[richfaces-issues] [JBoss JIRA] Updated: (RF-4043) Richfaces doesn't encodeURL links to most a4j_3_2_1-SNAPSHOT resources

Stephen Kinser (JIRA) jira-events at lists.jboss.org
Mon Jul 28 19:32:52 EDT 2008


     [ https://jira.jboss.org/jira/browse/RF-4043?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stephen Kinser updated RF-4043:
-------------------------------

    Description: 
Here's an http session as reported by livehttpheaders:

GET /console2/
GET /console2/j_security_check;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724?j_password=AAAACGtpbnNlcnNoAAAACTEyNy4wLjAuMQAAABTJXEus6ptOSJJLMmzTVnlXbf46nw%3D%3D&j_username=kinsersh
GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/style.css;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.PrototypeScript.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTscripts/scriptaculous/effects.js.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/script/processEffect.js.xhtml
GET /console2/images/mozilla_blu.gif;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/images/fatal.png;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/images/logolarge.gif;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724

See that jsessionid is not included for links to /a4j_3_2_1-SNAPSHOT* content, except for .xcss content. The end result is that session tracking using urls is disabled for these resources. This is a concern when a blanket security constraint for *.xhtml is in place and cookie session tracking is disabled. In this case these requests are never fulfilled because the container is not able to associate these requests with an already authenticated session. The workaround is for me to explicitly secure my JSF pages and leave /a4j_3_2_1-SNAPSHOT* content public. This is a fairly good workaround, but I still expect richfaces to encodeURL all of its links.

Here's content in the <head> section of my project's index.xhtml page (from firefox's View Source):

  <link rel='stylesheet' class='component' type='text/css' href='a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' /><link rel='stylesheet' class='component' type='text/css' href='a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' /><link rel='stylesheet' class='user' type='text/css' href='style.css;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' /><script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript.xhtml'></script><script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js.xhtml'></script><script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.PrototypeScript.xhtml'></script><script type='text/javascript' src='a4j_3_2_1-SNAPSHOTscripts/scriptaculous/effects.js.xhtml'></script>

  was:
Here's an http session as reported by livehttpheaders:

GET /console2/
GET /console2/j_security_check;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724?j_password=AAAACGtpbnNlcnNoAAAACTEyNy4wLjAuMQAAABTJXEus6ptOSJJLMmzTVnlXbf46nw%3D%3D&j_username=kinsersh
GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/style.css;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.PrototypeScript.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTscripts/scriptaculous/effects.js.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/script/processEffect.js.xhtml
GET /console2/images/mozilla_blu.gif;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/images/fatal.png;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/images/logolarge.gif;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724

See that jsessionid is not included for links to /a4j_3_2_1-SNAPSHOT* content, except for .xcss content. The end result is that session tracking doesn't work for these resources, which isn't much of a concern unless a blanket security constraint for *.xhtml is in place and cookie tracking is disabled. The workaround is for me to explicitly secure JSF pages and leave /a4j_3_2_1-SNAPSHOT* content public.

Here's content in the <head> section of my project's index.xhtml page:

  <link rel='stylesheet' class='component' type='text/css' href='a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' /><link rel='stylesheet' class='component' type='text/css' href='a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' /><link rel='stylesheet' class='user' type='text/css' href='style.css;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' /><script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript.xhtml'></script><script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js.xhtml'></script><script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.PrototypeScript.xhtml'></script><script type='text/javascript' src='a4j_3_2_1-SNAPSHOTscripts/scriptaculous/effects.js.xhtml'></script>



> Richfaces doesn't encodeURL links to most a4j_3_2_1-SNAPSHOT resources
> ----------------------------------------------------------------------
>
>                 Key: RF-4043
>                 URL: https://jira.jboss.org/jira/browse/RF-4043
>             Project: RichFaces
>          Issue Type: Bug
>    Affects Versions: 3.2.1
>         Environment: SUSE Linux 10.2
> Firefox 3.0.1
>            Reporter: Stephen Kinser
>
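Added illustration, not part of the issue or of RichFaces code: a small Python audit that models what a cookie-less container does with the trace above, flagging requests that match the blanket *.xhtml constraint but carry no ;jsessionid= path parameter, and an encodeURL-style rewrite of the kind the reporter expects for those links. The request lines are copied from the report; PROTECTED, the helper names and the "session tracked only via the URL" assumption are mine.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed trace: request lines copied from the report's livehttpheaders output.
TRACE = """\
GET /console2/
GET /console2/style.css;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTscripts/scriptaculous/effects.js.xhtml
GET /console2/images/fatal.png;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
"""
PROTECTED = ("*.xhtml",)  # the blanket <security-constraint> url-pattern from the report
SESSION_PARAM = re.compile(r";jsessionid=([^;/?#]+)", re.I)

def split_request(line):
    """'GET /p;jsessionid=ID?q' -> (path with ;params stripped, session id or None)."""
    # Without a cookie the container reads jsessionid from the path parameter,
    # then strips all ;params before matching the path against url-patterns.
    path = urlsplit(line.split(" ", 1)[1]).path  # query and fragment dropped
    m = SESSION_PARAM.search(path)
    return re.sub(r";[^/]*", "", path), (m.group(1) if m else None)

def matches(pattern, path):
    """Servlet url-pattern match: '*.ext' extension, '/prefix/*', or exact."""
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern

def audit(trace):
    """Map each requested path to how a cookie-less container would treat it."""
    report = {}
    for line in trace.splitlines():
        path, sid = split_request(line)
        if not any(matches(p, path) for p in PROTECTED):
            report[path] = "public"
        elif sid:
            report[path] = "protected, session via url"
        else:  # the resources RichFaces emitted without encodeURL end up here
            report[path] = "protected, no session id: REJECTED without cookies"
    return report

def encode_url(url, session_id):
    """encodeURL-style rewrite: add ;jsessionid=ID to the path, before ?query, if absent."""
    parts = urlsplit(url)
    if SESSION_PARAM.search(parts.path):
        return url
    return urlunsplit(parts._replace(path=parts.path + ";jsessionid=" + session_id))
```

Running audit(TRACE) reproduces the report: the .xcss stylesheet and the non-.xhtml images pass, while the AjaxScript, PrototypeScript-style and scriptaculous .xhtml resources are the ones the container cannot tie to the authenticated session.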

-- 
This message is automatically generated by JIRA.