Posted to users@tapestry.apache.org by angelochen <an...@yahoo.com.hk> on 2011/12/07 10:56:29 UTC

T5.3: do we still need AssetProtectionDispatcher?

Hi,

Have been using Robert's AssetProtectionDispatcher to protect assets in the
versions prior to 5.3, do we still need that for 5.3?

Thanks,

Angelo

--
View this message in context: http://tapestry.1045711.n5.nabble.com/T5-3-do-we-still-need-AssetProtectionDispatcher-tp5055048p5055048.html
Sent from the Tapestry - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org


Re: T5.3: do we still need AssetProtectionDispatcher?

Posted by angelochen <an...@yahoo.com.hk>.
Hi Robert,

Thanks for the confirmation, it has been so useful in securing my apps, 
would like to try that again when 5.3 is available.

Angelo



Re: T5.3: do we still need AssetProtectionDispatcher?

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
Nope. It will not. 



On Dec 7, 2011, at 5:37 PM, "Martin Strand" <do...@gmail.com> wrote:

> What if there is no trailing slash, won't that give you a directory listing anyway?
> 
> 
> On Wed, 07 Dec 2011 22:29:45 +0100, Lenny Primak <lp...@hope.nyc.ny.us> wrote:
> 
>> Jira created: https://issues.apache.org/jira/browse/TAP5-1779
>> 
>> On Dec 7, 2011, at 2:25 PM, David Rees wrote:
>> 
>>> On Wed, Dec 7, 2011 at 10:53 AM, Lenny Primak <lp...@hope.nyc.ny.us> wrote:
>>>> You can still get a directory listing of assets, but you can't access them directly.
>>>> I have a fix in the flowlogix library for this, but perhaps I should file a JIRA...
>>> 
>>> Yeah, you should.  That's an information disclosure security bug...
> 


Re: T5.3: do we still need AssetProtectionDispatcher?

Posted by Martin Strand <do...@gmail.com>.
What if there is no trailing slash, won't that give you a directory listing anyway?


On Wed, 07 Dec 2011 22:29:45 +0100, Lenny Primak <lp...@hope.nyc.ny.us> wrote:

> Jira created: https://issues.apache.org/jira/browse/TAP5-1779
>
> On Dec 7, 2011, at 2:25 PM, David Rees wrote:
>
>> On Wed, Dec 7, 2011 at 10:53 AM, Lenny Primak <lp...@hope.nyc.ny.us> wrote:
>>> You can still get a directory listing of assets, but you can't access them directly.
>>> I have a fix in the flowlogix library for this, but perhaps I should file a JIRA...
>>
>> Yeah, you should.  That's an information disclosure security bug...



Re: T5.3: do we still need AssetProtectionDispatcher?

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
Jira created: https://issues.apache.org/jira/browse/TAP5-1779

On Dec 7, 2011, at 2:25 PM, David Rees wrote:

> On Wed, Dec 7, 2011 at 10:53 AM, Lenny Primak <lp...@hope.nyc.ny.us> wrote:
>> You can still get a directory listing of assets, but you can't access them directly.
>> I have a fix in the flowlogix library for this, but perhaps I should file a JIRA...
> 
> Yeah, you should.  That's an information disclosure security bug...
> 
> -Dave
> 


Re: T5.3: do we still need AssetProtectionDispatcher?

Posted by David Rees <dr...@gmail.com>.
On Wed, Dec 7, 2011 at 10:53 AM, Lenny Primak <lp...@hope.nyc.ny.us> wrote:
> You can still get a directory listing of assets, but you can't access them directly.
> I have a fix in the flowlogix library for this, but perhaps I should file a JIRA...

Yeah, you should.  That's an information disclosure security bug...

-Dave



Re: T5.3: do we still need AssetProtectionDispatcher?

Posted by angelochen <an...@yahoo.com.hk>.
Hi,

Tried that and duplicated the issue; this is the same issue as in 5.2.6, and
that's the reason I use Robert's AssetProtectionDispatcher. Looks like 5.3
and 5.2.6 handle this the same way. Have tried your code and it works. Hope
Robert will have his AssetProtectionDispatcher ready for 5.3 as well.

Thanks, angelo



lprimak wrote
> 
> You can still get a directory listing of assets, but you can't access them
> directly.
> I have a fix in the flowlogix library for this, but perhaps I should file
> a JIRA...
> 
> 
> On Dec 7, 2011, at 8:08 AM, Robert Zeigler wrote:
> 
>> I don't think so. Tapestry's default mechanisms are better now.  I think
>> my Dispatcher is still a bit more stringent and a bit more
>> configurable/flexible, but you shouldn't need it.  That said, I will
>> still go ahead and migrate the service to 5.3 for those who wish to
>> continue using it.
>> 
>> Robert
> 
> 
> 




Re: T5.3: do we still need AssetProtectionDispatcher?

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
You can still get a directory listing of assets, but you can't access them directly.
I have a fix in the flowlogix library for this, but perhaps I should file a JIRA...


On Dec 7, 2011, at 8:08 AM, Robert Zeigler wrote:

> I don't think so. Tapestry's default mechanisms are better now.  I think my Dispatcher is still a bit more stringent and a bit more configurable/flexible, but you shouldn't need it.  That said, I will still go ahead and migrate the service to 5.3 for those who wish to continue using it.
> 
> Robert




Re: T5.3: do we still need AssetProtectionDispatcher?

Posted by Robert Zeigler <ro...@roxanemy.com>.
I don't think so. Tapestry's default mechanisms are better now.  I think my Dispatcher is still a bit more stringent and a bit more configurable/flexible, but you shouldn't need it.  That said, I will still go ahead and migrate the service to 5.3 for those who wish to continue using it.

Robert

On Dec 7, 2011, at 12/73:56 AM , angelochen wrote:

> Hi,
> 
> Have been using Robert's AssetProtectionDispatcher to protect assets in the
> versions prior to 5.3, do we still need that for 5.3?
> 
> Thanks,
> 
> Angelo
> 