Mailing list: dev@tomcat.apache.org (Tomcat Developers List)
Message-Id: <034D057E-D44D-4526-9750-55EE06ECAB58@apache.org>
In-Reply-To: <44ECC313.9080302@rowe-clan.net>
References: <4B79B82F-6013-45D7-97C1-ECEE4995302D@apache.org> <44ECB980.5000707@gmail.com> <44ECC313.9080302@rowe-clan.net>
From: James Berry
Subject: Re: parameters in URL path segments
Date: Wed, 23 Aug 2006 14:22:01 -0700
Cc: Jean-frederic Clere, remm@apache.org, Tomcat Developers List
To:
"William A. Rowe, Jr."

Hi William,

On Aug 23, 2006, at 2:05 PM, William A. Rowe, Jr. wrote:

> James Berry wrote:
>>
>> My response is that Tomcat should be completely blind to
>> "parameters". Basically, from Tomcat's perspective, they don't exist.
>> There is nothing any more special about "this;biz=bar" than
>> "this,biz=bar" or "this-biz-bar".
>
> But, of course, if your access control does call out a segment this/,
> then the segment this;biz=bar/ would escape that access control,
> so in some ways it is *quite* special; parameters are extra metadata.

Perhaps I'm not understanding you. Yes, in this case the segment name
should be "this;biz=bar" and not "this". If there were access control
on segment "this" then "this;biz=bar" should not follow that access
control. In what way, and why, does "this;biz=bar" escape access
control any more than "this-funny-name" would? If it were
"this,biz=bar", would it?

>> Tomcat should be blind to the very existence of parameters because it
>> doesn't place any meaning on them.
>
> I agree that an application could add meaning to a parameter, but do
> consider the first rule of URI namespace, which is that each and every
> URI should be canonical and unique. Returning the same 200 OK result
> with the same document for everything under /abuseme means that a
> crawler can end up with /abuseme/1 /abuseme/2 /abuseme/3 ... in all
> sorts of nasty recursive situations.

Again, I'm not following you, perhaps. I can certainly do that today,
by passing all sorts of information in pathinfo following any URL.

> Because Tomcat and Apache are blind to parameters, the connector
> -should- reject them. When Tomcat/Apache are able to treat your
> "this;biz=bar" example the same as "this" for the purpose of access
> control, then they can be enabled in an opaque manner that lets the
> application determine their meaning and context.

So maybe this is the crux of it. Why/where is it that "this;biz=bar"
cannot be treated the same for the purposes of access control as
"this"? The URL spec says that these are equally valid, and that
"this,biz=bar" is equally valid (and suggests too that it might also
be used for passing parameters), but to my understanding that should
be no concern of Tomcat's.

James

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
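The access-control gap Rowe describes and the segment-name distinction Berry draws, as an added example that is not code from this thread or from Tomcat: a hypothetical Python check with a rule "the first path segment is `this`", evaluated once against the raw segment and once after stripping RFC 2396 path-segment parameters (`;key=value`). The rule, the function names and the sample paths are assumptions for illustration. Parameters are split off before percent-decoding, so an encoded `%3B` stays part of the segment name rather than becoming a delimiter, and a comma segment such as `this,biz=bar` is simply a different name under both checks.

```python
from urllib.parse import unquote

# Hypothetical rule (not from the thread): every request whose first path
# segment is "this" requires authentication.
PROTECTED_FIRST_SEGMENT = "this"


def raw_segments(path):
    """Split an absolute URL path into its raw segments, dropping the empty
    segment produced by the leading '/'."""
    if not path.startswith("/"):
        raise ValueError("expected an absolute path starting with '/'")
    return path.split("/")[1:]


def segment_name(segment):
    """Return the segment with any RFC 2396 parameters (';k=v;...') removed
    and percent-escapes decoded.  The split happens *before* decoding so that
    an encoded '%3B' remains part of the name instead of acting as the
    parameter delimiter."""
    name = segment.split(";", 1)[0]
    return unquote(name)


def naive_is_protected(path):
    """Match the rule against the raw first segment.  '/this;biz=bar/...'
    slips past because the raw string 'this;biz=bar' is not 'this'."""
    return raw_segments(path)[0] == PROTECTED_FIRST_SEGMENT


def canonical_is_protected(path):
    """Match the rule after stripping segment parameters, so that
    '/this;biz=bar/secret' is governed by the same rule as '/this/secret'."""
    return segment_name(raw_segments(path)[0]) == PROTECTED_FIRST_SEGMENT


def compare(path):
    """Return (naive, canonical) decisions for one request path."""
    return (naive_is_protected(path), canonical_is_protected(path))


if __name__ == "__main__":
    # Constructed sample paths, including the two shapes discussed above.
    for p in ("/this/secret",
              "/this;biz=bar/secret",
              "/this,biz=bar/secret",
              "/this%3Bbiz=bar/secret"):
        naive, canonical = compare(p)
        print(f"{p:28s} naive={naive!s:5s} canonical={canonical}")
```

The second sample is the case at issue: the raw-string check lets `/this;biz=bar/secret` through while the canonicalized check applies the `this` rule to it. The third and fourth samples show the other side of the argument: `this,biz=bar` and a literally-named `this;biz=bar` (sent as `%3B`) are distinct segments that neither check treats as `this`.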