dev@glassfish.java.net

Re: REST API and slashes in resource names

From: Jason Lee <jason.d.lee_at_oracle.com>
Date: Tue, 01 Jun 2010 13:35:24 -0500

For what it's worth, I added this to domain.xml

<jvm-options>-Dcom.sun.grizzly.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true</jvm-options>

It appears that at the point that the RestManagementAdapter is
instantiated, these values have not been processed and applied, so
Grizzly still maintains its default state of disallowing encoded
slashes. If we want to go this route, this value must be set earlier,
which means that it will almost certainly affect everything in the system,
which may or may not be a bad thing.

On 6/1/10 11:27 AM, Jason Lee wrote:
> We plan to bring this up this afternoon during the admin team
> meeting, but Ken and I discussed this briefly this morning during the
> console meeting. Are we sure we'll have a security issue if we enable
> the / encoding in Grizzly? A single URL encoding would be much
> simpler and probably more intuitive than double encoding or some
> special syntax for the resource IDs.
>
> On 6/1/10 9:49 AM, Bruno Harbulot wrote:
>> Hi,
>>
>> On 01/06/10 11:47, Andreas Loew wrote:
>>> Hi Paul,
>>>
>>> Paul Sandoz schrieb:
>>>
>>>>> Not quite: '{' and '}' are just "unsafe" characters,
>>>>
>>>> They are disallowed in the URI syntax:
>>>>
>>>> http://greenbytes.de/tech/webdav/rfc2396.html#rfc.section.2.4.3
>>>
>>> while I don't want to argue with you about the subtleties of the fact
>>> that curly brackets are part of *neither* "reserved" *nor*
>>> "unreserved" characters, it seems to me that the following would be
>>> fully sanctioned by the spec:
>>>
>>> .../management/domain/resources/admin-object-resource/(jndi/foo)
>>>
>>> because "normal" brackets are "unreserved" characters: "Data characters
>>> that are allowed in a URI but do not have a reserved purpose are called
>>> unreserved."
>>>
>>> So how about wrapping resource values that contain "reserved"
>>> characters
>>> by a pair of (unreserved) "normal" brackets '(' and ')'?
>>
>> I'm not sure whether you want to take more recent RFCs into
>> consideration, but in RFC 3986, which obsoletes RFC 2389, parentheses
>> are reserved characters:
>>
>> http://tools.ietf.org/html/rfc3986#section-2.2
>>
>> Section 2.4 is probably relevant to this discussion too (especially
>> its last sentence).
>>
>> As a side note, just in case you're using them,
>> java.net.URLEncoder/Decoder "[contain] static methods for converting
>> a String to the application/x-www-form-urlencoded MIME format" (see
>> Javadoc), which may not be intuitive w.r.t. the class name: it's more
>> relevant to the query part, but is likely not to produce the expected
>> result if the full URI is passed (space is encoded as '+' as far as I
>> remember).
>>
>>
>> Best wishes,
>>
>> Bruno.
>>
>>
>
>


-- 
Jason Lee
Senior Member of Technical Staff
GlassFish Administration Console
Oracle Corporation
Phone x31197/+1 405-343-1964
Blog http://blogs.steeplesoft.com
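As an added example (not code from this thread, GlassFish or Grizzly): encoding a resource id such as jndi/foo as one RFC 3986 path segment, the java.net.URLEncoder form-encoding pitfall Bruno points out, and why a router has to split the raw path before decoding once encoded slashes are accepted. The host, port and helper names are assumptions.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class PathSegmentEncoding {
    // RFC 3986 "unreserved" set: ALPHA / DIGIT / "-" / "." / "_" / "~"
    static boolean isUnreserved(int c) {
        return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
                || (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~';
    }

    // Percent-encode a single path segment. '/' and the RFC 3986 sub-delims
    // such as '(' and ')' are encoded, so the segment boundary stays unambiguous.
    static String encodeSegment(String raw) {
        StringBuilder sb = new StringBuilder();
        for (byte b : raw.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            if (isUnreserved(c)) sb.append((char) c);
            else sb.append(String.format("%%%02X", c));
        }
        return sb.toString();
    }

    // Decode one segment with java.net.URI's RFC 3986 percent-decoding.
    // URLDecoder is the wrong tool here: it is form decoding and turns '+' into ' '.
    static String decodeSegment(String seg) throws Exception {
        return new URI("http://placeholder/" + seg).getPath().substring(1);
    }

    public static void main(String[] args) throws Exception {
        String segment = encodeSegment("jndi/foo");
        System.out.println("path-segment encoding: " + segment);
        // Form encoding of the same id plus a space and parentheses, for comparison.
        System.out.println("URLEncoder (form) encoding: " + URLEncoder.encode("jndi/foo (x)", "UTF-8"));

        // Constructed request URI for the encoded id (host and port are assumptions).
        URI u = new URI("http://localhost:4848/management/domain/resources/admin-object-resource/" + segment);
        String[] rawSegs = u.getRawPath().split("/");     // split first, decode later: id stays one segment
        String[] decodedSegs = u.getPath().split("/");    // decode first: the id is torn into two segments
        System.out.println("split raw path, then decode: " + Arrays.toString(rawSegs));
        System.out.println("decode, then split:          " + Arrays.toString(decodedSegs));

        // Safe pattern: route on the raw segments, then decode only the id segment.
        System.out.println("resource id: " + decodeSegment(rawSegs[rawSegs.length - 1]));
    }
}
```

Whatever the Grizzly setting ends up being, the decision that matters for the REST adapter is whether path matching happens on the raw or the decoded path.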