[richfaces-issues] [JBoss JIRA] Commented: (RF-3586) URLs of resources are not predictable

Nick Belaevski (JIRA) jira-events at lists.jboss.org
Fri Nov 28 15:24:38 EST 2008


    [ https://jira.jboss.org/jira/browse/RF-3586?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12440449#action_12440449 ] 

Nick Belaevski commented on RF-3586:
------------------------------------

This class is intended to generate predictable URIs for all resources handled by RichFaces. It creates a mapping between the resource key/data value and a generated random string of known format for all resource requests. By default UUID.toString() is used. The mapping is maintained by an LRU map with a default capacity of 10000, so be aware that stale entries can be removed and application users will get errors then.

How to use: add to the application classpath a META-INF/services/org.ajax4jsf.resource.InternetResourceBuilder file with the following content: org.ajax4jsf.resource.cached.CachedResourceBuilder

Limitations:

1. Doesn't work in clustered environments
2. All resource URIs become invalid after a server restart, which can cause cache issues
3. Diagnosis of resource loading errors becomes somewhat harder. The variant of the code where the random key is appended to the resource name doesn't satisfy the requirement of no path depth > 8 requested by users (see RF-3586 for more info)

> URLs of resources are not predictable
> -------------------------------------
>
>                 Key: RF-3586
>                 URL: https://jira.jboss.org/jira/browse/RF-3586
>             Project: RichFaces
>          Issue Type: Bug
>          Components: docs updated, planning_all
>    Affects Versions: 3.1.4, 3.1.5, 3.2.0
>            Reporter: Olivier Martin
>            Assignee: Tsikhon Kuprevich
>            Priority: Blocker
>             Fix For: 3.3.0
>
>   Original Estimate: 1 day, 4 hours
>  Remaining Estimate: 1 day, 4 hours
>
> The way RichFaces generates URLs for the scripts and styles is incompatible with security restrictions in a corporate world.
> When applications are deployed in production, the list of the URLs it uses has to be known: the firewalls are configured with this "white-list" and a "black-list" forbidding URLs with ".." characters.
> For instance the following URL has several problems:
> a4j_3_1_5.GAcss/table.xcss/DATB/eAF7P..bLgAIQwM..faces
> * The prefix "a4j_3_1_5.GA" can be configured, but usually the projects don't bother to do it, thus this part is gonna change with each RichFaces release
> * The part "eAF7P..bLgAIQwM." is unpredictable, it depends on the value of the object SkinImpl.hashcode()  ?!!
> * The part "eAF7P..bLgAIQwM." contains ".." characters
> Overall we had to bypass the usual security restrictions to put an application in production, this is unacceptable.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
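The scheme the comment describes, as an added example that is not RichFaces' CachedResourceBuilder: an LRU-bounded map from resource key to an opaque UUID token, run with a tiny capacity so that the eviction and restart limitations listed above actually show up. The prefix, capacity and resource keys are assumptions chosen for the demonstration.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.UUID;

/**
 * Added example, not RichFaces code: an LRU-bounded map from resource key to an
 * opaque UUID token, including the failure mode that a token evicted from the map
 * (or lost on restart) can no longer be resolved and the request fails.
 */
public class OpaqueResourceMapper {
    /** Hypothetical fixed prefix: every URI then has the same, firewall-friendly path depth. */
    static final String PREFIX = "/a4j/res/";

    private final int capacity;
    /** resource key -> token, so one resource keeps one URI while it stays cached */
    private final Map<String, String> keyToToken = new HashMap<>();
    /** token -> resource key, in access order (third ctor arg) so the eldest entry is the LRU one */
    private final LinkedHashMap<String, String> tokenToKey = new LinkedHashMap<>(16, 0.75f, true);

    OpaqueResourceMapper(int capacity) { this.capacity = capacity; }

    /** Returns a stable, opaque URI for the resource, generating a UUID token on first use. */
    synchronized String toUri(String resourceKey) {
        String token = keyToToken.get(resourceKey);
        if (token == null) {
            token = UUID.randomUUID().toString();          // hex digits and '-' only: no ".." possible
            keyToToken.put(resourceKey, token);
            tokenToKey.put(token, resourceKey);
            if (tokenToKey.size() > capacity) {             // LRU eviction: drop the least recently used
                String eldest = tokenToKey.keySet().iterator().next();
                keyToToken.remove(tokenToKey.remove(eldest));
            }
        } else {
            tokenToKey.get(token);                          // touch, so a hot resource is not evicted
        }
        return PREFIX + token;
    }

    /** Resolves a request URI back to the resource key, or null if the token is unknown (stale). */
    synchronized String resolve(String uri) {
        if (!uri.startsWith(PREFIX)) return null;
        return tokenToKey.get(uri.substring(PREFIX.length()));
    }

    public static void main(String[] args) {
        OpaqueResourceMapper mapper = new OpaqueResourceMapper(2);   // capacity 2 forces eviction
        String css = mapper.toUri("css/table.xcss");
        mapper.toUri("js/ajax.js");
        mapper.toUri("img/spacer.gif");                               // third entry evicts the css token
        System.out.println(css + " -> " + mapper.resolve(css));       // "... -> null": stale URI, i.e. an error
        System.out.println(new OpaqueResourceMapper(2).toUri("css/table.xcss").equals(css)); // false: "restart"
    }
}
```

Sizing the capacity above the number of distinct resources an application serves, and treating an unresolved token as a cache miss that clients must refetch, are the two operational checks this limitation implies.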

        



More information about the richfaces-issues mailing list