geronimo-dev mailing list archives

From David Jencks <david_jen...@yahoo.com>
Subject URL encoding of colons in web permissions
Date Mon, 06 Oct 2008 16:27:10 GMT
There's a new MR for the JACC spec, and one of the changes is related to something we've already tried to solve for dealing with the Pluto console URLs, which sometimes have colons in them, for instance when a JDBC URL is in a query parameter in the URL.


Here's the text of the spec change:

The name of the permission checked in a transport or pre-dispatch decision must be the unqualified request URI minus the context path. All colon characters occurring within the name must be represented using escaped encoding.


Here's our current code:

     static String encodeColons(HttpServletRequest request) {
         String result = request.getServletPath() + (request.getPathInfo() == null ? "" : request.getPathInfo());

         // Double any colon that is already escaped, then escape literal colons.
         if (result.indexOf("%3A") > -1) result = result.replaceAll("%3A", "%3A%3A");
         if (result.indexOf(":") > -1) result = result.replaceAll(":", "%3A");

         return result;
     }


I think that we are being over-enthusiastic and should leave out the doubling of a pre-encoded colon:

     static String encodeColons(HttpServletRequest request) {
         String result = request.getServletPath() + (request.getPathInfo() == null ? "" : request.getPathInfo());

         // Escape literal colons only; an already escaped %3A is left as it is.
         if (result.indexOf(":") > -1) result = result.replaceAll(":", "%3A");

         return result;
     }


Does this seem right?

thanks
david jencks
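
Added example, not part of the original message or of Geronimo's code: the two versions above applied to plain strings (constructed sample values standing in for servletPath + pathInfo) and grouped by the permission name they produce, so it is visible which distinct inputs end up sharing a name under each version. The class and method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.UnaryOperator;

public class ColonEncodingDemo {

    // Current code in the message: double pre-encoded colons, then encode literal ones.
    static String encodeWithDoubling(String path) {
        return path.replace("%3A", "%3A%3A").replace(":", "%3A");
    }

    // Proposed code in the message: encode literal colons only.
    static String encodeLiteralOnly(String path) {
        return path.replace(":", "%3A");
    }

    // Group input paths by the permission name they produce.
    static Map<String, List<String>> byName(UnaryOperator<String> enc, String... paths) {
        Map<String, List<String>> groups = new LinkedHashMap<>();
        for (String p : paths) {
            groups.computeIfAbsent(enc.apply(p), k -> new ArrayList<>()).add(p);
        }
        return groups;
    }

    static void report(String label, Map<String, List<String>> groups) {
        System.out.println(label);
        groups.forEach((name, inputs) ->
            System.out.println("  " + name + " <- " + inputs
                + (inputs.size() > 1 ? "  (shared name)" : "")));
    }

    public static void main(String[] args) {
        // Constructed sample values for servletPath + pathInfo.
        String[] paths = {
            "/db/jdbc:derby", "/db/jdbc%3Aderby", "/db/jdbc::derby", "/db/jdbc%3A%3Aderby"
        };
        report("with doubling:", byName(ColonEncodingDemo::encodeWithDoubling, paths));
        report("literal colons only:", byName(ColonEncodingDemo::encodeLiteralOnly, paths));
    }
}
```

With these inputs, the doubling version gives "%3A" and "::" the same name, while the literal-only version gives ":" and "%3A" the same name.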

