Posted to dev@tapestry.apache.org by bw...@apache.org on 2006/04/26 03:02:55 UTC
svn commit: r397037 -
/tapestry/tapestry4/branches/4.0/src/documentation/content/xdocs/UsersGuide/friendly-urls.xml
Author: bwallace
Date: Tue Apr 25 18:02:50 2006
New Revision: 397037
URL: http://svn.apache.org/viewcvs?rev=397037&view=rev
Log:
[TAPESTRY-843] Added warning about security and friendly URLs
Modified:
tapestry/tapestry4/branches/4.0/src/documentation/content/xdocs/UsersGuide/friendly-urls.xml
Modified: tapestry/tapestry4/branches/4.0/src/documentation/content/xdocs/UsersGuide/friendly-urls.xml
URL: http://svn.apache.org/viewcvs/tapestry/tapestry4/branches/4.0/src/documentation/content/xdocs/UsersGuide/friendly-urls.xml?rev=397037&r1=397036&r2=397037&view=diff
==============================================================================
--- tapestry/tapestry4/branches/4.0/src/documentation/content/xdocs/UsersGuide/friendly-urls.xml (original)
+++ tapestry/tapestry4/branches/4.0/src/documentation/content/xdocs/UsersGuide/friendly-urls.xml Tue Apr 25 18:02:50 2006
@@ -60,6 +60,13 @@
ambitious, but more limited, patch was required).
</p>
+ <warning>
+ For security purposes, enabling friendly URLs implies that pages are no longer
+ accessible via their ugly URL counterpart. This is not the case. If a malevolent user
+ can either guess - or via cookies identify - your servlet path, they can construct an
+ ugly URL to a resource that is protected via security and gain access to the protected
+ resource.
+ </warning>
<p>
Friendly URLs are divided into two concerns:
</p>
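Review bot: The first sentence of the new <warning> states the misconception as if it were fact: "enabling friendly URLs implies that pages are no longer accessible via their ugly URL counterpart" is only retracted by the following "This is not the case." Suggest naming the point directly, for example "Enabling friendly URLs does not disable the ugly URL for the same page", and dropping the leading "For security purposes", which has nothing to attach to. The warning also stops at the risk without telling the reader what to do: it should say that whatever protects the friendly URL must also cover requests made through the servlet path, and "via cookies identify" needs a few words on how a cookie reveals that path.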