[richfaces-issues] [JBoss JIRA] Resolved: (RF-4043) Richfaces doesn't encodeURL links to most a4j_3_2_1-SNAPSHOT resources

Nick Belaevski (JIRA) jira-events at lists.jboss.org
Thu Jul 31 10:21:26 EDT 2008


     [ https://jira.jboss.org/jira/browse/RF-4043?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nick Belaevski resolved RF-4043.
--------------------------------

    Resolution: Won't Fix
      Assignee: Tsikhon Kuprevich  (was: Nick Belaevski)


Use new context parameters to separate session-aware and non-session-aware resources.

> Richfaces doesn't encodeURL links to most a4j_3_2_1-SNAPSHOT resources
> ----------------------------------------------------------------------
>
>                 Key: RF-4043
>                 URL: https://jira.jboss.org/jira/browse/RF-4043
>             Project: RichFaces
>          Issue Type: Bug
>    Affects Versions: 3.2.1
>         Environment: SUSE Linux 10.2
> Firefox 3.0.1
>            Reporter: Stephen Kinser
>            Assignee: Tsikhon Kuprevich
>             Fix For: 3.2.2
>
>
> Here's an http session as reported by livehttpheaders:
> GET /console2/
> GET /console2/j_security_check;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724?j_password=AAAACGtpbnNlcnNoAAAACTEyNy4wLjAuMQAAABTJXEus6ptOSJJLMmzTVnlXbf46nw%3D%3D&j_username=kinsersh
> GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
> GET /console2/style.css;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
> GET /console2/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript.xhtml
> GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
> GET /console2/a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js.xhtml
> GET /console2/a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.PrototypeScript.xhtml
> GET /console2/a4j_3_2_1-SNAPSHOTscripts/scriptaculous/effects.js.xhtml
> GET /console2/a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/script/processEffect.js.xhtml
> GET /console2/images/mozilla_blu.gif;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
> GET /console2/images/fatal.png;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
> GET /console2/images/logolarge.gif;jsessionid=D33E4B323AA5C5B7FAED5688E23FF724
> See that jsessionid is not included for links to /a4j_3_2_1-SNAPSHOT* content, except for .xcss content. The end result is that session tracking using urls is disabled for these resources. This is a concern when a blanket security constraint for *.xhtml is in place and cookie session tracking is disabled. In this case these requests are never fulfilled because the container is not able to associate these requests with an already authenticated session. The workaround is for me to explicitly secure my JSF pages and leave /a4j_3_2_1-SNAPSHOT* content public. This is a fairly good workaround, but I still expect richfaces to encodeURL all of its links.
> Here's content in the <head> section of my project's index.xhtml page (from firefox's View Source):
>   <link rel='stylesheet' class='component' type='text/css' href='a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' />
>   <link rel='stylesheet' class='component' type='text/css' href='a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/extended_classes.xcss/DATB/eAG7XfWmJXT5DGkAFuYEdQ__.xhtml;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' />
>   <link rel='stylesheet' class='user' type='text/css' href='style.css;jsessionid=1F6058B576CD88CC89E0BAE59BF70B2E' />
>   <script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript.xhtml'></script>
>   <script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js.xhtml'></script>
>   <script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.PrototypeScript.xhtml'></script>
>   <script type='text/javascript' src='a4j_3_2_1-SNAPSHOTscripts/scriptaculous/effects.js.xhtml'></script>

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
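
The check the reporter did by eye on the rendered <head>, as an added example (not RichFaces code and not part of the original message): it lists resource URLs that fall under a protected pattern such as *.xhtml yet carry no ;jsessionid path parameter, which are the requests a container cannot tie to the authenticated session when cookie tracking is off. The sample markup, the shortened session id and all function names are constructed, and the glob match is an approximation of servlet extension mapping.

```python
from fnmatch import fnmatchcase
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the <head> in the report (session id shortened).
SAMPLE_HEAD = """
<link rel='stylesheet' href='a4j_3_2_1-SNAPSHOTorg/richfaces/renderkit/html/css/basic_classes.xcss/DATB/x.xhtml;jsessionid=ABC123' />
<link rel='stylesheet' href='style.css;jsessionid=ABC123' />
<script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg.ajax4jsf.javascript.AjaxScript.xhtml'></script>
<script type='text/javascript' src='a4j_3_2_1-SNAPSHOTorg/ajax4jsf/javascript/scripts/form.js.xhtml'></script>
<img src='images/fatal.png' />
"""

class ResourceCollector(HTMLParser):
    """Collect href/src values from link, script and img tags."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in ("link", "script", "img"):
            for name, value in attrs:
                if name in ("href", "src") and value:
                    self.urls.append(value)

def split_session(url):
    """Return (path without path parameters, True if ;jsessionid= is present)."""
    path = urlsplit(url).path
    base, _, params = path.partition(";")
    has_id = any(p.lower().startswith("jsessionid=") for p in params.split(";"))
    return base, has_id

def unencoded_protected(html, protected_patterns=("*.xhtml",)):
    """URLs that match a protected pattern but carry no jsessionid."""
    collector = ResourceCollector()
    collector.feed(html)
    missing = []
    for url in collector.urls:
        base, has_id = split_session(url)
        # Path parameters are stripped before matching, as a container would do.
        if not has_id and any(fnmatchcase(base, pat) for pat in protected_patterns):
            missing.append(url)
    return missing

if __name__ == "__main__":
    for url in unencoded_protected(SAMPLE_HEAD):
        print("no jsessionid on protected resource:", url)
```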

        


