[JBoss JIRA] Created: (RF-3586) URLs of resources are not predictable

[JBoss JIRA] Created: (RF-4789)...

[JBoss JIRA] Created: (RF-4587)...

Olivier Martin (JIRA)

Thursday, 29 May 2008 Thu, 29 May '08

3:38 a.m.

URLs of resources are not predictable ------------------------------------- Key: RF-3586 URL: http://jira.jboss.com/jira/browse/RF-3586 Project: RichFaces Issue Type: Bug Affects Versions: 3.2.0, 3.1.5, 3.1.4 Reporter: Olivier Martin The way RichFaces generates URLs for the scripts and styles is incompatible with security restrictions in a corporate world. When applications are deployed in production, the list of the URLs it uses has to be known : the Firewalls are configured with this "white-list" and a "black-list" forbidding URLs with ".." characters. For instance the following URL has several problems : a4j_3_1_5.GAcss/table.xcss/DATB/eAF7P..bLgAIQwM..faces * The prefix "a4j_3_1_5.GA" can be configured, but usually the projects don't bother to do it, thus this part is gonna change with each RichFaces release * The part "eAF7P..bLgAIQwM." is unpredictable, it depends on the value of the object SkinImpl.hashcode() ?!! * The part "eAF7P..bLgAIQwM." contains ".."' characters Overall we had to bypass the usual security restrictions to put an application in production, this is unacceptable. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

Show replies by date

Nick Belaevski (JIRA)

Thursday, 29 May Thu, 29 May

5:33 a.m.

New subject: [JBoss JIRA] Updated: (RF-3586) URLs of resources are not predictable

[ http://jira.jboss.com/jira/browse/RF-3586?page=all ] Nick Belaevski updated RF-3586: ------------------------------- Fix Version/s: 3.2.2 Assignee: Alexander Smirnov

...

URLs of resources are not predictable ------------------------------------- Key: RF-3586 URL: http://jira.jboss.com/jira/browse/RF-3586 Project: RichFaces Issue Type: Bug Affects Versions: 3.2.0, 3.1.4, 3.1.5 Reporter: Olivier Martin Assigned To: Alexander Smirnov Fix For: 3.2.2 The way RichFaces generates URLs for the scripts and styles is incompatible with security restrictions in a corporate world. When applications are deployed in production, the list of the URLs it uses has to be known : the Firewalls are configured with this "white-list" and a "black-list" forbidding URLs with ".." characters. For instance the following URL has several problems : a4j_3_1_5.GAcss/table.xcss/DATB/eAF7P..bLgAIQwM..faces * The prefix "a4j_3_1_5.GA" can be configured, but usually the projects don't bother to do it, thus this part is gonna change with each RichFaces release * The part "eAF7P..bLgAIQwM." is unpredictable, it depends on the value of the object SkinImpl.hashcode() ?!! * The part "eAF7P..bLgAIQwM." contains ".."' characters Overall we had to bypass the usual security restrictions to put an application in production, this is unacceptable.

-- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

Nick Belaevski (JIRA)

Monday, 28 July Mon, 28 Jul

1:08 p.m.

New subject: [JBoss JIRA] Assigned: (RF-3586) URLs of resources are not predictable

[ https://jira.jboss.org/jira/browse/RF-3586?page=com.atlassian.jira.plugin... ] Nick Belaevski reassigned RF-3586: ---------------------------------- Assignee: Nick Belaevski (was: Alexander Smirnov)

...

URLs of resources are not predictable ------------------------------------- Key: RF-3586 URL: https://jira.jboss.org/jira/browse/RF-3586 Project: RichFaces Issue Type: Bug Affects Versions: 3.1.4, 3.1.5, 3.2.0 Reporter: Olivier Martin Assignee: Nick Belaevski Fix For: 3.2.2 The way RichFaces generates URLs for the scripts and styles is incompatible with security restrictions in a corporate world. When applications are deployed in production, the list of the URLs it uses has to be known : the Firewalls are configured with this "white-list" and a "black-list" forbidding URLs with ".." characters. For instance the following URL has several problems : a4j_3_1_5.GAcss/table.xcss/DATB/eAF7P..bLgAIQwM..faces * The prefix "a4j_3_1_5.GA" can be configured, but usually the projects don't bother to do it, thus this part is gonna change with each RichFaces release * The part "eAF7P..bLgAIQwM." is unpredictable, it depends on the value of the object SkinImpl.hashcode() ?!! * The part "eAF7P..bLgAIQwM." contains ".."' characters Overall we had to bypass the usual security restrictions to put an application in production, this is unacceptable.

-- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

Nick Belaevski (JIRA)

Wednesday, 30 July Wed, 30 Jul

11:27 a.m.

New subject: [JBoss JIRA] Commented: (RF-3586) URLs of resources are not predictable

[ https://jira.jboss.org/jira/browse/RF-3586?page=com.atlassian.jira.plugin... ] Nick Belaevski commented on RF-3586: ------------------------------------ Now resources prefix will be a4j/versionXXX instead a4j_versionXXX Base64 encoder changed to use '!' instead of '.'

...

Nick Belaevski (JIRA)

11:29 a.m.

New subject: [JBoss JIRA] Updated: (RF-3586) URLs of resources are not predictable

[ https://jira.jboss.org/jira/browse/RF-3586?page=com.atlassian.jira.plugin... ] Nick Belaevski updated RF-3586: ------------------------------- Affects: [Documentation (Ref Guide, User Guide, etc.)]

...

Nick Belaevski (JIRA)

11:29 a.m.

New subject: [JBoss JIRA] Resolved: (RF-3586) URLs of resources are not predictable

...

URLs of resources are not predictable ------------------------------------- Key: RF-3586 URL: https://jira.jboss.org/jira/browse/RF-3586 Project: RichFaces Issue Type: Bug Affects Versions: 3.1.4, 3.1.5, 3.2.0 Reporter: Olivier Martin Assignee: Tsikhon Kuprevich Fix For: 3.2.2 The way RichFaces generates URLs for the scripts and styles is incompatible with security restrictions in a corporate world. When applications are deployed in production, the list of the URLs it uses has to be known : the Firewalls are configured with this "white-list" and a "black-list" forbidding URLs with ".." characters. For instance the following URL has several problems : a4j_3_1_5.GAcss/table.xcss/DATB/eAF7P..bLgAIQwM..faces * The prefix "a4j_3_1_5.GA" can be configured, but usually the projects don't bother to do it, thus this part is gonna change with each RichFaces release * The part "eAF7P..bLgAIQwM." is unpredictable, it depends on the value of the object SkinImpl.hashcode() ?!! * The part "eAF7P..bLgAIQwM." contains ".."' characters Overall we had to bypass the usual security restrictions to put an application in production, this is unacceptable.

Svetlana mukhina (JIRA)

Thursday, 31 July Thu, 31 Jul

9:29 a.m.

New subject: [JBoss JIRA] Updated: (RF-3586) URLs of resources are not predictable

[ https://jira.jboss.org/jira/browse/RF-3586?page=com.atlassian.jira.plugin... ] Svetlana mukhina updated RF-3586: --------------------------------- Component/s: docs updated

...

URLs of resources are not predictable ------------------------------------- Key: RF-3586 URL: https://jira.jboss.org/jira/browse/RF-3586 Project: RichFaces Issue Type: Bug Components: docs updated Affects Versions: 3.1.4, 3.1.5, 3.2.0 Reporter: Olivier Martin Assignee: Tsikhon Kuprevich Fix For: 3.2.2 The way RichFaces generates URLs for the scripts and styles is incompatible with security restrictions in a corporate world. When applications are deployed in production, the list of the URLs it uses has to be known : the Firewalls are configured with this "white-list" and a "black-list" forbidding URLs with ".." characters. For instance the following URL has several problems : a4j_3_1_5.GAcss/table.xcss/DATB/eAF7P..bLgAIQwM..faces * The prefix "a4j_3_1_5.GA" can be configured, but usually the projects don't bother to do it, thus this part is gonna change with each RichFaces release * The part "eAF7P..bLgAIQwM." is unpredictable, it depends on the value of the object SkinImpl.hashcode() ?!! * The part "eAF7P..bLgAIQwM." contains ".."' characters Overall we had to bypass the usual security restrictions to put an application in production, this is unacceptable.

Mikhail Vitenkov (JIRA)

Friday, 5 September Fri, 5 Sep

8:50 a.m.

New subject: [JBoss JIRA] Closed: (RF-3586) URLs of resources are not predictable

[ https://jira.jboss.org/jira/browse/RF-3586?page=com.atlassian.jira.plugin... ] Mikhail Vitenkov closed RF-3586. -------------------------------- Assignee: Mikhail Vitenkov (was: Tsikhon Kuprevich) Verified at 3.2.2.CR3

...

URLs of resources are not predictable ------------------------------------- Key: RF-3586 URL: https://jira.jboss.org/jira/browse/RF-3586 Project: RichFaces Issue Type: Bug Components: docs updated Affects Versions: 3.1.4, 3.1.5, 3.2.0 Reporter: Olivier Martin Assignee: Mikhail Vitenkov Fix For: 3.2.2 The way RichFaces generates URLs for the scripts and styles is incompatible with security restrictions in a corporate world. When applications are deployed in production, the list of the URLs it uses has to be known : the Firewalls are configured with this "white-list" and a "black-list" forbidding URLs with ".." characters. For instance the following URL has several problems : a4j_3_1_5.GAcss/table.xcss/DATB/eAF7P..bLgAIQwM..faces * The prefix "a4j_3_1_5.GA" can be configured, but usually the projects don't bother to do it, thus this part is gonna change with each RichFaces release * The part "eAF7P..bLgAIQwM." is unpredictable, it depends on the value of the object SkinImpl.hashcode() ?!! * The part "eAF7P..bLgAIQwM." contains ".."' characters Overall we had to bypass the usual security restrictions to put an application in production, this is unacceptable.

Olivier Martin (JIRA)

Monday, 17 November Mon, 17 Nov

8:15 a.m.

New subject: [JBoss JIRA] Reopened: (RF-3586) URLs of resources are not predictable

[ https://jira.jboss.org/jira/browse/RF-3586?page=com.atlassian.jira.plugin... ] Olivier Martin reopened RF-3586: -------------------------------- The proposed solution does not solve the issue, since the ! character is reserved by the W3C RFC on URIs : http://www.faqs.org/rfcs/rfc1630.html I'm going to be more precise about this issue, since a lot of our projects are being denied to go into production by the security department because of the URIs auto-generated by RichFaces. (in fact the original fix still does not solve the main issue here : the URLs are *NOT* predictible). Before going into the details I would like to insist on the fact that many people are going to face the same issue here when developing in a corporate environment, there are rules and generating the URLs dynamically like this should be avoided. We will probably end up extracting and including the ressources by hand, which will allow us to control how they are cached anyway. -> The white list pattern is something I've seen a lot : everything is forbidden unless explicitely specified ! --- The details --- URIs must comply to those RFC : http://www.faqs.org/rfcs/rfc1630.html http://www.faqs.org/rfcs/rfc1738.html http://www.faqs.org/rfcs/rfc1808.html http://www.faqs.org/rfcs/rfc2396.html http://www.faqs.org/rfcs/rfc3986.html More client specific rules : - For directories, allowed characters are : 'a-z', 'A-Z', '0-9', '%', '_', '-' - For file names, allowed are : 'a-z', 'A-Z', '0-9', '%', '_', '-', '.' (for extension), '=', '?' - No multiple '/' or '.' - No unicode - No path depth > 8 etc...

...

URLs of resources are not predictable ------------------------------------- Key: RF-3586 URL: https://jira.jboss.org/jira/browse/RF-3586 Project: RichFaces Issue Type: Bug Components: docs updated Affects Versions: 3.1.4, 3.1.5, 3.2.0 Reporter: Olivier Martin Assignee: Mikhail Vitenkov Fix For: 3.2.2 The way RichFaces generates URLs for the scripts and styles is incompatible with security restrictions in a corporate world. When applications are deployed in production, the list of the URLs it uses has to be known : the Firewalls are configured with this "white-list" and a "black-list" forbidding URLs with ".." characters. For instance the following URL has several problems : a4j_3_1_5.GAcss/table.xcss/DATB/eAF7P..bLgAIQwM..faces * The prefix "a4j_3_1_5.GA" can be configured, but usually the projects don't bother to do it, thus this part is gonna change with each RichFaces release * The part "eAF7P..bLgAIQwM." is unpredictable, it depends on the value of the object SkinImpl.hashcode() ?!! * The part "eAF7P..bLgAIQwM." contains ".."' characters Overall we had to bypass the usual security restrictions to put an application in production, this is unacceptable.

Olivier Martin (JIRA)

8:17 a.m.

New subject: [JBoss JIRA] Updated: (RF-3586) URLs of resources are not predictable

[ https://jira.jboss.org/jira/browse/RF-3586?page=com.atlassian.jira.plugin... ] Olivier Martin updated RF-3586: ------------------------------- Priority: Blocker (was: Major)

...

URLs of resources are not predictable ------------------------------------- Key: RF-3586 URL: https://jira.jboss.org/jira/browse/RF-3586 Project: RichFaces Issue Type: Bug Components: docs updated Affects Versions: 3.1.4, 3.1.5, 3.2.0 Reporter: Olivier Martin Assignee: Mikhail Vitenkov Priority: Blocker Fix For: 3.2.2 The way RichFaces generates URLs for the scripts and styles is incompatible with security restrictions in a corporate world. When applications are deployed in production, the list of the URLs it uses has to be known : the Firewalls are configured with this "white-list" and a "black-list" forbidding URLs with ".." characters. For instance the following URL has several problems : a4j_3_1_5.GAcss/table.xcss/DATB/eAF7P..bLgAIQwM..faces * The prefix "a4j_3_1_5.GA" can be configured, but usually the projects don't bother to do it, thus this part is gonna change with each RichFaces release * The part "eAF7P..bLgAIQwM." is unpredictable, it depends on the value of the object SkinImpl.hashcode() ?!! * The part "eAF7P..bLgAIQwM." contains ".."' characters Overall we had to bypass the usual security restrictions to put an application in production, this is unacceptable.

Nick Belaevski (JIRA)

Friday, 21 November Fri, 21 Nov

6:51 a.m.

New subject: [JBoss JIRA] Updated: (RF-3586) URLs of resources are not predictable

[ https://jira.jboss.org/jira/browse/RF-3586?page=com.atlassian.jira.plugin... ] Nick Belaevski updated RF-3586: ------------------------------- Fix Version/s: 3.3.0 (was: 3.2.2) Assignee: Nick Belaevski (was: Mikhail Vitenkov)

...

URLs of resources are not predictable ------------------------------------- Key: RF-3586 URL: https://jira.jboss.org/jira/browse/RF-3586 Project: RichFaces Issue Type: Bug Components: docs updated Affects Versions: 3.1.4, 3.1.5, 3.2.0 Reporter: Olivier Martin Assignee: Nick Belaevski Priority: Blocker Fix For: 3.3.0 The way RichFaces generates URLs for the scripts and styles is incompatible with security restrictions in a corporate world. When applications are deployed in production, the list of the URLs it uses has to be known : the Firewalls are configured with this "white-list" and a "black-list" forbidding URLs with ".." characters. For instance the following URL has several problems : a4j_3_1_5.GAcss/table.xcss/DATB/eAF7P..bLgAIQwM..faces * The prefix "a4j_3_1_5.GA" can be configured, but usually the projects don't bother to do it, thus this part is gonna change with each RichFaces release * The part "eAF7P..bLgAIQwM." is unpredictable, it depends on the value of the object SkinImpl.hashcode() ?!! * The part "eAF7P..bLgAIQwM." contains ".."' characters Overall we had to bypass the usual security restrictions to put an application in production, this is unacceptable.

Nick Belaevski (JIRA)

Sunday, 23 November Sun, 23 Nov

3:21 p.m.

New subject: [JBoss JIRA] Updated: (RF-3586) URLs of resources are not predictable

[ https://jira.jboss.org/jira/browse/RF-3586?page=com.atlassian.jira.plugin... ] Nick Belaevski updated RF-3586: ------------------------------- Original Estimate: 1 day, 4 hours Remaining Estimate: 1 day, 4 hours Component/s: planning_all Due Date: 30/Nov/08

...

URLs of resources are not predictable ------------------------------------- Key: RF-3586 URL: https://jira.jboss.org/jira/browse/RF-3586 Project: RichFaces Issue Type: Bug Components: docs updated, planning_all Affects Versions: 3.1.4, 3.1.5, 3.2.0 Reporter: Olivier Martin Assignee: Nick Belaevski Priority: Blocker Fix For: 3.3.0 Original Estimate: 1 day, 4 hours Remaining Estimate: 1 day, 4 hours The way RichFaces generates URLs for the scripts and styles is incompatible with security restrictions in a corporate world. When applications are deployed in production, the list of the URLs it uses has to be known : the Firewalls are configured with this "white-list" and a "black-list" forbidding URLs with ".." characters. For instance the following URL has several problems : a4j_3_1_5.GAcss/table.xcss/DATB/eAF7P..bLgAIQwM..faces * The prefix "a4j_3_1_5.GA" can be configured, but usually the projects don't bother to do it, thus this part is gonna change with each RichFaces release * The part "eAF7P..bLgAIQwM." is unpredictable, it depends on the value of the object SkinImpl.hashcode() ?!! * The part "eAF7P..bLgAIQwM." contains ".."' characters Overall we had to bypass the usual security restrictions to put an application in production, this is unacceptable.

Nick Belaevski (JIRA)

Wednesday, 26 November Wed, 26 Nov

1:16 p.m.

New subject: [JBoss JIRA] Work started: (RF-3586) URLs of resources are not predictable

[ https://jira.jboss.org/jira/browse/RF-3586?page=com.atlassian.jira.plugin... ] Work on RF-3586 started by Nick Belaevski.

...

URLs of resources are not predictable ------------------------------------- Key: RF-3586 URL: https://jira.jboss.org/jira/browse/RF-3586 Project: RichFaces Issue Type: Bug Components: docs updated, planning_all Affects Versions: 3.1.4, 3.1.5, 3.2.0 Reporter: Olivier Martin Assignee: Nick Belaevski Priority: Blocker Fix For: 3.3.0 Original Estimate: 1 day, 4 hours Remaining Estimate: 1 day, 4 hours The way RichFaces generates URLs for the scripts and styles is incompatible with security restrictions in a corporate world. When applications are deployed in production, the list of the URLs it uses has to be known : the Firewalls are configured with this "white-list" and a "black-list" forbidding URLs with ".." characters. For instance the following URL has several problems : a4j_3_1_5.GAcss/table.xcss/DATB/eAF7P..bLgAIQwM..faces * The prefix "a4j_3_1_5.GA" can be configured, but usually the projects don't bother to do it, thus this part is gonna change with each RichFaces release * The part "eAF7P..bLgAIQwM." is unpredictable, it depends on the value of the object SkinImpl.hashcode() ?!! * The part "eAF7P..bLgAIQwM." contains ".."' characters Overall we had to bypass the usual security restrictions to put an application in production, this is unacceptable.

Nick Belaevski (JIRA)

Friday, 28 November Fri, 28 Nov

1:19 p.m.

New subject: [JBoss JIRA] Work stopped: (RF-3586) URLs of resources are not predictable

[ https://jira.jboss.org/jira/browse/RF-3586?page=com.atlassian.jira.plugin... ] Work on RF-3586 stopped by Nick Belaevski.

...

URLs of resources are not predictable ------------------------------------- Key: RF-3586 URL: https://jira.jboss.org/jira/browse/RF-3586 Project: RichFaces Issue Type: Bug Components: docs updated, planning_all Affects Versions: 3.1.4, 3.1.5, 3.2.0 Reporter: Olivier Martin Assignee: Nick Belaevski Priority: Blocker Fix For: 3.3.0 Original Estimate: 1 day, 4 hours Remaining Estimate: 1 day, 4 hours The way RichFaces generates URLs for the scripts and styles is incompatible with security restrictions in a corporate world. When applications are deployed in production, the list of the URLs it uses has to be known : the Firewalls are configured with this "white-list" and a "black-list" forbidding URLs with ".." characters. For instance the following URL has several problems : a4j_3_1_5.GAcss/table.xcss/DATB/eAF7P..bLgAIQwM..faces * The prefix "a4j_3_1_5.GA" can be configured, but usually the projects don't bother to do it, thus this part is gonna change with each RichFaces release * The part "eAF7P..bLgAIQwM." is unpredictable, it depends on the value of the object SkinImpl.hashcode() ?!! * The part "eAF7P..bLgAIQwM." contains ".."' characters Overall we had to bypass the usual security restrictions to put an application in production, this is unacceptable.

Nick Belaevski (JIRA)

2:24 p.m.

New subject: [JBoss JIRA] Resolved: (RF-3586) URLs of resources are not predictable

[ https://jira.jboss.org/jira/browse/RF-3586?page=com.atlassian.jira.plugin... ] Nick Belaevski resolved RF-3586. -------------------------------- Resolution: Done Assignee: Tsikhon Kuprevich (was: Nick Belaevski) org.ajax4jsf.resource.cached.CachedResourceBuilder has been committed. Here is the excerpt from JavaDoc: This class is intended to generate predictable URIs for all resources handled by RichFaces. It creates mapping between resource key/data value and generated random string of known format for all resource requests. By default UUID.toString() is used. Mapping is maintained by LRU map having default capacity of 10000 so be aware that stale entries can be removed and application users will get errors then. How to use: add to application classpath META-INF/services/org.ajax4jsf.resource.InternetResourceBuilder file with the following content org.ajax4jsf.resource.cached.CachedResourceBuilder Limitations: 1. Doesn't work in clustered environments 2. All resource URIs become invalid after server restart that can cause cache issues 3. Diagnostic of resource loading errors becomes somewhat harder. Variant of code where random key is appended to resource name doesn't satisfy the requirement of no path depth > 8 as requested by users (see RF-3586 for more info)

...

URLs of resources are not predictable ------------------------------------- Key: RF-3586 URL: https://jira.jboss.org/jira/browse/RF-3586 Project: RichFaces Issue Type: Bug Components: docs updated, planning_all Affects Versions: 3.1.4, 3.1.5, 3.2.0 Reporter: Olivier Martin Assignee: Tsikhon Kuprevich Priority: Blocker Fix For: 3.3.0 Original Estimate: 1 day, 4 hours Remaining Estimate: 1 day, 4 hours The way RichFaces generates URLs for the scripts and styles is incompatible with security restrictions in a corporate world. When applications are deployed in production, the list of the URLs it uses has to be known : the Firewalls are configured with this "white-list" and a "black-list" forbidding URLs with ".." characters. For instance the following URL has several problems : a4j_3_1_5.GAcss/table.xcss/DATB/eAF7P..bLgAIQwM..faces * The prefix "a4j_3_1_5.GA" can be configured, but usually the projects don't bother to do it, thus this part is gonna change with each RichFaces release * The part "eAF7P..bLgAIQwM." is unpredictable, it depends on the value of the object SkinImpl.hashcode() ?!! * The part "eAF7P..bLgAIQwM." contains ".."' characters Overall we had to bypass the usual security restrictions to put an application in production, this is unacceptable.

Nick Belaevski (JIRA)

2:24 p.m.

New subject: [JBoss JIRA] Commented: (RF-3586) URLs of resources are not predictable

[ https://jira.jboss.org/jira/browse/RF-3586?page=com.atlassian.jira.plugin... ] Nick Belaevski commented on RF-3586: ------------------------------------ This class is intended to generate predictable URIs for all resources handled by RichFaces. It creates mapping between resource key/data value and generated random string of known format for all resource requests. By default UUID.toString() is used. Mapping is maintained by LRU map having default capacity of 10000 so be aware that stale entries can be removed and application users will get errors then. How to use: add to application classpath META-INF/services/org.ajax4jsf.resource.InternetResourceBuilder file with the following content org.ajax4jsf.resource.cached.CachedResourceBuilder Limitations: 1. Doesn't work in clustered environments 2. All resource URIs become invalid after server restart that can cause cache issues 3. Diagnostic of resource loading errors becomes somewhat harder. Variant of code where random key is appended to resource name doesn't satisfy the requirement of no path depth > 8 as requested by users (see RF-3586 for more info)

...

URLs of resources are not predictable ------------------------------------- Key: RF-3586 URL: https://jira.jboss.org/jira/browse/RF-3586 Project: RichFaces Issue Type: Bug Components: docs updated, planning_all Affects Versions: 3.1.4, 3.1.5, 3.2.0 Reporter: Olivier Martin Assignee: Tsikhon Kuprevich Priority: Blocker Fix For: 3.3.0 Original Estimate: 1 day, 4 hours Remaining Estimate: 1 day, 4 hours The way RichFaces generates URLs for the scripts and styles is incompatible with security restrictions in a corporate world. When applications are deployed in production, the list of the URLs it uses has to be known : the Firewalls are configured with this "white-list" and a "black-list" forbidding URLs with ".." characters. For instance the following URL has several problems : a4j_3_1_5.GAcss/table.xcss/DATB/eAF7P..bLgAIQwM..faces * The prefix "a4j_3_1_5.GA" can be configured, but usually the projects don't bother to do it, thus this part is gonna change with each RichFaces release * The part "eAF7P..bLgAIQwM." is unpredictable, it depends on the value of the object SkinImpl.hashcode() ?!! * The part "eAF7P..bLgAIQwM." contains ".."' characters Overall we had to bypass the usual security restrictions to put an application in production, this is unacceptable.

Olivier Martin (JIRA)

Tuesday, 2 December Tue, 2 Dec

10:34 a.m.

New subject: [JBoss JIRA] Commented: (RF-3586) URLs of resources are not predictable

[ https://jira.jboss.org/jira/browse/RF-3586?page=com.atlassian.jira.plugin... ] Olivier Martin commented on RF-3586: ------------------------------------

...

1. Doesn't work in clustered environments

Does that mean we won't be able to use RichFaces in a clustered environment ? What type of cluster ? - affinity based - session reclication based

...

URLs of resources are not predictable ------------------------------------- Key: RF-3586 URL: https://jira.jboss.org/jira/browse/RF-3586 Project: RichFaces Issue Type: Bug Components: docs updated, planning_all Affects Versions: 3.1.4, 3.1.5, 3.2.0 Reporter: Olivier Martin Assignee: Tsikhon Kuprevich Priority: Blocker Fix For: 3.3.0 Original Estimate: 1 day, 4 hours Remaining Estimate: 1 day, 4 hours The way RichFaces generates URLs for the scripts and styles is incompatible with security restrictions in a corporate world. When applications are deployed in production, the list of the URLs it uses has to be known : the Firewalls are configured with this "white-list" and a "black-list" forbidding URLs with ".." characters. For instance the following URL has several problems : a4j_3_1_5.GAcss/table.xcss/DATB/eAF7P..bLgAIQwM..faces * The prefix "a4j_3_1_5.GA" can be configured, but usually the projects don't bother to do it, thus this part is gonna change with each RichFaces release * The part "eAF7P..bLgAIQwM." is unpredictable, it depends on the value of the object SkinImpl.hashcode() ?!! * The part "eAF7P..bLgAIQwM." contains ".."' characters Overall we had to bypass the usual security restrictions to put an application in production, this is unacceptable.

Nick Belaevski (JIRA)

Monday, 8 December Mon, 8 Dec

11:48 a.m.

New subject: [JBoss JIRA] Commented: (RF-3586) URLs of resources are not predictable

[ https://jira.jboss.org/jira/browse/RF-3586?page=com.atlassian.jira.plugin... ] Nick Belaevski commented on RF-3586: ------------------------------------ This solution will work for session-aware clusters, i.e. for configurations when all requests from particular client are handled by particular cluster node.

...

URLs of resources are not predictable ------------------------------------- Key: RF-3586 URL: https://jira.jboss.org/jira/browse/RF-3586 Project: RichFaces Issue Type: Bug Components: docs updated, planning_all Affects Versions: 3.1.4, 3.1.5, 3.2.0 Reporter: Olivier Martin Assignee: Tsikhon Kuprevich Priority: Blocker Fix For: 3.3.0 Original Estimate: 1 day, 4 hours Remaining Estimate: 1 day, 4 hours The way RichFaces generates URLs for the scripts and styles is incompatible with security restrictions in a corporate world. When applications are deployed in production, the list of the URLs it uses has to be known : the Firewalls are configured with this "white-list" and a "black-list" forbidding URLs with ".." characters. For instance the following URL has several problems : a4j_3_1_5.GAcss/table.xcss/DATB/eAF7P..bLgAIQwM..faces * The prefix "a4j_3_1_5.GA" can be configured, but usually the projects don't bother to do it, thus this part is gonna change with each RichFaces release * The part "eAF7P..bLgAIQwM." is unpredictable, it depends on the value of the object SkinImpl.hashcode() ?!! * The part "eAF7P..bLgAIQwM." contains ".."' characters Overall we had to bypass the usual security restrictions to put an application in production, this is unacceptable.

Tsikhon Kuprevich (JIRA)

Friday, 9 January Fri, 9 Jan

8:47 a.m.

New subject: [JBoss JIRA] Closed: (RF-3586) URLs of resources are not predictable

[ https://jira.jboss.org/jira/browse/RF-3586?page=com.atlassian.jira.plugin... ] Tsikhon Kuprevich closed RF-3586. ---------------------------------

...

URLs of resources are not predictable ------------------------------------- Key: RF-3586 URL: https://jira.jboss.org/jira/browse/RF-3586 Project: RichFaces Issue Type: Bug Components: docs updated, planning_all Affects Versions: 3.1.4, 3.1.5, 3.2.0 Reporter: Olivier Martin Assignee: Tsikhon Kuprevich Priority: Blocker Fix For: 3.3.0 Original Estimate: 1 day, 4 hours Remaining Estimate: 1 day, 4 hours The way RichFaces generates URLs for the scripts and styles is incompatible with security restrictions in a corporate world. When applications are deployed in production, the list of the URLs it uses has to be known : the Firewalls are configured with this "white-list" and a "black-list" forbidding URLs with ".." characters. For instance the following URL has several problems : a4j_3_1_5.GAcss/table.xcss/DATB/eAF7P..bLgAIQwM..faces * The prefix "a4j_3_1_5.GA" can be configured, but usually the projects don't bother to do it, thus this part is gonna change with each RichFaces release * The part "eAF7P..bLgAIQwM." is unpredictable, it depends on the value of the object SkinImpl.hashcode() ?!! * The part "eAF7P..bLgAIQwM." contains ".."' characters Overall we had to bypass the usual security restrictions to put an application in production, this is unacceptable.

5807

days inactive

6032

days old

richfaces-issues@lists.jboss.org

Manage subscription

18 comments

5 participants

tags (0)

participants (5)

Mikhail Vitenkov (JIRA)
Nick Belaevski (JIRA)
Olivier Martin (JIRA)
Svetlana mukhina (JIRA)
Tsikhon Kuprevich (JIRA)

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

[JBoss JIRA] Created: (RF-3586) URLs of resources are not predictable