dev@glassfish.java.net

Re: REST API and slashes in resource names

From: Andreas Loew <Andreas.Loew_at_Sun.COM>
Date: Fri, 28 May 2010 14:55:46 +0200

All,

Paul Sandoz wrote:
> Yes, quite a few styles of service would rely on this. One style is
> embedding a URI in another URI.

> This seems to be a security issue when files are served from a poorly
> designed Web server and the server decodes the URL path and because the
> path contains ".." and "/" it could be directed to serve files from
> locations that were not intended to be served (e.g. a UNIX password file
> or other users files). I presume this is not an issue for the admin service.

I've been trying to follow this discussion from the very beginning and
did not really like the idea of encoding the "/" as "%2F" from the very
beginning.

How about optionally wrapping/quoting resource names by a pair of
delimiter characters, such as in

/management/domain/resources/admin-object-resource/{jndi/foo}

(like for Unix shell variables when there is potential ambiguity) or
maybe even

/management/domain/resources/admin-object-resource/"jndi/foo"

Are there any other special characters which must not be part of a JNDI
name?

(I assume that one will certainly get into trouble with portability
across Java EE servers when trying to use all 65536 legal UTF characters
for a JNDI name!?)

Anyway, I myself would definitely feel better with a (documented)
requirement to write '.../{jndi/foo}' (or '.../"jndi/foo"') than a
questionable and ambiguous '.../jndi%2Ffoo'...

Just my 2 Euro cents...

Best regards,

Andreas

-- 
Andreas Loew
Senior Java Architect
Sun Microsystems (Germany)
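Added example, not code from this thread or from GlassFish: it shows the two behaviours the thread contrasts, a resource path split into segments before percent-decoding (so "jndi%2Ffoo" stays one resource name while "jndi/foo" is two segments) and the poorly designed file server Paul describes, which decodes the whole path first so that a decoded ".." or "/" becomes path structure, beside a resolver that refuses such segments. The root directory and function names are hypothetical.

```python
# Added illustration (not from the GlassFish thread): handling of "%2F"
# in REST resource names versus filesystem path resolution.
import posixpath
from typing import List, Optional
from urllib.parse import unquote


def split_segments(raw_path: str) -> List[str]:
    """Split on literal '/' BEFORE percent-decoding, then decode each piece.

    '/resources/jndi%2Ffoo' -> ['resources', 'jndi/foo']   (one resource name)
    '/resources/jndi/foo'   -> ['resources', 'jndi', 'foo'] (two segments)
    """
    return [unquote(seg) for seg in raw_path.strip("/").split("/") if seg]


def naive_file_path(root: str, raw_path: str) -> str:
    """The poorly designed server from the thread: decode the whole path,
    then hand it to the filesystem. Decoded '..' and '/' act as structure,
    so the result can leave root."""
    return posixpath.normpath(posixpath.join(root, unquote(raw_path).lstrip("/")))


def safe_file_path(root: str, raw_path: str) -> Optional[str]:
    """Decode per segment, refuse any segment that would act as a path
    component the client did not literally send, and confirm the result
    still lies under root. Returns None when the request must be rejected."""
    root = posixpath.abspath(root)
    segments = split_segments(raw_path)
    for seg in segments:
        # Decoded content must remain data, never a separator or a hop up.
        if seg in (".", "..") or "/" in seg or "\\" in seg or "\0" in seg:
            return None
    candidate = posixpath.abspath(posixpath.join(root, *segments))
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate
```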