You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tapestry.apache.org by "Christophe Cordenier (JIRA)" <ji...@apache.org> on 2010/01/14 11:39:55 UTC

[jira] Commented: (TAP5-879) 404 is never raised automatically if the application has an index page.

    [ https://issues.apache.org/jira/browse/TAP5-879?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12800159#action_12800159 ] 

Christophe Cordenier commented on TAP5-879:
-------------------------------------------

Hi, 

Finally i came up to this solution :

1. Add a component request filter to check activation context parameters
2. i didn't modify the matches method of ComponentEvent class to be less intrusive
3. i didn't change the behavior at the OnEventWorker because i guess it's too late for security checking

The algorithm is :

1. If no activation method then no parameter is authorized
2. If activation methods exist then verify that at least that one method matches with the activation context parameter count and type (this induces type coercion)
3. If an activation method exists with EventContext, or List or Object[] param then it is flaged as not secured

Remark : The patch provided contains some code from the OnEventWorker and does introspection everytime the class is invalidated and then keep metadatas in a cache.

Aslo ,during test i have seen that this kind of code is not handled by Tapestry

onActivate(Long number) {...}

onActivate(String message) {...}

Calling this page with a string activation context parameter generate a coercion exception, i guess this was a decision in design.

Best Regards,
Christophe.



> 404 is never raised automatically if the application has an index page.
> -----------------------------------------------------------------------
>
>                 Key: TAP5-879
>                 URL: https://issues.apache.org/jira/browse/TAP5-879
>             Project: Tapestry 5
>          Issue Type: Bug
>          Components: tapestry-core
>    Affects Versions: 5.1.0.5
>            Reporter: Christophe Cordenier
>
> The default behavior of PageRenderDispatcher when a user access to a URL like 'http://localhost/demo/blah' (where 'demo' is the application context and 'blah' is a page that does not exist) is to translate to 'http://localhost/demo/index/blah' if an index page exists even if it has no activation method.
> It could be a better solution to check if a the index page has an activation method with the corresponding parameter number and type, and automatically raise a http 404 if not.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.