[richfaces-issues] [JBoss JIRA] Commented: (RF-3586) URLs of resources are not predictable

URLs of resources are not predictable ------------------------------------- Key: RF-3586 URL: https://jira.jboss.org/jira/browse/RF-3586 Project: RichFaces Issue Type: Bug Components: docs updated, planning_all Affects Versions: 3.1.4, 3.1.5, 3.2.0 Reporter: Olivier Martin Assignee: Tsikhon Kuprevich Priority: Blocker Fix For: 3.3.0 Original Estimate: 1 day, 4 hours Remaining Estimate: 1 day, 4 hours The way RichFaces generates URLs for the scripts and styles is incompatible with security restrictions in a corporate world. When applications are deployed in production, the list of the URLs it uses has to be known : the Firewalls are configured with this "white-list" and a "black-list" forbidding URLs with ".." characters. For instance the following URL has several problems : a4j_3_1_5.GAcss/table.xcss/DATB/eAF7P..bLgAIQwM..faces * The prefix "a4j_3_1_5.GA" can be configured, but usually the projects don't bother to do it, thus this part is gonna change with each RichFaces release * The part "eAF7P..bLgAIQwM." is unpredictable, it depends on the value of the object SkinImpl.hashcode() ?!! * The part "eAF7P..bLgAIQwM." contains ".."' characters Overall we had to bypass the usual security restrictions to put an application in production, this is unacceptable.