Posted to dev@tapestry.apache.org by Howard Lewis Ship <hl...@gmail.com> on 2009/12/10 22:26:40 UTC

Re: svn commit: r888946 - in /tapestry/tapestry5/trunk/tapestry-core/src: main/java/org/apache/tapestry5/ main/java/org/apache/tapestry5/internal/services/ main/java/org/apache/tapestry5/services/ test/app1/ test/java/org/apache/tapestry5/integration

I still don't get why context assets, outside of WEB-INF, should ever
be restricted?  Did I miss that conversation?

On Thu, Dec 10, 2009 at 7:40 AM, Robert Zeigler <ro...@scazdl.org> wrote:
> Good catch. I'll fix it.
>
> Robert
>
> On Dec 10, 2009, at 1:53 AM, Ulrich Stärk wrote:
>
>> +1
>>
>> That's a good compromise.
>>
>> Code format is not consistent though; in some places opening brackets are
>> not on a new line in others they are.
>>
>> Uli
>>
>> On 09.12.2009 21:28, robertdzeigler@apache.org wrote:
>>>
>>> Author: robertdzeigler
>>> Date: Wed Dec  9 20:28:13 2009
>>> New Revision: 888946
>>>
>>> URL: http://svn.apache.org/viewvc?rev=888946&view=rev
>>> Log:
>>> TAP5-815: Asset dispatcher allows any file inside the webapp visible and
>>> downloadable
>>> Return 404 instead of 403 for restricted paths; removes chenillekit
>>> contribution; adds default contribution for context assets; adds integration
>>> test.
>>>
>>> Added:
>>>
>>>  tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml
>>>    tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt
>>>
>>>  tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt
>>>
>>>  tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java
>>> Modified:
>>>
>>>  tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java
>>>
>>>  tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java
>>>
>>>  tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
>>>
>>>  tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
>>>
>>>  tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java
>>>
>>>  tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java
>>>
>>> Modified:
>>> tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java
>>> URL:
>>> http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java?rev=888946&r1=888945&r2=888946&view=diff
>>>
>>> ==============================================================================
>>> ---
>>> tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java
>>> (original)
>>> +++
>>> tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java
>>> Wed Dec  9 20:28:13 2009
>>> @@ -275,4 +275,13 @@
>>>      */
>>>     public static final String BLACKBIRD  = "tapestry.blackbird";
>>>
>>> +    /**
>>> +     * Whether assets in the web application's context directory are
>>> available by default.
>>> +     * If true (the default), tapestry will provide conributions to the
>>> appropriate services (RegexAuthorizer) to allow access
>>> +     * to .js, .jpg, .jpeg, .png, .gif, and .css assets that reside
>>> within the application context.
>>> +     * If false, no such contributions will be made, and access to those
>>> resources will be restricted
>>> +     * without explicit user contributions.
>>> +     */
>>> +    public static final String CONTEXT_ASSETS_AVAILABLE
>>> ="tapestry.context-assets-available";
>>> +
>>>  }
>>>
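Review bot: typo in the new javadoc on the `+     * If true (the default), tapestry will provide conributions to the` line: "conributions" should be "contributions" (and "tapestry" is capitalised elsewhere in this file's comments). This comment is the only documentation of the new symbol, so it is worth getting right.
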
>>> Modified:
>>> tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java
>>> URL:
>>> http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java?rev=888946&r1=888945&r2=888946&view=diff
>>>
>>> ==============================================================================
>>> ---
>>> tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java
>>> (original)
>>> +++
>>> tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java
>>> Wed Dec  9 20:28:13 2009
>>> @@ -77,7 +77,7 @@
>>>                     if (auth.accessDenied(resourcePath))
>>>                     {
>>>                         logger.debug("Denying access to " +
>>> resourcePath);
>>> -
>>>  response.sendError(HttpServletResponse.SC_FORBIDDEN,resourcePath);
>>> +
>>>  response.sendError(HttpServletResponse.SC_NOT_FOUND, resourcePath);
>>>                         return true;
>>>                     }
>>>                 }
>>>
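Review bot: the new `response.sendError(HttpServletResponse.SC_NOT_FOUND, resourcePath)` still echoes the request-supplied `resourcePath` into the error message, which a container's default error page may render back to the client; the path is already logged at debug level on the line above, so consider a fixed message (or `sendError(SC_NOT_FOUND)` alone) so nothing from the request is reflected. Returning 404 rather than 403 is a sensible change in itself, since it stops the response from confirming that a restricted resource exists.
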
>>> Modified:
>>> tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
>>> URL:
>>> http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java?rev=888946&r1=888945&r2=888946&view=diff
>>>
>>> ==============================================================================
>>> ---
>>> tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
>>> (original)
>>> +++
>>> tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
>>> Wed Dec  9 20:28:13 2009
>>> @@ -2113,6 +2113,8 @@
>>>         configuration.add(SymbolConstants.ENCODE_LOCALE_INTO_PATH,
>>> "true");
>>>
>>>         configuration.add(SymbolConstants.BLACKBIRD_ENABLED, "false");
>>> +
>>> +        configuration.add(SymbolConstants.CONTEXT_ASSETS_AVAILABLE,
>>> "true");
>>>     }
>>>
>>>
>>> @@ -2508,13 +2510,16 @@
>>>     public void contributeRegexAuthorizer(Configuration<String>  regex,
>>>                 @Symbol("tapestry.scriptaculous.path") String scriptPath,
>>>                 @Symbol("tapestry.blackbird.path") String blackbirdPath,
>>> -                @Symbol("tapestry.datepicker.path") String
>>> datepickerPath)
>>> -    {
>>> -        //allow any js, jpg, jpeg, png, or css under
>>> org/chenillekit/tapstry. The funky bit of ([^/.]+/)* is what allows
>>> +                @Symbol("tapestry.datepicker.path") String
>>> datepickerPath,
>>> +                @Symbol(SymbolConstants.CONTEXT_ASSETS_AVAILABLE)
>>> boolean contextAvailable,
>>> +                @Symbol(SymbolConstants.APPLICATION_VERSION) String
>>> appVersion)
>>> +    {
>>> +        //allow any js, jpg, jpeg, png, or css under
>>> org/apache/tapestry5, along with
>>> +        //resources for blackbird, scriptaculous, and the date picker.
>>> +        // The funky bit of ([^/.]+/)* is what allows
>>>         //multiple paths, while not allowing any of those paths to
>>> contains ./ or ../ thereby preventing paths like:
>>> -        //org/chenillekit/tapestry/../../../foo.js
>>> +        //org/apache/tapestry5/../../../foo.js
>>>         String pathPattern =
>>> "([^/.]+/)*[^/.]+\\.((css)|(js)|(jpg)|(jpeg)|(png)|(gif))$";
>>> -        regex.add("^org/chenillekit/tapestry/" + pathPattern);
>>>
>>>         regex.add("^org/apache/tapestry5/" + pathPattern);
>>>
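Review bot: the rewritten comment at `+        //allow any js, jpg, jpeg, png, or css under` still omits gif, which `pathPattern` does accept; add it. Also note that `[^/.]+` refuses a dot anywhere in a segment, not only the `./` and `../` forms the comment mentions, so a directory such as `v1.2/` can never be whitelisted by this pattern; if that is intentional the comment should say so. Removing the `^org/chenillekit/tapestry/` rule is a behaviour change for ChenilleKit users that the log message records but nothing in the code documents.
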
>>> @@ -2523,6 +2528,10 @@
>>>         regex.add(scriptPath + "/" + pathPattern);
>>>         //allow access to virtual assets. Critical for tapestry-combined
>>> js files.
>>>         regex.add("virtual/" + pathPattern);
>>> +
>>> +        if (contextAvailable) {
>>> +            regex.add(RequestConstants.CONTEXT_FOLDER + appVersion + "/"
>>> + pathPattern);
>>> +        }
>>>     }
>>>
>>>  }
>>>
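Review bot: two problems with `+            regex.add(RequestConstants.CONTEXT_FOLDER + appVersion + "/"`. First, `appVersion` is concatenated raw into the regex, so a version such as `1.0` has its `.` match any character, and a version containing `(`, `+` or `*` makes the pattern invalid or broader than intended; wrap it in `Pattern.quote(appVersion)`. Second, nothing in `pathPattern` refuses a `WEB-INF/` or `META-INF/` segment (neither contains a dot), so a `.js` or `.css` below WEB-INF is whitelisted by this default rule even though TAP5-815 is about exactly that directory; reject those segments explicitly, as proposed later in this thread. Minor: unlike the `^org/apache/tapestry5/` rule this entry is not anchored with `^` (which matters if the authorizer uses find() rather than matches()), and `if (contextAvailable) {` puts the brace on the same line while the rest of the file puts it on the next.
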
>>> Added:
>>> tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml
>>> URL:
>>> http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml?rev=888946&view=auto
>>>
>>> ==============================================================================
>>> ---
>>> tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml
>>> (added)
>>> +++
>>> tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml
>>> Wed Dec  9 20:28:13 2009
>>> @@ -0,0 +1,4 @@
>>> +<html t:type="Border"
>>> xmlns:t="http://tapestry.apache.org/schema/tapestry_5_1_0.xsd">
>>> +<a href="${asset:context:availablefile.txt}">Available File</a>
>>> +<a href="${asset:context:unavailablefile.txt}">Unavailable File</a>
>>> +</html>
>>> \ No newline at end of file
>>>
>>> Added:
>>> tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt
>>> URL:
>>> http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt?rev=888946&view=auto
>>>
>>> ==============================================================================
>>> ---
>>> tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt
>>> (added)
>>> +++
>>> tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt Wed
>>> Dec  9 20:28:13 2009
>>> @@ -0,0 +1 @@
>>> +This file should be available to clients.
>>> \ No newline at end of file
>>>
>>> Added:
>>> tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt
>>> URL:
>>> http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt?rev=888946&view=auto
>>>
>>> ==============================================================================
>>> ---
>>> tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt
>>> (added)
>>> +++
>>> tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt Wed
>>> Dec  9 20:28:13 2009
>>> @@ -0,0 +1 @@
>>> +This file should not be available to clients.
>>> \ No newline at end of file
>>>
>>> Modified:
>>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
>>> URL:
>>> http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java?rev=888946&r1=888945&r2=888946&view=diff
>>>
>>> ==============================================================================
>>> ---
>>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
>>> (original)
>>> +++
>>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
>>> Wed Dec  9 20:28:13 2009
>>> @@ -3225,4 +3225,17 @@
>>>
>>>         assertTextPresent("Car Model: E-Class");
>>>     }
>>> +
>>> +    /** TAP5-815 */
>>> +    @Test
>>> +    public void testAssetProtection()
>>> +    {
>>> +        start("Asset Protection Demo");
>>> +        clickAndWait("link=Unavailable File");
>>> +        assertTextPresent("404");
>>> +
>>> +        start("Asset Protection Demo");
>>> +        clickAndWait("link=Available File");
>>> +        assertTextPresent("This file should be available to clients.");
>>> +    }
>>>  }
>>>
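Review bot: `assertTextPresent("404")` in `testAssetProtection` is a loose check: it passes if "404" appears anywhere on the page (a build number, a timestamp) and would also pass if the file were served with that string in its contents. Assert on the response status, or on the container's distinctive not-found text, instead. Since `unavailablefile.txt` sits at the context root and TAP5-815 is about files below WEB-INF, also consider a second case that requests a path under WEB-INF and expects 404.
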
>>> Added:
>>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java
>>> URL:
>>> http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java?rev=888946&view=auto
>>>
>>> ==============================================================================
>>> ---
>>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java
>>> (added)
>>> +++
>>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java
>>> Wed Dec  9 20:28:13 2009
>>> @@ -0,0 +1,19 @@
>>> +// Copyright 2009 The Apache Software Foundation
>>> +//
>>> +// Licensed under the Apache License, Version 2.0 (the "License");
>>> +// you may not use this file except in compliance with the License.
>>> +// You may obtain a copy of the License at
>>> +//
>>> +//      http://www.apache.org/licenses/LICENSE-2.0
>>> +//
>>> +// Unless required by applicable law or agreed to in writing, software
>>> +// distributed under the License is distributed on an "AS IS" BASIS,
>>> +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
>>> implied.
>>> +// See the License for the specific language governing permissions and
>>> +// limitations under the License.
>>> +
>>> +package org.apache.tapestry5.integration.app1.pages;
>>> +
>>> +public class AssetProtectionDemo
>>> +{
>>> +}
>>>
>>> Modified:
>>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java
>>> URL:
>>> http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java?rev=888946&r1=888945&r2=888946&view=diff
>>>
>>> ==============================================================================
>>> ---
>>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java
>>> (original)
>>> +++
>>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java
>>> Wed Dec  9 20:28:13 2009
>>> @@ -391,7 +391,9 @@
>>>
>>>             new Item("ImageSubmitDemo", "Submit with an Image Demo",
>>> "Make sure that submit with the image parameter set triggers the 'selected'
>>> event."),
>>>
>>> -            new Item("SelectZoneDemo", "Select Zone Demo", "Use a Select
>>> component to update a zone.")
>>> +            new Item("SelectZoneDemo", "Select Zone Demo", "Use a Select
>>> component to update a zone."),
>>> +
>>> +            new Item("AssetProtectionDemo", "Asset Protection Demo",
>>> "AssetProtectionDispatcher is properly contributed and functioning")
>>>
>>>     );
>>>
>>>
>>> Modified:
>>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java
>>> URL:
>>> http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java?rev=888946&r1=888945&r2=888946&view=diff
>>>
>>> ==============================================================================
>>> ---
>>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java
>>> (original)
>>> +++
>>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java
>>> Wed Dec  9 20:28:13 2009
>>> @@ -23,6 +23,7 @@
>>>  import org.apache.tapestry5.ioc.MappedConfiguration;
>>>  import org.apache.tapestry5.ioc.OrderedConfiguration;
>>>  import org.apache.tapestry5.ioc.annotations.Marker;
>>> +import org.apache.tapestry5.ioc.annotations.Symbol;
>>>  import org.apache.tapestry5.ioc.internal.util.CollectionFactory;
>>>  import org.apache.tapestry5.services.*;
>>>  import org.apache.tapestry5.test.JettyRunner;
>>> @@ -258,21 +259,9 @@
>>>         configuration.add("ReverseStringsWorker", new
>>> ReverseStringsWorker());
>>>     }
>>>
>>> -    public static void contributeRegexAuthorizer(Configuration<String>
>>>  configuration) {
>>> -        //use this rather than a blanket regex (^.*.jpg$, etc.); want to
>>> be sure that tests pass from the default
>>> -        //configuration setup, (eg: this way, I realized that the
>>> "virtual" assets folder
>>> -        //needed to be opened up in the tapestry-provided contributions)
>>> rather than from some blanket configuration in the appmodule
>>> -        //opening up all css, js, etc. files.
>>> -        //would contribute to whitelist except that the resource path
>>> between ctxt and the rest of the path can change.
>>> -        configuration.add("^ctx/[^/]+/css/app\\.css$");
>>> -        configuration.add("^ctx/[^/]+/layout/style\\.css$");
>>> -        configuration.add("^ctx/[^/]+/layout/images/bg\\.gif$");
>>> -        configuration.add("^ctx/[^/]+/layout/images/header\\.gif$");
>>> -        configuration.add("^ctx/[^/]+/layout/images/rightsmall\\.gif$");
>>> -        configuration.add("^ctx/[^/]+/layout/images/rightbig\\.gif$");
>>> -        configuration.add("^ctx/[^/]+/layout/images/bottom\\.gif$");
>>> -        configuration.add("^ctx/[^/]+/layout/images/footer\\.gif$");
>>> -        configuration.add("^ctx/[^/]+/images/tapestry_banner\\.gif$");
>>> -        configuration.add("^ctx/[^/]+/images/asf_logo_wide\\.gif$");
>>> +    public static void contributeWhitelistAuthorizer(
>>> +            Configuration<String>  configuration,
>>> +            @Symbol(SymbolConstants.APPLICATION_VERSION) String
>>> appVersion) {
>>> +        configuration.add("ctx/" + appVersion + "/availablefile.txt");
>>>     }
>>>  }
>>>
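Review bot: `configuration.add("ctx/" + appVersion + "/availablefile.txt")` hard-codes the `ctx/` prefix that TapestryModule obtains from `RequestConstants.CONTEXT_FOLDER`; use the same constant so the test module cannot drift from the dispatcher. The removed comment also recorded why the test app avoided blanket regexes (to be sure the tests pass from the default configuration); that reasoning now rests on the new default context contribution, which deserves a one-line note so the next reader does not reintroduce per-file entries.
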
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tapestry.apache.org
>> For additional commands, e-mail: dev-help@tapestry.apache.org



-- 
Howard M. Lewis Ship

Creator of Apache Tapestry

The source for Tapestry training, mentoring and support. Contact me to
learn how I can get you up and productive in Tapestry fast!

(971) 678-5210
http://howardlewisship.com


Re: svn commit: r888946 - in /tapestry/tapestry5/trunk/tapestry-core/src: main/java/org/apache/tapestry5/ main/java/org/apache/tapestry5/internal/services/ main/java/org/apache/tapestry5/services/ test/app1/ test/java/org/apache/tapestry5/integration

Posted by Howard Lewis Ship <hl...@gmail.com>.
See and I think that's just backwards. Yes, it's unfortunate that you
can access the contents of WEB-INF (this was not intentional, clearly
a bug), but the solution, then, is to not allow access to the contents
of WEB-INF, rather than require the white-listing of everything not in
WEB-INF.

I'd rather see some code that checked to see if the incoming asset
path was for contents inside WEB-INF and 404 that.  That's something
hard and fast that can be written in code.

On Thu, Dec 10, 2009 at 4:56 PM, Robert Zeigler <ro...@scazdl.org> wrote:
> So it turns out that 5.0 and >5.1 handle context assets differently.
>
> In 5.0, a reference like ${asset:context:foo.txt} will generate a URL like:
> http://domain/context/foo.txt
>
> In 5.1, the same reference generates a URL like:
> http://domain/context/assets/ctx/appversion/foo.txt
>
> URLs like:
> http://domain/context/foo.txt
>
> still work, of course.  The disconcerting thing is that:
> http://domain/context/assets/ctx/appversion/WEB-INF/
>
> also works.
> And so does:
> http://domain/context/assets/ctx/WEB-INF/web.xml
>
> And so forth.
>
> So we absolutely have to monitor assets of type ctx just like we monitor any
> other asset request (and a contribution like: "^ctx.*$" is no good, either.
> ;).
>
> Instead, we have a contribution that opens up context assets of type .js,
> .css, .jpeg, .jpg, .png.... in other words, the most common cases.
> It's easy enough to add additional contributions.
>
> But it was important to me that it be just as easy to turn off the
> contribution.  Because although context assets are available by default,
> it's certainly possible to secure them, as well (via web.xml, and other
> mechanisms).  So I felt it important that the default contribution be easily
> turned off.
>
> I'm willing to be wrong on this, but, I'm not convinced, yet. ;)
>
> Robert
>
> On Dec 10, 2009, at 4:19 PM, Howard Lewis Ship wrote:
>
>> Right, so again, where's the need to restrict the context coming from?
>> I don't like this.
>>
>> On Thu, Dec 10, 2009 at 1:39 PM, Thiago H. de Paula Figueiredo
>> <th...@gmail.com> wrote:
>>>
>>> On Thu, 10 Dec 2009 19:26:40 -0200, Howard Lewis Ship <hl...@gmail.com>
>>> wrote:
>>>
>>>> I still don't get why context assets, outside of WEB-INF, should ever
>>>> be restricted?  Did I miss that conversation?
>>>
>>> This was discussed yesterday. I'm also late to it. :( I think that Tapestry
>>> should come with reasonable defaults out of the box, and restricting context
>>> assets isn't reasonable, as they're accessible in a pure servlet
>>> application. Anyway, if something is in the context and isn't below WEB-INF,
>>> it is meant to be public. The original problem was classpath files being
>>> accessible by default.
>>>
>>> --
>>> Thiago H. de Paula Figueiredo
>>> Independent Java, Apache Tapestry 5 and Hibernate consultant, developer,
>>> and
>>> instructor
>>> Owner, software architect and developer, Ars Machina Tecnologia da
>>> Informação Ltda.
>>> http://www.arsmachina.com.br
>>>




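As an added example (not part of the thread and not Tapestry's own code), the whitelist pattern from the r888946 patch run against a few constructed asset paths, beside the explicit WEB-INF check Howard proposes above. The `ctx/` prefix is the one visible in the AppModule hunk; the version string, class and method names are assumptions, as is full-match (`matches()`) semantics for the RegexAuthorizer, which the page does not show.

```java
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example: reproduces the context-asset whitelist rule contributed in
 * r888946 and contrasts it with a hardened variant that quotes the version
 * string and refuses WEB-INF / META-INF segments. Everything here is a
 * stand-in for illustration, not Tapestry's RegexAuthorizer.
 */
public class ContextAssetWhitelistDemo
{
    // Same pattern as TapestryModule.contributeRegexAuthorizer in the patch.
    static final String PATH_PATTERN =
            "([^/.]+/)*[^/.]+\\.((css)|(js)|(jpg)|(jpeg)|(png)|(gif))$";

    // Constructed stand-in for RequestConstants.CONTEXT_FOLDER + appVersion.
    static final String APP_VERSION = "1.0.0";

    // As in the patch: appVersion concatenated raw, so '.' matches any character.
    static final Pattern CONTEXT_RULE_UNQUOTED =
            Pattern.compile("^ctx/" + APP_VERSION + "/" + PATH_PATTERN);

    // Hardened: the version is a literal, not a sub-pattern.
    static final Pattern CONTEXT_RULE =
            Pattern.compile("^ctx/" + Pattern.quote(APP_VERSION) + "/" + PATH_PATTERN);

    /** Whitelist check as the patch contributes it (context rule only). */
    static boolean allowedByPatch(String assetPath)
    {
        return CONTEXT_RULE_UNQUOTED.matcher(assetPath).matches();
    }

    /** Whitelist plus the explicit directory refusal proposed in the thread. */
    static boolean allowedHardened(String assetPath)
    {
        if (!CONTEXT_RULE.matcher(assetPath).matches()) return false;
        for (String segment : assetPath.split("/"))
        {
            if (segment.equalsIgnoreCase("WEB-INF") || segment.equalsIgnoreCase("META-INF"))
                return false;
        }
        return true;
    }

    public static void main(String[] args)
    {
        // Constructed sample paths; the traversal and WEB-INF forms mirror the thread.
        List<String> samples = List.of(
                "ctx/1.0.0/layout/style.css",        // legitimate context asset: both allow
                "ctx/1.0.0/WEB-INF/web.xml",         // refused by the extension list: both deny
                "ctx/1.0.0/WEB-INF/classes/app.js",  // no dot in "WEB-INF": patch allows, hardened denies
                "ctx/1.0.0/../../../foo.js",         // ".." contains dots, so [^/.]+ rejects it: both deny
                "ctx/1x0x0/images/logo.gif");        // only the unquoted "1.0.0" matches "1x0x0"
        for (String p : samples)
            System.out.printf("%-38s patch=%-5b hardened=%b%n",
                    p, allowedByPatch(p), allowedHardened(p));
    }
}
```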

Re: svn commit: r888946 - in /tapestry/tapestry5/trunk/tapestry-core/src: main/java/org/apache/tapestry5/ main/java/org/apache/tapestry5/internal/services/ main/java/org/apache/tapestry5/services/ test/app1/ test/java/org/apache/tapestry5/integration

Posted by Robert Zeigler <ro...@scazdl.org>.
So it turns out that 5.0 and >5.1 handle context assets differently.

In 5.0, a reference like ${asset:context:foo.txt} will generate a URL like:
http://domain/context/foo.txt

In 5.1, the same reference generates a URL like:
http://domain/context/assets/ctx/appversion/foo.txt

URLs like:
http://domain/context/foo.txt

still work, of course.  The disconcerting thing is that:
http://domain/context/assets/ctx/appversion/WEB-INF/

also works.
And so does:
http://domain/context/assets/ctx/WEB-INF/web.xml

And so forth.

So we absolutely have to monitor assets of type ctx just like we monitor
any other asset request (and a contribution like: "^ctx.*$" is no good,
either. ;).

Instead, we have a contribution that opens up context assets of type .js,
.css, .jpeg, .jpg, .png.... in other words, the most common cases.
It's easy enough to add additional contributions.

But it was important to me that it be just as easy to turn off the
contribution.  Because although context assets are available by default,
it's certainly possible to secure them, as well (via web.xml, and other
mechanisms).  So I felt it important that the default contribution be
easily turned off.

I'm willing to be wrong on this, but, I'm not convinced, yet. ;)

Robert

On Dec 10, 2009, at 4:19 PM, Howard Lewis Ship wrote:

> Right, so again, where's the need to restrict the context coming from?
> I don't like this.
>
> On Thu, Dec 10, 2009 at 1:39 PM, Thiago H. de Paula Figueiredo
> <th...@gmail.com> wrote:
>> On Thu, 10 Dec 2009 19:26:40 -0200, Howard Lewis Ship <hlship@gmail.com>
>> wrote:
>>
>>> I still don't get why context assets, outside of WEB-INF, should ever
>>> be restricted?  Did I miss that conversation?
>>
>> This was discussed yesterday. I'm also late to it. :( I think that Tapestry
>> should come with reasonable defaults out of the box, and restricting context
>> assets isn't reasonable, as they're accessible in a pure servlet
>> application. Anyway, if something is in the context and isn't below WEB-INF,
>> it is meant to be public. The original problem was classpath files being
>> accessible by default.
>>


Re: svn commit: r888946 - in /tapestry/tapestry5/trunk/tapestry-core/src: main/java/org/apache/tapestry5/ main/java/org/apache/tapestry5/internal/services/ main/java/org/apache/tapestry5/services/ test/app1/ test/java/org/apache/tapestry5/integration

Posted by Howard Lewis Ship <hl...@gmail.com>.
Right, so again, where's the need to restrict the context coming from?
I don't like this.

On Thu, Dec 10, 2009 at 1:39 PM, Thiago H. de Paula Figueiredo
<th...@gmail.com> wrote:
> On Thu, 10 Dec 2009 19:26:40 -0200, Howard Lewis Ship <hl...@gmail.com>
> wrote:
>
>> I still don't get why context assets, outside of WEB-INF, should ever
>> be restricted?  Did I miss that conversation?
>
> This was discussed yesterday. I'm also late to it. :( I think that Tapestry
> should come with reasonable defaults out of the box, and restricting context
> assets isn't reasonable, as they're accessible in a pure servlet
> application. Anyway, if something is in the context and isn't below WEB-INF,
> it is meant to be public. The original problem was classpath files being
> accessible by default.
>


Re: svn commit: r888946 - in /tapestry/tapestry5/trunk/tapestry-core/src: main/java/org/apache/tapestry5/ main/java/org/apache/tapestry5/internal/services/ main/java/org/apache/tapestry5/services/ test/app1/ test/java/org/apache/tapestry5/integration

Posted by "Thiago H. de Paula Figueiredo" <th...@gmail.com>.
On Thu, 10 Dec 2009 19:26:40 -0200, Howard Lewis Ship <hl...@gmail.com>
wrote:

> I still don't get why context assets, outside of WEB-INF, should ever
> be restricted?  Did I miss that conversation?

This was discussed yesterday. I'm also late to it. :( I think that  
Tapestry should come with reasonable defaults out of the box, and  
restricting context assets isn't reasonable, as they're accessible in a  
pure servlet application. Anyway, if something is in the context and isn't  
below WEB-INF, it is meant to be public. The original problem was  
classpath files being accessible by default.
