TAPESTRY-843

Friendly URL documentation concerning security and ugly URLs

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.0
    • Fix Version/s: 4.1.1
    • Component/s: Documentation
    • Labels:
      None
    • Environment:
      All

      Description

      The friendly URL documentation implies that enabling friendly URLs is a way to enable security for Tapestry-generated URLs. While this part of the documentation is correct, it also implies that the 'ugly' URLs are no longer accessible, thereby enabling security for Tapestry sites. This is not correct and should be documented (at the very least).

      Ideally, there should be a method in the framework itself that would disable access to the original URLs if the friendly URL contribution is made.
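      One application-level way to get the behaviour the description asks for, as an added example that is not part of the issue or of Tapestry itself: a servlet filter that refuses the original URL form so only the friendly encodings remain reachable. It assumes the Tapestry application servlet is mapped at `/app` and that an original-style URL is recognisable by its `service` query parameter (e.g. `/app?service=page&page=Home`); both are assumptions to check against your own web.xml and URL encodings.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects requests that use Tapestry's original ("ugly") URL form so that only
 * the friendly URL encodings configured for the application are reachable.
 *
 * Assumptions (not taken from the issue): the application servlet is mapped at
 * /app, and an ugly URL is recognised by the presence of the "service" query
 * parameter (e.g. /app?service=page&page=Home). Friendly URLs carry the service
 * in the path instead, so they pass through untouched.
 */
public class LegacyUrlBlockingFilter implements Filter {

    /** Servlet path on which the original URLs are served; adjust to your web.xml. */
    private static final String LEGACY_SERVLET_PATH = "/app";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (isLegacyUrl(request.getServletPath(), request.getParameter("service"))) {
            // Answer 404 rather than 403 so the response does not advertise
            // that the original entry point still exists behind the filter.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Pure decision logic, kept separate so it can be unit tested without a container. */
    static boolean isLegacyUrl(String servletPath, String serviceParam) {
        return LEGACY_SERVLET_PATH.equals(servletPath) && serviceParam != null;
    }
}
```

      Register the filter in web.xml with a filter-mapping on the same URL pattern as the Tapestry servlet, then confirm with a request to an original-style URL that it now returns 404 while the friendly URLs still resolve.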

        Activity

        Brian K. Wallace added a comment -

        Attached is a patch to the Friendly URL documentation that includes a warning addressing security concerns when dealing with the friendly URL contribution.

        Derick Fernando added a comment -

        Can't this be done simply by removing the "/app" or similar servlet mapping in web.xml and making sure that your servlet container is not mapping servlets to "servlet/*" for that context?

        Brian K. Wallace added a comment -

        There are many ways to work around this issue - the issue isn't that it's impossible to fix, just that the current documentation implies that the friendly URL contribution is the answer to security while it is not. (hence the patch is to documentation, not code)

        Brian K. Wallace added a comment -

        Applied patch to documentation.


          People

          • Assignee:
            Brian K. Wallace
            Reporter:
            Brian K. Wallace
          • Votes:
            0
            Watchers:
            1
