Skip to content

Clarify raw vs normalized path usage in Vert.x Web routing documentation#2832

Merged
vietj merged 1 commit intovert-x3:masterfrom
mathias82:docs-normalized-path-usage
Jan 7, 2026
Merged

Clarify raw vs normalized path usage in Vert.x Web routing documentation#2832
vietj merged 1 commit intovert-x3:masterfrom
mathias82:docs-normalized-path-usage

Conversation

@mathias82
Copy link
Copy Markdown
Contributor

@mathias82 mathias82 commented Nov 28, 2025

While investigating path aliasing and normalization behavior in Quarkus (which builds on Vert.x Web),
I noticed that developers occasionally assume that HttpServerRequest#path() returns a normalized
path. In reality, this method exposes the raw request path as sent by the client, which may contain
segments such as .., repeated slashes, or other forms that are not suitable for security-sensitive
decisions.

Vert.x Web performs route matching using a normalized version of the request path. This value is
available through RoutingContext#normalizedPath(). However, the current Vert.x Web documentation
does not clearly communicate the relationship between the raw path and the normalized path, which can
lead to:

  • accidental security bypasses when path checks rely on the raw value,
  • developers misunderstanding which API to use for logging or authorization purposes,
  • confusion when routes match a normalized path while logging still reflects an unnormalized one.

What this PR does

This PR updates the Vert.x Web documentation to:

  • explain the difference between HttpServerRequest#path() (raw path) and
    RoutingContext#normalizedPath() (normalized route path),
  • add guidance for using normalizedPath() for security-sensitive comparisons,
  • provide examples that show how unexpected request forms such as /secured/../secured/data may
    resolve to the same route while having a different raw path.

Why this matters

Even though Vert.x routing correctly applies normalization internally, developers implementing custom
security checks, auditing, or path-based authorization may incorrectly rely on the raw path. Documenting
this distinction helps avoid subtle bugs and aligns expectations with the router's behavior.

Related discussion

This change originated from an analysis performed while contributing to Quarkus:
quarkusio/quarkus#51186

A related Vert.x Core tracking issue has been opened here:
#2831

Summary

This documentation improvement ensures developers understand when to use the raw request path and
when to use the normalized path, preventing confusion and reducing the risk of incorrect path-based
security logic.

@mathias82 mathias82 mentioned this pull request Nov 28, 2025
Open
@mathias82 mathias82 force-pushed the docs-normalized-path-usage branch 11 times, most recently from fbc0698 to da3b86d Compare November 28, 2025 19:02
@mathias82 mathias82 mentioned this pull request Nov 28, 2025
Open
@sberyozkin
Copy link
Copy Markdown

sberyozkin commented Nov 28, 2025

CC @vietj @cescoffier

@mathias82
docs(web): add guidance on using RoutingContext#normalizedPath() for …
08176bd 
…security-sensitive path checks

Signed-off-by: MatthaiosStavrou <m_stauroy@hotmail.com>
@mathias82 mathias82 force-pushed the docs-normalized-path-usage branch from da3b86d to 08176bd Compare November 28, 2025 20:45
@vietj vietj added this to the 5.1.0 milestone Jan 7, 2026
@vietj vietj merged commit cc2c56d into vert-x3:master Jan 7, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

5.1.0

Development

Successfully merging this pull request may close these issues.

3 participants

@mathias82 @sberyozkin @vietj