[richfaces-issues] [JBoss JIRA] Created: (RF-4043) Richfaces doesn't encodeURL links to most a4j_3_2_1-SNAPSHOT resources
Stephen Kinser (JIRA)
jira-events at lists.jboss.org
Mon Jul 28 19:28:52 EDT 2008
Richfaces doesn't encodeURL links to most a4j_3_2_1-SNAPSHOT resources
----------------------------------------------------------------------
Key: RF-4043
URL: https://jira.jboss.org/jira/browse/RF-4043
Project: RichFaces
Issue Type: Bug
Affects Versions: 3.2.1
Environment: SUSE Linux 10.2
Firefox 3.0.1
Reporter: Stephen Kinser
Here's an http session as reported by livehttpheaders:
GET /console2/
GET /console2/j_security_check;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724?j_password=AAAACGtpbnNlcnNoAAAACTEyNy4wLjAuMQAAABTJXEus6ptOSJJLMmzTVnlXbf46nw%3D%3D&j_username=kinsersh
GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/style.css;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.PrototypeScript.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTscripts/scriptaculous/effects.js.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/script/processEffect.js.xhtml
GET /console2/images/mozilla_blu.gif;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/images/fatal.png;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/images/logolarge.gif;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
See that jsessionid is not included for links to /a4j_3_2_1-SNAPSHOT* content, except for .xcss content. The end result is that session tracking doesn't work for these resources, which isn't much of a concern unless a blanket security constraint for *.xhtml is in place and cookie tracking is disabled. The workaround is for me to explicitly secure JSF pages and leave /a4j_3_2_1-SNAPSHOT* content public.
Here's content in the <head> section of my project's index.xhtml page:
<link rel='stylesheet' class='component' type='text/css' href='a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' />
<link rel='stylesheet' class='component' type='text/css' href='a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' />
<link rel='stylesheet' class='user' type='text/css' href='style.css;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' />
<script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript.xhtml'></script>
<script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js.xhtml'></script>
<script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.PrototypeScript.xhtml'></script>
<script type='text/javascript' src='a4j_3_2_1-SNAPSHOTscripts/scriptaculous/effects.js.xhtml'></script>
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
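
A check for the symptom described in the report above, added here as an example (not code from the reporter or from RichFaces): it parses rendered markup and lists relative link/script/img URLs that carry no ;jsessionid path parameter. The sample markup is constructed from the head section quoted in the report, and the session id in it is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the <head> quoted in the report.
# SID is a placeholder, not a value from the report.
SID = "0123456789ABCDEF0123456789ABCDEF"
SAMPLE_HEAD = f"""
<link rel='stylesheet' type='text/css' href='a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid={SID}' />
<link rel='stylesheet' type='text/css' href='style.css;jsessionid={SID}' />
<script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript.xhtml'></script>
<script type='text/javascript' src='a4j_3_2_1-SNAPSHOTscripts/scriptaculous/effects.js.xhtml'></script>
"""


class ResourceCollector(HTMLParser):
    """Collect URLs from href/src attributes of link, script and img tags."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in ("link", "script", "img"):
            for name, value in attrs:
                if name in ("href", "src") and value:
                    self.urls.append(value)


def has_session_id(url):
    """True if the URL path carries a non-empty ;jsessionid=... path parameter."""
    params = urlsplit(url).path.split(";")[1:]
    prefix = "jsessionid="
    return any(p.lower().startswith(prefix) and len(p) > len(prefix) for p in params)


def unencoded_resources(html):
    """Return relative resource URLs that were rendered without a session id."""
    collector = ResourceCollector()
    collector.feed(html)
    missing = []
    for url in collector.urls:
        parts = urlsplit(url)
        if parts.scheme or parts.netloc:
            continue  # absolute URL: out of scope for this check
        if not has_session_id(url):
            missing.append(url)
    return missing


if __name__ == "__main__":
    for url in unencoded_resources(SAMPLE_HEAD):
        print("no jsessionid:", url)
```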