geronimo-dev mailing list archives

From Joe Bohn <joe.b...@earthlink.net>
Subject Re: URL encoding of colons in web permissions
Date Mon, 06 Oct 2008 20:39:09 GMT
Seems reasonable to me.  I don't know why we would need to double encode 
the %3A and it actually seems like it might cause some problems.

Joe


David Jencks wrote:
> There's a new MR for the JACC spec, and one of the changes is related to
> something we've already tried to solve for dealing with the Pluto
> console URLs, which sometimes have colons in them, for instance when a
> JDBC URL is in a query parameter in the URL.
> 
> 
> Here's the text of the spec change:
> 
> The name of the permission checked in a transport or pre-dispatch 
> decision must 
> be the unqualified request URI minus the context path. All colon characters 
> occurring within the name must be represented using escaped encoding1.
> 
> 
> Here's our current code:
> 
>     static String encodeColons(HttpServletRequest request) {
>         String result = request.getServletPath()
>                 + (request.getPathInfo() == null ? "" : request.getPathInfo());
> 
>         if (result.indexOf("%3A") > -1) result = result.replaceAll("%3A", "%3A%3A");
>         if (result.indexOf(":") > -1) result = result.replaceAll(":", "%3A");
> 
>         return result;
>     }
> 
> 
> I think that we are being over-enthusiastic and should leave out the 
> doubling of a pre-encoded colon:
> 
>     static String encodeColons(HttpServletRequest request) {
>         String result = request.getServletPath()
>                 + (request.getPathInfo() == null ? "" : request.getPathInfo());
> 
>         if (result.indexOf(":") > -1) result = result.replaceAll(":", "%3A");
> 
>         return result;
>     }
> 
> 
> Does this seem right?
> 
> thanks
> david jencks
> 
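
The two encodings quoted in this message, compared on constructed paths. This is an added example, not part of the original thread or of Geronimo's code. The class name, the method names, and passing the assembled path as a String instead of an HttpServletRequest are assumptions made so it runs without a servlet container.

```java
public class ColonEncodingDemo {

    // Same replacements as the "current code" in the message, applied to an
    // already assembled path (servletPath + pathInfo) instead of a request.
    static String encodeDoubling(String path) {
        String result = path;
        if (result.indexOf("%3A") > -1) result = result.replaceAll("%3A", "%3A%3A");
        if (result.indexOf(":") > -1) result = result.replaceAll(":", "%3A");
        return result;
    }

    // Same replacement as the proposed code: only literal colons are escaped.
    static String encodeColonsOnly(String path) {
        return path.indexOf(":") > -1 ? path.replaceAll(":", "%3A") : path;
    }

    public static void main(String[] args) {
        // Constructed sample paths, not taken from a real deployment.
        String[] paths = {
            "/console/portal/list",                 // no colon at all
            "/console/portal/jdbc:derby:SystemDB",  // literal colons
            "/console/portal/jdbc%3Aderby"          // colon already escaped
        };

        for (String p : paths) {
            String doubled = encodeDoubling(p);
            String proposed = encodeColonsOnly(p);
            System.out.println("path:     " + p);
            System.out.println("doubling: " + doubled);
            System.out.println("proposed: " + proposed);
            // A permission name that is already in escaped form should not
            // change when it passes through the encoder a second time.
            System.out.println("stable on re-encode: doubling="
                    + encodeDoubling(doubled).equals(doubled)
                    + " proposed=" + encodeColonsOnly(proposed).equals(proposed));
            System.out.println();
        }

        // Trade-off of dropping the doubling: a literal colon and an already
        // escaped colon now produce the same permission name.
        String literal = "/console/x:y";
        String escaped = "/console/x%3Ay";
        System.out.println("same name, proposed: "
                + encodeColonsOnly(literal).equals(encodeColonsOnly(escaped)));
        System.out.println("same name, doubling: "
                + encodeDoubling(literal).equals(encodeDoubling(escaped)));
    }
}
```

When reading the output, compare the `doubling` and `proposed` names for the third path against a policy entry written with a single `%3A`, which is the form the quoted spec text asks for.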

