[richfaces-issues] [JBoss JIRA] Updated: (RF-4043) Richfaces doesn't encodeURL links to most a4j_3_2_1-SNAPSHOT resources

Nick Belaevski (JIRA) jira-events at lists.jboss.org
Tue Jul 29 07:23:53 EDT 2008


     [ https://jira.jboss.org/jira/browse/RF-4043?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nick Belaevski updated RF-4043:
-------------------------------

    Fix Version/s: 3.2.2
         Assignee: Nick Belaevski


> Richfaces doesn't encodeURL links to most a4j_3_2_1-SNAPSHOT resources
> ----------------------------------------------------------------------
>
>                 Key: RF-4043
>                 URL: https://jira.jboss.org/jira/browse/RF-4043
>             Project: RichFaces
>          Issue Type: Bug
>    Affects Versions: 3.2.1
>         Environment: SUSE Linux 10.2
> Firefox 3.0.1
>            Reporter: Stephen Kinser
>            Assignee: Nick Belaevski
>             Fix For: 3.2.2
>
>
> Here's an http session as reported by livehttpheaders:
> GET /console2/
> GET /console2/j_security_check;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724?j_password=AAAACGtpbnNlcnNoAAAACTEyNy4wLjAuMQAAABTJXEus6ptOSJJLMmzTVnlXbf46nw%3D%3D&j_username=kinsersh
> GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
> GET /console2/style.css;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
> GET /console2/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript.xhtml
> GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
> GET /console2/a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js.xhtml
> GET /console2/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.PrototypeScript.xhtml
> GET /console2/a4j_3_2_1-SNAPSHOTscripts/scriptaculous/effects.js.xhtml
> GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/script/processEffect.js.xhtml
> GET /console2/images/mozilla_blu.gif;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
> GET /console2/images/fatal.png;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
> GET /console2/images/logolarge.gif;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
> See that jsessionid is not included for links to /a4j_3_2_1-SNAPSHOT* content, except for .xcss content. The end result is that session tracking using URLs is disabled for these resources. This is a concern when a blanket security constraint for *.xhtml is in place and cookie session tracking is disabled. In this case these requests are never fulfilled because the container is not able to associate these requests with an already authenticated session. The workaround is for me to explicitly secure my JSF pages and leave /a4j_3_2_1-SNAPSHOT* content public. This is a fairly good workaround, but I still expect RichFaces to encodeURL all of its links.
> Here's content in the <head> section of my project's index.xhtml page (from Firefox's View Source):
>   <link rel='stylesheet' class='component' type='text/css' href='a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' />
>   <link rel='stylesheet' class='component' type='text/css' href='a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' />
>   <link rel='stylesheet' class='user' type='text/css' href='style.css;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' />
>   <script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript.xhtml'></script>
>   <script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js.xhtml'></script>
>   <script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.PrototypeScript.xhtml'></script>
>   <script type='text/javascript' src='a4j_3_2_1-SNAPSHOTscripts/scriptaculous/effects.js.xhtml'></script>

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
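
The check the reporter did by eye over the livehttpheaders trace can be scripted. The following is an added example, not code from the report or from RichFaces: it lists the requests that fall under the `*.xhtml` security constraint but carry no `;jsessionid=` path parameter, which are the ones the container cannot tie to the authenticated session when cookie tracking is off. The function names are hypothetical, and glob matching on the path is an assumed stand-in for the container's `*.xhtml` extension mapping.

```python
from fnmatch import fnmatchcase

# Request lines copied from the livehttpheaders trace in the report above
# (a subset; the j_security_check login request is omitted).
TRACE = """\
GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/style.css;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
GET /console2/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript.xhtml
GET /console2/a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js.xhtml
GET /console2/images/fatal.png;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
"""


def split_session(target):
    """Split a request target into (path, jsessionid or None).

    Assumes the session id is a path parameter appended after the path,
    as in the trace: /path;jsessionid=ID?query
    """
    path = target.split("?", 1)[0]          # drop the query string
    path, _, params = path.partition(";")   # path parameters follow ';'
    for param in params.split(";"):
        name, _, value = param.partition("=")
        if name.lower() == "jsessionid" and value:
            return path, value
    return path, None


def classify(trace, constraint="*.xhtml"):
    """Return (path, secured, has_session) for each GET line in the trace."""
    rows = []
    for line in trace.splitlines():
        method, _, target = line.strip().partition(" ")
        if method != "GET" or not target:
            continue
        path, sid = split_session(target)
        rows.append((path, fnmatchcase(path, constraint), sid is not None))
    return rows


def unauthenticated(trace, constraint="*.xhtml"):
    """Paths covered by the constraint that were requested without a session id."""
    return [path for path, secured, has_sid in classify(trace, constraint)
            if secured and not has_sid]


if __name__ == "__main__":
    for path in unauthenticated(TRACE):
        print("no jsessionid on secured resource:", path)
```
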

        


