[ https://jira.jboss.org/jira/browse/RF-4043?page=com.atlassian.jira.plugin... ]
Nick Belaevski resolved RF-4043.
--------------------------------
Resolution: Won't Fix
Assignee: Tsikhon Kuprevich (was: Nick Belaevski)
Use new context parameters to separate session-aware and not resources
Richfaces doesn't encodeURL links to most a4j_3_2_1-SNAPSHOT resources
----------------------------------------------------------------------
Key: RF-4043
URL: https://jira.jboss.org/jira/browse/RF-4043
Project: RichFaces
Issue Type: Bug
Affects Versions: 3.2.1
Environment: SUSE Linux 10.2
Firefox 3.0.1
Reporter: Stephen Kinser
Assignee: Tsikhon Kuprevich
Fix For: 3.2.2
Here's an http session as reported by livehttpheaders:
GET /console2/
GET /console2/j_security_check;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724?j_password=AAAACGtpbnNlcnNoAAAACTEyNy4wLjAuMQAAABTJXEus6ptOSJJLMmzTVnlXbf46nw%3D%3D&j_username=kinsersh
GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/style.css;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.PrototypeScript.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTscripts/scriptaculous/effects.js.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/script/processEffect.js.xhtml
GET /console2/images/mozilla_blu.gif;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/images/fatal.png;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/images/logolarge.gif;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
See that jsessionid is not included for links to /a4j_3_2_1-SNAPSHOT* content, except for
.xcss content. The end result is that session tracking using URLs is disabled for these
resources. This is a concern when a blanket security constraint for *.xhtml is in place
and cookie session tracking is disabled. In this case these requests are never fulfilled
because the container is not able to associate these requests with an already
authenticated session. The workaround is for me to explicitly secure my JSF pages and
leave /a4j_3_2_1-SNAPSHOT* content public. This is a fairly good workaround, but I still
expect RichFaces to encodeURL all of its links.
Here's content in the <head> section of my project's index.xhtml page (from
Firefox's View Source):
<link rel='stylesheet' class='component' type='text/css' href='a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' />
<link rel='stylesheet' class='component' type='text/css' href='a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' />
<link rel='stylesheet' class='user' type='text/css' href='style.css;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' />
<script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript.xhtml'></script>
<script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js.xhtml'></script>
<script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.PrototypeScript.xhtml'></script>
<script type='text/javascript' src='a4j_3_2_1-SNAPSHOTscripts/scriptaculous/effects.js.xhtml'></script>
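
The condition described in this report can be checked mechanically. The following is an added example, not code from the report or from RichFaces: it parses rendered markup and lists resource URLs that match a protected url-pattern (*.xhtml, as in the report) but carry no jsessionid path parameter. The sample markup is constructed, with shortened paths and a placeholder session id, and the function names are hypothetical.

```python
from fnmatch import fnmatchcase
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the <head> markup in the report
# (paths shortened, session id is a placeholder).
SAMPLE_HEAD = """
<link rel='stylesheet' type='text/css' href='a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/x.xhtml;jsessionid=0123456789ABCDEF' />
<link rel='stylesheet' type='text/css' href='style.css;jsessionid=0123456789ABCDEF' />
<script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript.xhtml'></script>
<script type='text/javascript' src='a4j_3_2_1-SNAPSHOTscripts/scriptaculous/effects.js.xhtml'></script>
"""


class ResourceLinks(HTMLParser):
    """Collect href/src values from link, script and img tags."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in ("link", "script", "img"):
            self.urls += [v for k, v in attrs if k in ("href", "src") and v]


def split_session(url):
    """Return (path without path parameters, jsessionid value or None)."""
    base, _, params = urlsplit(url).path.partition(";")
    sid = None
    for param in params.split(";"):
        name, _, value = param.partition("=")
        if name.lower() == "jsessionid" and value:
            sid = value
    return base, sid


def missing_session(html, protected=("*.xhtml",)):
    """URLs that match a protected url-pattern but carry no jsessionid."""
    parser = ResourceLinks()
    parser.feed(html)
    flagged = []
    for url in parser.urls:
        base, sid = split_session(url)
        if sid is None and any(fnmatchcase(base, pat) for pat in protected):
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    for url in missing_session(SAMPLE_HEAD):
        print("no jsessionid on protected resource:", url)
```

With cookie session tracking disabled, each URL this reports is a request the container cannot tie to the authenticated session.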