You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tapestry.apache.org by kranga <kr...@k2d2.org> on 2005/01/07 18:43:57 UTC
Page render time in source code (and generator meta tag)
1) What exactly does the page render time measure? Time from request being
received to time when response started to stream to client? Does tapestry
buffer the full response before sending it out? Does the time also include
sending the stream till the last bit (because on a slow connection, that
will report an incorrect value).
2) How do I stop the generator meta tag from being displayed? I don't want
the world to know that the application uses Tapestry for obvious security
reasons...
Thanks
---------------------------------------------------------------------
To unsubscribe, e-mail: tapestry-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tapestry-user-help@jakarta.apache.org
Re: Page render time in source code (and generator meta tag)
Posted by Erik Hatcher <er...@ehatchersolutions.com>.
On Jan 7, 2005, at 1:35 PM, kranga wrote:
> I agree with everything you have said. However, when dealing with IT
> department regulations, arguments will not help. Do you know how to
> take the
> generator tag out?
Don't use the @Shell component - thats the only way to do it, or modify
Tapestry's source code.
Erik
---------------------------------------------------------------------
To unsubscribe, e-mail: tapestry-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tapestry-user-help@jakarta.apache.org
Re: Page render time in source code (and generator meta tag)
Posted by kranga <kr...@k2d2.org>.
I agree with everything you have said. However, when dealing with IT
department regulations, arguments will not help. Do you know how to take the
generator tag out?
H.L. Ship, please shed some light...
----- Original Message -----
From: "Jim Zajkowski" <ji...@jimz.net>
To: "Tapestry users" <ta...@jakarta.apache.org>
Sent: Friday, January 07, 2005 12:57 PM
Subject: Re: Page render time in source code (and generator meta tag)
> On Jan 7, 2005, at 12:43 PM, kranga wrote:
>
> > I don't want the world to know that the application uses Tapestry for
> > obvious security reasons...
>
> Personally, I can't think of an obvious security reason.
>
> From my experience, attackers usually fall into three categories:
> motivated but not skilled; the motivated, professional sophisticated
> attacker; and insiders.
>
> Generally speaking, the first group will try every wrench they know,
> and it doesn't matter if you tell them you're using Tapestry or not. I
> think anyone who has dumb IIS exploits appearing in their apache logs
> knows about this.
>
> Or the attacker is sophisticated and will be able to figure it out
> either way. They may be financially motivated or funded. You really
> won't be able to hide what your back-end is using from them, and they
> may not need to know.
>
> TCP fingerprinting can reveal a host's operating system. HTTP headers,
> URLs, form names, and other protocol bits all dead give-aways.
>
> --Jim
>
> --
> Jim Zajkowski OpenPGP 0x21135C3 http://www.jimz.net/pgp.asc
> System Administrator 8A9E 1DDF 944D 83C3 AEAB 8F74 8697 A823 2113 5C53
> UM Life Sciences Institute
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tapestry-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tapestry-user-help@jakarta.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: tapestry-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tapestry-user-help@jakarta.apache.org
Re: Page render time in source code (and generator meta tag)
Posted by Jim Zajkowski <ji...@jimz.net>.
On Jan 7, 2005, at 12:43 PM, kranga wrote:
> I don't want the world to know that the application uses Tapestry for
> obvious security reasons...
Personally, I can't think of an obvious security reason.
From my experience, attackers usually fall into three categories:
motivated but not skilled; the motivated, professional sophisticated
attacker; and insiders.
Generally speaking, the first group will try every wrench they know,
and it doesn't matter if you tell them you're using Tapestry or not. I
think anyone who has dumb IIS exploits appearing in their apache logs
knows about this.
Or the attacker is sophisticated and will be able to figure it out
either way. They may be financially motivated or funded. You really
won't be able to hide what your back-end is using from them, and they
may not need to know.
TCP fingerprinting can reveal a host's operating system. HTTP headers,
URLs, form names, and other protocol bits all dead give-aways.
--Jim
--
Jim Zajkowski OpenPGP 0x21135C3 http://www.jimz.net/pgp.asc
System Administrator 8A9E 1DDF 944D 83C3 AEAB 8F74 8697 A823 2113 5C53
UM Life Sciences Institute
---------------------------------------------------------------------
To unsubscribe, e-mail: tapestry-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tapestry-user-help@jakarta.apache.org
Re: Page render time in source code (and generator meta tag)
Posted by Paul Ferraro <pm...@columbia.edu>.
kranga wrote:
>1) What exactly does the page render time measure?
>
The duration of the Shell component's render cycle.
> Time from request being
>received to time when response started to stream to client?
>
The measured time has only relative meaning since it will most likely
include a mix of both buffering and streaming.
Determining when streaming actually happens is somewhat complicated
since there is buffering happening all over the place:
* the AbstractMarkupWriter internally uses a BufferedWriter
* the ResponseOutputStream (wraps ServletOutputStream) has a default
max buffer size of 2000 and defers the opening of the ServletOutputStream.
* the Body component buffers its entire output
* your servlet container's ServletOutputStream implementation may also
choose to implement its own buffering.
> Does tapestry
>buffer the full response before sending it out?
>
No - although the Body component buffers it's full output.
> Does the time also include
>sending the stream till the last bit (because on a slow connection, that
>will report an incorrect value).
>
>
>
No - the Shell component does not flush its HTMLMarkupWriter.
>2) How do I stop the generator meta tag from being displayed? I don't want
>the world to know that the application uses Tapestry for obvious security
>reasons...
>
>
>
The generator meta tag as well as header/footer comments are generated
by the Shell component.
The only way to omit these is to not use the Shell component. Writing
your own is fairly trivial.
Paul
>Thanks
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: tapestry-user-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: tapestry-user-help@jakarta.apache.org
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: tapestry-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tapestry-user-help@jakarta.apache.org