James Berry wrote: > > My response is that the tomcat should be completely blind to > "parameters". Basically, to Tomcat's perspective, they don't exist. > There is nothing any more special about "this;biz=bar" than > "this,biz=bar" or "this-biz-bar".
But, of course, your access control does call out a segment this/, then the segment this;biz=bar/ would escape that access control, so in some ways it is *quite* special; parameters are extra metadata. > Tomcat should be blind to the very existence of parameters because it > doesn't place any meaning on them. I agree that an application could add meaning to a parameter, but do consider the first rule of URI namespace which is that each and every URI should be canonical and unique. Returning the same 200 OK result with the same document for everything under /abuseme means that a crawler can end up with /abuseme/1 /abuseme/2 /abuseme/3 ... in all sorts of nasty recursive situations. Because Tomcat and Apache are blind to parameters, the connector -should- reject them. When Tomcat/Apache are able to treat your "this;biz=bar" example the same as "this" for the purpose of access control, then they can be enabled in an opaque manner that lets the application determine their meaning and context. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
