[
https://jira.jboss.org/jira/browse/RF-3586?page=com.atlassian.jira.plugin...
]
Nick Belaevski resolved RF-3586.
--------------------------------
Resolution: Done
Assignee: Tsikhon Kuprevich (was: Nick Belaevski)
org.ajax4jsf.resource.cached.CachedResourceBuilder has been committed. Here is the excerpt
from JavaDoc:
This class is intended to generate predictable URIs for all resources handled by
RichFaces. It creates mapping between resource key/data value and generated random string
of known format for all resource requests. By default UUID.toString() is used. Mapping is
maintained by LRU map having default capacity of 10000 so be aware that stale entries can
be removed and application users will get errors then. How to use: add to application
classpath META-INF/services/org.ajax4jsf.resource.InternetResourceBuilder file with the
following content org.ajax4jsf.resource.cached.CachedResourceBuilder
Limitations:
1. Doesn't work in clustered environments
2. All resource URIs become invalid after server restart that can cause cache issues
3. Diagnostic of resource loading errors becomes somewhat harder. Variant of code where
random key is appended to resource name doesn't satisfy the requirement of no path
depth > 8 as requested by users (see RF-3586 for more info)
URLs of resources are not predictable
-------------------------------------
Key: RF-3586
URL:
https://jira.jboss.org/jira/browse/RF-3586
Project: RichFaces
Issue Type: Bug
Components: docs updated, planning_all
Affects Versions: 3.1.4, 3.1.5, 3.2.0
Reporter: Olivier Martin
Assignee: Tsikhon Kuprevich
Priority: Blocker
Fix For: 3.3.0
Original Estimate: 1 day, 4 hours
Remaining Estimate: 1 day, 4 hours
The way RichFaces generates URLs for the scripts and styles is incompatible with security
restrictions in a corporate world.
When applications are deployed in production, the list of the URLs it uses has to be
known : the Firewalls are configured with this "white-list" and a
"black-list" forbidding URLs with ".." characters.
For instance the following URL has several problems :
a4j_3_1_5.GAcss/table.xcss/DATB/eAF7P..bLgAIQwM..faces
* The prefix "a4j_3_1_5.GA" can be configured, but usually the projects
don't bother to do it, thus this part is gonna change with each RichFaces release
* The part "eAF7P..bLgAIQwM." is unpredictable, it depends on the value of the
object SkinImpl.hashcode() ?!!
* The part "eAF7P..bLgAIQwM." contains ".."' characters
Overall we had to bypass the usual security restrictions to put an application in
production, this is unacceptable.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira