></blockquote></div><div>I thought that deviceTokens were changed from a generated value to the URL just to comply with Mozilla’s SimplePush specs. Matzew, why was the generated token removed then?</div>
<div><br><blockquote type="cite"><div dir="ltr"><div><span style="font-family:arial,sans-serif;font-size:13px">I'm not sure about what the best option is for UPS though. Would a regex in the @Path annotation work perhaps, something like:</span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px"> </span></div><div><div><font face="arial, sans-serif">@DELETE</font></div><div><font face="arial, sans-serif">@Path("{token: .+}")</font></div>
<div><font face="arial, sans-serif">public Response unregisterInstallations(</font></div></div></div><div class="gmail_extra"><br></div></blockquote><div><br></div></div><div>What do you mean by that regex? The problem is simply the “%2F” in the token (which is an URLencoded simplepush url) and it’s being revoked long before it hits the RestEasy (which does the routing according to what’s in the @Path).</div>
<div><div><br><blockquote type="cite"><div class="gmail_extra"><br><div class="gmail_quote">On 25 July 2014 10:32, Tadeas Kriz <span dir="ltr"><<a href="mailto:tkriz@redhat.com" target="_blank">tkriz@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
—<br>
Tadeas Kriz<br>
<br>
On 24 Jul 2014, at 05:44 pm, Karel Piwko <<a href="mailto:kpiwko@redhat.com" target="_blank">kpiwko@redhat.com</a>> wrote:<br>
<br>
> On Thu, Jul 24, 2014 at 3:28 PM, Tadeas Kriz <<a href="mailto:tkriz@redhat.com" target="_blank">tkriz@redhat.com</a>> wrote:<br>
>><br>
>> It should not. For hibernate, it’s just a string like any other.<br>
>> The problem might be in the configuration of JAX.RS/RestEasy. If<br>
>> I’ll have some time today evening, I’ll try to fix it, it should<br>
>> be an easy fix.<br>
><br>
> Last famous words? ;-)<br>
><br>
<br>
I shall never say “an easy fix” again.<br>
<br>
> But I agree. Everything is string and URL encode should happen on<br>
> client while server should automatically decode and work always with<br>
> just decoded string. If we need to encode twice, something is wrong.<br>
><br>
<br>
Anyway, the 400 Bad Request response is made by Tomcat itself, disallowing the use of %2F as a path parameter. This will probably apply on other web containers.<br>
<br>
Possible solutions with their disadvantages:<br>
<br>
1. well-documented double-encoding of the URL (might be confusing)<br>
2. use @QueryParam instead of @PathParam (breaks the api consistency, as every other call would still use @PathParam)<br>
3. allow @QueryParam (again, breaks the api consistency, but only for the SimplePush)<br>
4. find another encoding (Base64 for URL = URLEncode then Base64 encode)<br>
5. don’t use the url as a deviceToken (might not comply with Mozilla’s SimplePush specs)<br>
<br>
What do you think guys?<br>
<br>
>><br>
>><br>
><br>
><br>
> _______________________________________________<br>
> aerogear-dev mailing list<br>
> <a href="mailto:aerogear-dev@lists.jboss.org" target="_blank">aerogear-dev@lists.jboss.org</a><br>
> <a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a><br>
<br>
<br>
</blockquote></div><br></div>
</blockquote>
</div></div></div><br></div><br></blockquote></div><br></div>
</blockquote>
</div></div></div><br></div><br></blockquote></div><br></div>
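<div>The following is an added example, not code from the thread above or from the AeroGear UnifiedPush code base. It models in Python why a percent-encoded slash (%2F) inside a path parameter is a routing problem rather than a Hibernate or RestEasy problem: if a container decodes the request path before matching it against routes, a token such as the SimplePush URL from the thread turns into extra path segments, so “/” and “%2F” can no longer be told apart; Tomcat refuses such requests with 400 instead of guessing. The two routes are hypothetical regex equivalents of <code>@Path("{token}")</code> and <code>@Path("{token: .+}")</code>, the sample URL is constructed, and the encoders implement options 1 (double encoding) and 4 (URL-encode then URL-safe Base64) from the list of proposed solutions.</div>

```python
# Added example (not part of the mailing-list thread or the AeroGear code base).
# Models the %2F-in-a-path-parameter problem and two of the proposed workarounds.
import base64
import re
from urllib.parse import quote, unquote

# Constructed sample token, the same shape as the SimplePush URL in the thread.
SIMPLEPUSH_URL = "http://localhost:8321/asdasd"
BASE = "/rest/registry/installation/"

# Hypothetical route equivalent to @Path("{token}"): exactly one segment, no slash.
SINGLE_SEGMENT_ROUTE = re.compile(r"^/rest/registry/installation/(?P<token>[^/]+)$")
# Hypothetical route equivalent to @Path("{token: .+}"): greedy, slashes allowed.
GREEDY_ROUTE = re.compile(r"^/rest/registry/installation/(?P<token>.+)$")


def extract_token(raw_path, route=SINGLE_SEGMENT_ROUTE, decode_first=False):
    """Return the captured token segment, or None when the path does not route.

    decode_first=True models a container that percent-decodes the whole request
    path before routing. That is the situation in which %2F and a literal slash
    become indistinguishable, which is why Tomcat rejects %2F with 400 instead.
    """
    path = unquote(raw_path) if decode_first else raw_path
    match = route.match(path)
    return match.group("token") if match else None


def percent_encode_token(url):
    """Single URL-encoding of the token, as a client would send it today."""
    return quote(url, safe="")


def decode_percent_token(segment):
    """Application-side decode of a captured segment (what the endpoint sees)."""
    return unquote(segment)


def double_encode_token(url):
    """Option 1: encode twice, so the container's single decode still leaves
    %2F (not a literal slash) in the segment handed to the application."""
    return quote(quote(url, safe=""), safe="")


def encode_token_b64url(url):
    """Option 4: URL-encode, then Base64 with the URL-safe alphabet (no '/' or
    '+'), padding stripped, so the token never contains a slash in any form."""
    percent_encoded = quote(url, safe="").encode("ascii")
    return base64.urlsafe_b64encode(percent_encoded).decode("ascii").rstrip("=")


def decode_token_b64url(token):
    """Inverse of encode_token_b64url; restores the stripped '=' padding first."""
    padded = token + "=" * (-len(token) % 4)
    return unquote(base64.urlsafe_b64decode(padded).decode("ascii"))


if __name__ == "__main__":
    once = BASE + percent_encode_token(SIMPLEPUSH_URL)
    print("raw path:      ", once)
    print("route first:   ", extract_token(once))
    print("decode first:  ", extract_token(once, decode_first=True))  # None
    print("greedy @Path:  ", extract_token(BASE + SIMPLEPUSH_URL, route=GREEDY_ROUTE))
    b64 = encode_token_b64url(SIMPLEPUSH_URL)
    print("base64url:     ", b64, "->", decode_token_b64url(extract_token(BASE + b64, decode_first=True)))
```

<div>Running the script shows that the single-encoded token routes only if the container matches the raw path and decodes afterwards; a container that decodes first cannot match it at all, which is the ambiguity the 400 response guards against. The greedy <code>.+</code> route matches the URL with literal slashes, as the thread describes, at the cost of accepting any path under that prefix. The double-encoded and Base64url forms survive a decode-before-route container because no literal slash ever appears in the segment, which is why options 1 and 4 do not depend on container configuration.</div>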