
Friendly URL documentation concerning security and ugly URLs

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.0
    • Fix Version/s: 4.1.1
    • Component/s: Documentation
    • Labels:
      None
    • Environment:
      All

      Description

      The friendly URL documentation implies that enabling friendly URLs is a way to enable security for Tapestry generated URLs. While this part of the documentation is correct, it implies that the 'ugly' URLs are no longer accessible - thereby enabling security for Tapestry sites. This is not correct and should be documented (at the very least).

      Ideally, there should be a method in the framework itself that would disable access to the original URLs if the friendly URL contribution is made.

        Activity

        vaporrun Brian K. Wallace added a comment -

        Attached is a patch to the Friendly URL documentation that includes a warning addressing security concerns when dealing with the friendly URL contribution.

        derickf Derick Fernando added a comment -

        Can't this be done simply by removing the "/app" or similar servlet mapping in web.xml and making sure that your servlet container is not mapping servlets to "servlet/*" for that context?

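        As an added illustration of the web.xml change discussed above (constructed for this page, not a file from the issue or the Tapestry distribution; the servlet name and the friendly-URL patterns are assumptions):

```xml
<!-- Constructed web.xml fragment for a Tapestry 4 application. The
     servlet name and the friendly-URL patterns below are assumptions,
     not values taken from this issue or from Tapestry itself. -->
<web-app>

  <servlet>
    <servlet-name>myapp</servlet-name>
    <servlet-class>org.apache.tapestry.ApplicationServlet</servlet-class>
    <load-on-startup>0</load-on-startup>
  </servlet>

  <!-- Weak setting: with this mapping left in place, the friendly-URL
       contribution only changes how links are generated. A request in
       the original form, e.g. /myapp/app?service=page&page=Home, still
       reaches every page, so nothing has actually been restricted. -->
  <!--
  <servlet-mapping>
    <servlet-name>myapp</servlet-name>
    <url-pattern>/app</url-pattern>
  </servlet-mapping>
  -->

  <!-- Corrected setting: map the servlet only to the patterns that the
       friendly-URL service encoders emit. A request to /app now falls
       through to the container's default servlet (normally a 404). -->
  <servlet-mapping>
    <servlet-name>myapp</servlet-name>
    <url-pattern>*.html</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>myapp</servlet-name>
    <url-pattern>*.direct</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>myapp</servlet-name>
    <url-pattern>*.svc</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>myapp</servlet-name>
    <url-pattern>/assets/*</url-pattern>
  </servlet-mapping>

  <!-- Also check the container: an invoker-style "servlet/*" mapping
       lives in the container's global configuration, not in this file,
       and could make the application servlet reachable outside the
       mappings declared here. -->

</web-app>
```

        Verify the result from the outside: after the change, the original /app URL for a known page should no longer be served, while the friendly form of the same page still is.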
        vaporrun Brian K. Wallace added a comment -

        There are many ways to work around this issue - the issue isn't that it's impossible to fix, just that the current documentation implies that the friendly URL contribution is the answer to security while it is not. (hence the patch is to documentation, not code)

        vaporrun Brian K. Wallace added a comment -

        Applied patch to documentation.


          People

          • Assignee: vaporrun Brian K. Wallace
          • Reporter: vaporrun Brian K. Wallace