On Aug 23, 2006, at 2:40 PM, William A. Rowe, Jr. wrote:
James Berry wrote:
Because Tomcat and Apache are blind to parameters, the connector -
should-
reject them. When Tomcat/Apache are able to treat your
"this;biz=bar"
example the same as "this" for the purpose of access control,
then they
can be enabled in an opaque manner that lets the application
determine
their meaning and context.
So maybe this is the crux of it. Why/where is it that "this;biz=bar"
cannot be treated the same for the purposes of access control as
"this"?
The URL spec says that these are equally valid, and that
"this,biz=bar"
is equally valid (and suggests too that it might also be used for
passing parameters) but to my understanding, that should be no
concern
of tomcat's.
BUT today's parsers don't do that. So any DENY rule on "this"
would let
"this;biz=bar" slip through, while the handler might process "this"
and
ignore parameters entirely.
So such a deny rule on "this" would currently let "this;biz=bar"
through, and would also let "thisthatandtheotherthing" through too,
right?
I see nothing wrong with that: if follows my assertion that semicolon
parameters simply should not be treated any differently.
Now understand I'm not a big fan of deny rules (deny all, then always
selectively grant access ;-) But we can't ignore that they exist, and
if parameters must be treated independently of the resource that they
What I'm saying is that they should not be treated independently or
differently. They should be treated not as metadata, but as part of
the segment.
modify, then /myfolder;v=1.1/records.doc;f=rtf must parse against any
access control rules of /myfolder/records.doc, which means they need
a canonical form for access control independent of their parameters.
The situation today is that if I form one url that looks like:
/myfolder;v=1.1/records.doc;f=rtf
and another that looks like:
/myfolder,v=1.1/records.doc,f=rtf
and another that looks like:
/myfolder+v=1.1/records.doc+f=rtf
The one that uses semicolons is mangled by Tomcat, while the other
two are not. What I'm claiming is that this is a bug, because
parameters should not be treated differently by tomcat; it can do
nothing different with the first url than it can with the second or
third url, and it should leave the distinction to code that can,
rather than assuming it knows something that it doesn't.
The rfcs, to me, are saying that http servers shouldn't treat segment
parameters in any special way. And until they should, or can, or
really want to, Tomcat shouldn't reject a semicolon when it doesn't
reject a comma.
I need to research, but it's probably doable. It's not doable by just
tweaking the code in mod_jk, however.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
