James Berry wrote:
>
>> Because Tomcat and Apache are blind to parameters, the connector -should-
>> reject them. When Tomcat/Apache are able to treat your "this;biz=bar"
>> example the same as "this" for the purpose of access control, then they
>> can be enabled in an opaque manner that lets the application determine
>> their meaning and context.
>
> So maybe this is the crux of it. Why/where is it that "this;biz=bar"
> cannot be treated the same for the purposes of access control as "this"?
> The URL spec says that these are equally valid, and that "this,biz=bar"
> is equally valid (and suggests too that it might also be used for
> passing parameters) but to my understanding, that should be no concern
> of tomcat's.
BUT today's parsers don't do that. So any DENY rule on "this" would let "this;biz=bar" slip through, while the handler might process "this" and ignore parameters entirely.

Now understand I'm not a big fan of deny rules (deny all, then always selectively grant access ;-) But we can't ignore that they exist, and if parameters must be treated independently of the resource that they modify, then /myfolder;v=1.1/records.doc;f=rtf must parse against any access control rules of /myfolder/records.doc, which means they need a canonical form for access control independent of their parameters.

I need to research, but it's probably doable. It's not doable by just tweaking the code in mod_jk, however.
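The canonical form the message above asks for, as an added example in C that is not mod_jk's or Tomcat's code: path parameters (";name=value") are stripped from every segment before the path is compared against access rules, so a DENY rule on the resource also covers its parameterised variants. The DENY_RULES table and exact-match rule semantics are a constructed sample; percent-decoding and ".." handling are assumed to happen elsewhere.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Strip path parameters (";...") from every segment of a request path, so
 * "/myfolder;v=1.1/records.doc;f=rtf" becomes "/myfolder/records.doc".
 * A query string ("?...") is copied verbatim, since ';' inside it is not a
 * path parameter. Writes at most outlen-1 bytes plus NUL; returns the length. */
size_t canonical_path(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    bool skipping = false;              /* inside a ";..." parameter run */
    for (; *in && n + 1 < outlen; in++) {
        if (*in == '?') {               /* query string: keep as-is */
            while (*in && n + 1 < outlen) out[n++] = *in++;
            break;
        }
        if (*in == '/') skipping = false;       /* new segment ends the run */
        else if (*in == ';') skipping = true;   /* parameters run to next '/' */
        if (!skipping) out[n++] = *in;
    }
    out[n] = '\0';
    return n;
}

/* Constructed sample: DENY rules keyed on the canonical resource path. */
static const char *DENY_RULES[] = { "/this", "/myfolder/records.doc" };

/* Naive check: compares the raw request path, so "/this;biz=bar" slips through. */
bool denied_raw(const char *path)
{
    for (size_t i = 0; i < sizeof DENY_RULES / sizeof *DENY_RULES; i++)
        if (strcmp(path, DENY_RULES[i]) == 0) return true;
    return false;
}

/* Hardened check: canonicalise first, then apply the same rules. */
bool denied_canonical(const char *path)
{
    char buf[1024];
    canonical_path(path, buf, sizeof buf);
    return denied_raw(buf);
}

int main(void)
{
    const char *req = "/myfolder;v=1.1/records.doc;f=rtf";
    printf("raw check: %s, canonical check: %s\n",
           denied_raw(req) ? "denied" : "allowed",
           denied_canonical(req) ? "denied" : "allowed");
    return 0;
}
```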