Hi William,

On Aug 23, 2006, at 2:05 PM, William A. Rowe, Jr. wrote:

> James Berry wrote:
>
>> My response is that the tomcat should be completely blind to
>> "parameters". Basically, to Tomcat's perspective, they don't exist.
>> There is nothing any more special about "this;biz=bar" than
>> "this,biz=bar" or "this-biz-bar".
>
> But, of course, your access control does call out a segment this/,
> then the segment this;biz=bar/ would escape that access control,
> so in some ways it is *quite* special; parameters are extra metadata.

Perhaps I'm not understanding you. Yes, in this case the segment name should be "this;biz=bar" and not "this". If there were access control on segment "this" then "this;biz=bar" should not follow that access control.

In what way, and why, does "this;biz=bar" escape access control any more than "this-funny-name" would? If it was "this,biz=bar" would it?


>> Tomcat should be blind to the very existence of parameters because it
>> doesn't place any meaning on them.
>
> I agree that an application could add meaning to a parameter, but do
> consider the first rule of URI namespace which is that each and every
> URI should be canonical and unique.  Returning the same 200 OK result
> with the same document for everything under /abuseme means that a
> crawler can end up with /abuseme/1 /abuseme/2 /abuseme/3 ... in all
> sorts of nasty recursive situations.

Again, I'm not following you, perhaps. I can certainly do that today, by passing all sorts of information in pathinfo following any url.

> Because Tomcat and Apache are blind to parameters, the connector - should-
> reject them.  When Tomcat/Apache are able to treat your "this;biz=bar"
> example the same as "this" for the purpose of access control, then they
> can be enabled in an opaque manner that lets the application determine
> their meaning and context.

So maybe this is the crux of it. Why/where is it that "this;biz=bar" cannot be treated the same for the purposes of access control as "this"? The URL spec says that these are equally valid, and that "this,biz=bar" is equally valid (and suggests too that it might also be used for passing parameters) but to my understanding, that should be no concern of tomcat's.

James

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
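The disagreement above is about whether a path segment carrying an RFC 3986 path parameter ("this;biz=bar") is the same name as "this" for access-control purposes. The following is an added example, not code from the thread, from Tomcat or from the mod_jk connector. It models the two ends of the pipeline with constructed data: a front-end gate that applies a prefix rule on the raw request path (the way a literal "/this/" rule would), and a back end that strips ";..." from every segment before mapping the path to a resource. That mismatch is the escape William describes; it also shows why ",biz=bar" and "-biz-bar" are not special: no component strips them, so "this,biz=bar" really is a different name, whereas "this;biz=bar" collapses to "this" on the way to the resource. The resource table, the prefix rule and the back end's stripping behaviour are assumptions for illustration.

```python
"""Added example: path parameters versus a path-prefix access-control rule.

Assumptions (not taken from the thread or from any real server):
  * the back end removes ';...' from EVERY path segment before lookup;
  * the front-end rule protects everything under the literal prefix '/this/'.
"""

# Constructed resource store the back end serves from.
BACKEND_RESOURCES = {
    "/this/secret.html": "secret",
    "/public/index.html": "public",
}

PROTECTED_PREFIX = "/this/"  # the access-control rule under discussion


def strip_path_params(path: str) -> str:
    """Drop an RFC 3986 path parameter (';name=value') from each segment.

    '/this;biz=bar/secret.html'  -> '/this/secret.html'
    '/this,biz=bar/secret.html'  -> unchanged: ',' is not a parameter delimiter
    '/this-biz-bar/secret.html'  -> unchanged: '-' is just part of the name
    """
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def gate_literal(path: str) -> bool:
    """Front-end check on the raw path. True means the request is allowed.

    This is the weak form: it sees 'this;biz=bar' as a segment that is not
    'this', so the prefix rule does not fire.
    """
    return not path.startswith(PROTECTED_PREFIX)


def gate_canonical(path: str) -> bool:
    """Hardened form: canonicalise exactly as the back end does, then match."""
    return not strip_path_params(path).startswith(PROTECTED_PREFIX)


def gate_reject_params(path: str) -> bool:
    """The connector policy described in the thread: refuse any path that
    carries parameters at all, rather than try to interpret them."""
    if ";" in path:
        return False
    return not path.startswith(PROTECTED_PREFIX)


def backend_resolve(path: str):
    """Map a request path to a resource after stripping parameters (assumed)."""
    return BACKEND_RESOURCES.get(strip_path_params(path))


def serve(path: str, gate) -> tuple:
    """Run one request through a gate and then the back end.

    Returns ('denied', None), ('ok', body) or ('404', None).
    """
    if not gate(path):
        return ("denied", None)
    body = backend_resolve(path)
    return ("ok", body) if body is not None else ("404", None)


if __name__ == "__main__":
    requests = [
        "/this/secret.html",          # plainly protected
        "/this;biz=bar/secret.html",  # the case from the thread
        "/this,biz=bar/secret.html",  # a genuinely different segment name
        "/this-biz-bar/secret.html",  # likewise
        "/public/index.html",
    ]
    for gate in (gate_literal, gate_canonical, gate_reject_params):
        print(f"--- {gate.__name__}")
        for req in requests:
            print(f"{req:32} -> {serve(req, gate)}")
```

Running it shows "/this;biz=bar/secret.html" returning the secret through the literal gate and being denied by both hardened gates, while "/this,biz=bar/secret.html" is a 404 under every gate because nothing rewrites it to "/this/secret.html". Whatever canonicalisation the back end applies, the front-end rule has to apply the same one (or, as the connector did, refuse the input outright); percent-encoded delimiters such as "%3B" raise the same question one layer down, so decoding order between the two components needs the same scrutiny.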