Posted to dev@geronimo.apache.org by David Jencks <da...@yahoo.com> on 2008/10/06 18:27:10 UTC

URL encoding of colons in web permissions

There's a new MR for the jacc spec, and one of the changes is related
to something we've already tried to solve for dealing with the pluto
console urls, which sometimes have colons in them, for instance when a
jdbc url is in a query parameter in the url.


Here's the text of the spec change:

The name of the permission checked in a transport or pre-dispatch
decision must be the unqualified request URI minus the context path.
All colon characters occurring within the name must be represented
using escaped encoding.


Here's our current code:

     static String encodeColons(HttpServletRequest request) {
         String result = request.getServletPath()
                 + (request.getPathInfo() == null ? "" : request.getPathInfo());

         if (result.indexOf("%3A") > -1) result = result.replaceAll("%3A", "%3A%3A");
         if (result.indexOf(":") > -1) result = result.replaceAll(":", "%3A");

         return result;
     }


I think that we are being over-enthusiastic and should leave out the  
doubling of a pre-encoded colon:

     static String encodeColons(HttpServletRequest request) {
         String result = request.getServletPath()
                 + (request.getPathInfo() == null ? "" : request.getPathInfo());

         if (result.indexOf(":") > -1) result = result.replaceAll(":", "%3A");

         return result;
     }


Does this seem right?

thanks
david jencks
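
Added example, not part of the original message or of Geronimo's code: the two encodeColons variants from the post, run side by side over constructed paths to show which inputs end up with the same permission name. The class name, the String-based signatures (standing in for getServletPath() + getPathInfo()) and the sample paths are assumptions made for the illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class ColonEncodingDemo {

    // Current behaviour from the post: double any pre-encoded colon, then
    // encode literal colons. String.replace gives the same result as the
    // post's replaceAll calls because neither pattern has regex metacharacters.
    static String encodeCurrent(String path) {
        return path.replace("%3A", "%3A%3A").replace(":", "%3A");
    }

    // Proposed behaviour from the post: encode literal colons only.
    static String encodeProposed(String path) {
        return path.replace(":", "%3A");
    }

    // Group the input paths by the permission name each one produces.
    static Map<String, List<String>> groupByName(List<String> paths, boolean current) {
        Map<String, List<String>> byName = new LinkedHashMap<>();
        for (String p : paths) {
            String name = current ? encodeCurrent(p) : encodeProposed(p);
            byName.computeIfAbsent(name, k -> new ArrayList<>()).add(p);
        }
        return byName;
    }

    static void report(String label, Map<String, List<String>> byName) {
        System.out.println(label);
        byName.forEach((name, inputs) ->
                System.out.println("  " + name + " <- " + inputs
                        + (inputs.size() > 1 ? "  (shared name)" : "")));
    }

    public static void main(String[] args) {
        // Constructed sample paths (hypothetical, not taken from the pluto console).
        List<String> paths = Arrays.asList(
                "/portal/db/jdbc:derby:SystemDatabase",
                "/portal/a:b",
                "/portal/a%3Ab",
                "/portal/a%3A:b",
                "/portal/a:%3Ab");
        report("current (doubles %3A):", groupByName(paths, true));
        report("proposed (colons only):", groupByName(paths, false));
    }
}
```

With the proposed version, "/portal/a:b" and "/portal/a%3Ab" produce the same name; with the current version those two stay distinct, but "/portal/a%3A:b" and "/portal/a:%3Ab" still share one, so the doubling does not make names unique either.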


Re: URL encoding of colons in web permissions

Posted by Joe Bohn <jo...@earthlink.net>.
Seems reasonable to me.  I don't know why we would need to double encode 
the %3A and it actually seems like it might cause some problems.

Joe

