[richfaces-issues] [JBoss JIRA] Created: (RF-4043) Richfaces doesn't encodeURL links to most a4j_3_2_1-SNAPSHOT resources

Stephen Kinser (JIRA) jira-events at lists.jboss.org
Mon Jul 28 19:28:52 EDT 2008


Richfaces doesn't encodeURL links to most a4j_3_2_1-SNAPSHOT resources
----------------------------------------------------------------------

                 Key: RF-4043
                 URL: https://jira.jboss.org/jira/browse/RF-4043
             Project: RichFaces
          Issue Type: Bug
    Affects Versions: 3.2.1
         Environment: SUSE Linux 10.2
                      Firefox 3.0.1

            Reporter: Stephen Kinser


Here's an http session as reported by livehttpheaders:

GET /console2/
GET /console2/j_security_check;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724?j_password=AAAACGtpbnNlcnNoAAAACTEyNy4wLjAuMQAAABTJXEus6ptOSJJLMmzTVnlXbf46nw%3D%3D&j_username=kinsersh
GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/style.css;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.PrototypeScript.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTscripts/scriptaculous/effects.js.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/script/processEffect.js.xhtml
GET /console2/images/mozilla_blu.gif;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/images/fatal.png;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/images/logolarge.gif;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724

See that jsessionid is not included for links to /a4j_3_2_1-SNAPSHOT* content, except for .xcss content. The end result is that session tracking doesn't work for these resources, which isn't much of a concern unless a blanket security constraint for *.xhtml is in place and cookie tracking is disabled. The workaround is for me to explicitly secure JSF pages and leave /a4j_3_2_1-SNAPSHOT* content public.

Here's content in the <head> section of my project's index.xhtml page:

  <link rel='stylesheet' class='component' type='text/css' href='a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' />
  <link rel='stylesheet' class='component' type='text/css' href='a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' />
  <link rel='stylesheet' class='user' type='text/css' href='style.css;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' />
  <script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript.xhtml'></script>
  <script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js.xhtml'></script>
  <script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.PrototypeScript.xhtml'></script>
  <script type='text/javascript' src='a4j_3_2_1-SNAPSHOTscripts/scriptaculous/effects.js.xhtml'></script>

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
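
An added example, not part of the original report and not RichFaces code: a small Python check that parses rendered markup like the <head> section quoted in the report and lists the same-application resource URLs that lack the ;jsessionid path parameter while others on the page carry it. The sample markup is constructed from the report with a placeholder session id and one made-up external URL; all function and class names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the report's <head> markup (placeholder session id).
SAMPLE_HEAD = """
<link rel='stylesheet' type='text/css' href='a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=PLACEHOLDER' />
<link rel='stylesheet' type='text/css' href='style.css;jsessionid=PLACEHOLDER' />
<script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript.xhtml'></script>
<script type='text/javascript' src='a4j_3_2_1-SNAPSHOTscripts/scriptaculous/effects.js.xhtml'></script>
<script type='text/javascript' src='http://cdn.example.invalid/lib.js'></script>
"""

class ResourceCollector(HTMLParser):
    """Collects href/src values from <link>, <script> and <img> tags."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        # Also called for self-closing tags such as <link ... />.
        if tag in ("link", "script", "img"):
            for name, value in attrs:
                if name in ("href", "src") and value:
                    self.urls.append(value)

def has_session_param(url):
    """True if the URL path (not the query string) carries ;jsessionid=."""
    path = urlsplit(url).path
    return any(p.lower().startswith("jsessionid=") for p in path.split(";")[1:])

def audit(html):
    """Return (rewritten, missing) lists of relative resource URLs."""
    collector = ResourceCollector()
    collector.feed(html)
    rewritten, missing = [], []
    for url in collector.urls:
        if urlsplit(url).netloc:  # absolute URL with a host: outside this check
            continue
        (rewritten if has_session_param(url) else missing).append(url)
    return rewritten, missing

if __name__ == "__main__":
    rewritten, missing = audit(SAMPLE_HEAD)
    # Only meaningful when the page was rendered with URL rewriting active,
    # i.e. at least one link on the page carries the parameter.
    if rewritten:
        for url in missing:
            print("no jsessionid:", url)
```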

        


