Hey guys,

Here is some feedback I got from the specification lead maintainer for
the Servlet API. He points out that there is nothing preventing an
implementation from mapping URLs to paths in a case-insensitive manner.

Gili

==================BEGIN FORWARDED MESSAGE==================
Hi Gili
On Dec 22, 2004, at 12:32 PM, Gili wrote:

> Greg,
>
>       You talk as if File.getCanonicalPath() did not exist :) So my
> answer is twofold:
>
> 1) Password strings differ from file paths. Yes, the latter can be
> represented in the form of a String, but we really know it represents a
> file path. And while we're on the topic, I suspect the implementation
> stores such entities as "File" objects internally, not Strings.
>

Yes, passwords are a different animal from file paths. An implementation
of the servlet API will be whether file paths are canonical or not.
Quoting the servlet spec SRV2.4 Glossary page 328:

"In HTTP-based URLs, the '/' character is reserved to separate a
hierarchical path structure in the URL-path portion of the URL. The
server is responsible for determining the meaning of the hierarchical
structure. There is no correspondence between a URL-path and a given
file system path."

The only two APIs that are provided for accessing a resource directly
from the servlet spec's perspective are:

ClassLoader.getResourceAsStream(String/URL) and
ServletContext.getResourceAsStream(String)

This is as close to file paths as the servlet API really gets. It is
generally not a good practice to access the file system directly from a
web application. With the J2EE Reference implementation you need to
change the security settings of the web container to allow this.

> 2) You wouldn't need to protect all variations of /WEB-INF. You'd
> simply need to call File.getCanonicalPath() before doing a String
> comparison when comparing two file paths. Take this one step further
> and store the canonical path in all internal data structures so you
> only need to call File.getCanonicalPath() on incoming requests and
> compare it against the resource file path which is already canonical.
> This is simple enough and does not incur any serious performance drop.
> Under unix, getCanonicalPath() is almost a no-op (I think it handles
> symbolic links) and under win32 I think it is fairly cheap too.

This might be true with the implementation of the API but I'm not sure
how this is going to affect the servlet API itself. One thing to
remember is that the servlet API needs to service both Unix and Windows
platforms in a uniform way. Also keep in mind if you want a web
application to run portably on a Unix or Win32 platform you will need
to consider case.

What kind of use cases are you thinking of for changing the definition
of case sensitivity? Are you talking more about url mappings such as
*.JSP == *.jsp on win32 platforms? Do you want resources in a web
application to ignore case on win32?

If there are compelling use cases for this I would be more than happy to
bring this to the servlet EG. I'm going to ask around and see if this
topic has been discussed before.

Thank you for your comments,

Greg Murray
===================END FORWARDED MESSAGE===================
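
Added example, not part of the forwarded exchange and not taken from any servlet container: the canonicalize-before-compare check proposed in point 2 of the quoted message, written in Java. The class name CanonicalGuard, its resolve method and the temporary directory layout are assumptions made for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class CanonicalGuard {            // hypothetical name, not a servlet API class
    private final Path root;             // canonical web application root
    private final Path protectedDir;     // canonical <root>/WEB-INF

    CanonicalGuard(File webRoot) throws IOException {
        // Store canonical forms once, so only incoming requests need canonicalizing.
        this.root = webRoot.getCanonicalFile().toPath();
        this.protectedDir = new File(webRoot, "WEB-INF").getCanonicalFile().toPath();
    }

    /** Returns the canonical file for urlPath, or null if the request must be refused. */
    File resolve(String urlPath) throws IOException {
        Path candidate = new File(root.toFile(), urlPath).getCanonicalFile().toPath();
        if (!candidate.startsWith(root)) return null;         // left the root via ".."
        if (candidate.startsWith(protectedDir)) return null;  // resolves into WEB-INF
        return candidate.toFile();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample tree in a temporary directory.
        File webRoot = Files.createTempDirectory("webapp").toFile();
        File webInf = new File(webRoot, "WEB-INF");
        webInf.mkdir();
        new File(webInf, "web.xml").createNewFile();
        new File(webRoot, "index.html").createNewFile();

        CanonicalGuard guard = new CanonicalGuard(webRoot);
        // Whether "/web-inf" canonicalizes to the on-disk "WEB-INF" depends on
        // the platform's file system; where it does not, no such file exists.
        String[] requests = {
            "/index.html", "/WEB-INF/web.xml", "/web-inf/web.xml",
            "/./WEB-INF/../WEB-INF/web.xml", "/../outside.txt"
        };
        for (String r : requests) {
            File f = guard.resolve(r);
            String result = f == null ? "refused" : f.exists() ? "served" : "not found";
            System.out.println(r + " -> " + result);
        }
    }
}
```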


