tomcat-dev mailing list archives

From James Berry <>
Subject Re: parameters in URL path segments
Date Wed, 23 Aug 2006 21:22:01 GMT
Hi William,

On Aug 23, 2006, at 2:05 PM, William A. Rowe, Jr. wrote:

> James Berry wrote:
>> My response is that the tomcat should be completely blind to
>> "parameters". Basically, to Tomcat's perspective, they don't exist.
>> There is nothing any more special about "this;biz=bar" than
>> "this,biz=bar" or "this-biz-bar".
> But, of course, your access control does call out a segment this/,
> then the segment this;biz=bar/ would escape that access control,
> so in some ways it is *quite* special; parameters are extra metadata.

Perhaps I'm not understanding you. Yes, in this case the segment name  
should be "this;biz=bar" and not "this". If there were access control  
on segment "this" then "this;biz=bar" should not follow that access  

In what way, and why, does "this;biz=bar" escape access control any  
more than "this-funny-name" would? If it was "this,biz=bar" would it?

>> Tomcat should be blind to the very existence of parameters because it
>> doesn't place any meaning on them.
> I agree that an application could add meaning to a parameter, but do
> consider the first rule of URI namespace which is that each and every
> URI should be canonical and unique.  Returning the same 200 OK result
> with the same document for everything under /abuseme means that a
> crawler can end up with /abuseme/1 /abuseme/2 /abuseme/3 ... in all
> sorts of nasty recursive situations.

Again, I'm not following you, perhaps. I can certainly do that today,  
by passing all sorts of information in pathinfo following any url.

> Because Tomcat and Apache are blind to parameters, the connector -should-
> reject them.  When Tomcat/Apache are able to treat your "this;biz=bar"
> example the same as "this" for the purpose of access control, then they
> can be enabled in an opaque manner that lets the application determine
> their meaning and context.

So maybe this is the crux of it. Why/where is it that "this;biz=bar"  
cannot be treated the same for the purposes of access control as  
"this"? The URL spec says that these are equally valid, and that  
"this,biz=bar" is equally valid (and suggests too that it might also  
be used for passing parameters) but to my understanding, that should  
be no concern of tomcat's.
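An added example, not code from the thread or from Tomcat: a path-based access-control check written naively against the raw path beside one that normalizes the path first, showing that the "this;biz=bar" segment William describes matches a rule for "this" only after segment parameters are stripped. The rule list and request paths are constructed; treating everything after the first ";" in a segment as a parameter is an assumed simplification.

```python
# Added example (not from the tomcat-dev thread): why a ";name=value" segment
# parameter can slip past an access-control rule written for the bare segment,
# and how normalizing the path before matching closes that gap.
from urllib.parse import unquote


def strip_segment_params(path: str) -> str:
    """Drop ';...' suffixes from every segment: '/this;biz=bar/x' -> '/this/x'.
    Assumed simplification: everything after the first ';' is a parameter."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def normalize(path: str) -> str:
    """Percent-decode, strip segment params, drop '.' and resolve '..'.
    Decoding first is deliberate: it errs toward matching a protected rule."""
    bare = strip_segment_params(unquote(path))
    out = []
    for part in bare.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if out:
                out.pop()      # never climb above the root
        else:
            out.append(part)
    return "/" + "/".join(out)


def naive_is_protected(path: str, rules: list[str]) -> bool:
    """Match the raw request path against protected prefixes (the gap)."""
    return any(path == r or path.startswith(r + "/") for r in rules)


def hardened_is_protected(path: str, rules: list[str]) -> bool:
    """Same rule set, but applied to the normalized path."""
    return naive_is_protected(normalize(path), rules)


if __name__ == "__main__":
    rules = ["/this"]                       # constructed protected prefix
    for p in ["/this/secret", "/this;biz=bar/secret", "/this-funny-name/secret"]:
        print(f"{p:28} naive={naive_is_protected(p, rules)!s:5} "
              f"hardened={hardened_is_protected(p, rules)}")
```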
