[
https://jira.jboss.org/jira/browse/RF-3586?page=com.atlassian.jira.plugin...
]
Olivier Martin commented on RF-3586:
------------------------------------
1. Doesn't work in clustered environments
Does that mean we won't be able to use RichFaces in a clustered environment ?
What type of cluster ?
- affinity based
- session reclication based
URLs of resources are not predictable
-------------------------------------
Key: RF-3586
URL:
https://jira.jboss.org/jira/browse/RF-3586
Project: RichFaces
Issue Type: Bug
Components: docs updated, planning_all
Affects Versions: 3.1.4, 3.1.5, 3.2.0
Reporter: Olivier Martin
Assignee: Tsikhon Kuprevich
Priority: Blocker
Fix For: 3.3.0
Original Estimate: 1 day, 4 hours
Remaining Estimate: 1 day, 4 hours
The way RichFaces generates URLs for the scripts and styles is incompatible with security
restrictions in a corporate world.
When applications are deployed in production, the list of the URLs it uses has to be
known : the Firewalls are configured with this "white-list" and a
"black-list" forbidding URLs with ".." characters.
For instance the following URL has several problems :
a4j_3_1_5.GAcss/table.xcss/DATB/eAF7P..bLgAIQwM..faces
* The prefix "a4j_3_1_5.GA" can be configured, but usually the projects
don't bother to do it, thus this part is gonna change with each RichFaces release
* The part "eAF7P..bLgAIQwM." is unpredictable, it depends on the value of the
object SkinImpl.hashcode() ?!!
* The part "eAF7P..bLgAIQwM." contains ".."' characters
Overall we had to bypass the usual security restrictions to put an application in
production, this is unacceptable.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira