Posted to users@tapestry.apache.org by angelochen <an...@yahoo.com.hk> on 2011/12/08 10:24:03 UTC

pagecatalog still visible in production mode

hi,
setting production mode to true in 5.3, servicestatus not show details, but
pagecatalog still shows everything.
what's the easy way to turn this off? Thanks,
angelo

--
View this message in context: http://tapestry.1045711.n5.nabble.com/pagecatalog-still-visible-in-production-mode-tp5058173p5058173.html
Sent from the Tapestry - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org


Re: pagecatalog still visible in production mode

Posted by Bob Harner <bo...@gmail.com>.
Bob Harner
On Dec 8, 2011 10:11 PM, "Martin Strand" <do...@gmail.com>
wrote:

> You could configure your servlet container so that it doesn't return the
> proxy IP as request.remoteAddr, but instead uses the X-Forwarded-For header
> and returns the real client IP.
>
> For Jetty, this is just a matter of setting forwarded=true on the connector
> http://wiki.eclipse.org/Jetty/Howto/Configure_mod_proxy#Configuring_mod_proxy_as_a_Reverse_Proxy.5D:
>
>
> On Fri, 09 Dec 2011 03:59:13 +0100, angelochen <an...@yahoo.com.hk>
> wrote:
>
>> I'd prefer this to have the same behavior as servicestatus, I discovered this
>> when I rolled out a production version:
>>
>> example.com:8080/pagecatalog   this works
>> example.com/pagecatalog   this shows everything
>>
>> because in the server, apache server is used to proxy to tomcat, and t5 sees
>> it as localhost, that's whitelisted.
>>
>>
>> Howard Lewis Ship wrote
>>
>>>
>>> Try accessing PageCatalog from beyond your localhost  ... localhost is
>>> "white listed", other IP addresses are not on the white list unless
>>> you make a specific contribution.
>>>
>>> See:
>>>
>>>
>>> http://tapestry.apache.org/current/apidocs/org/apache/tapestry5/annotations/WhitelistAccessOnly.html
>>>
>>> http://tapestry.apache.org/current/apidocs/org/apache/tapestry5/services/security/ClientWhitelist.html
>>>
>>> On Thu, Dec 8, 2011 at 1:24 AM, angelochen <angelochen960@.com>
>>> wrote:
>>>
>>>> hi,
>>>> setting production mode to true in 5.3, servicestatus not show details,
>>>> but
>>>> pagecatalog still shows everything.
>>>> what's the easy way to turn this off? Thanks,
>>>> angelo
>>>
>>>
>>> --
>>> Howard M. Lewis Ship
>>>
>>> Creator of Apache Tapestry
>>>
>>> The source for Tapestry training, mentoring and support. Contact me to
>>> learn how I can get you up and productive in Tapestry fast!
>>>
>>> (971) 678-5210
>>> http://howardlewisship.com

Re: pagecatalog still visible in production mode

Posted by Martin Strand <do...@gmail.com>.
You could configure your servlet container so that it doesn't return the proxy IP as request.remoteAddr, but instead uses the X-Forwarded-For header and returns the real client IP.

For Jetty, this is just a matter of setting forwarded=true on the connector
http://wiki.eclipse.org/Jetty/Howto/Configure_mod_proxy#Configuring_mod_proxy_as_a_Reverse_Proxy.5D:


On Fri, 09 Dec 2011 03:59:13 +0100, angelochen <an...@yahoo.com.hk> wrote:

> I'd prefer this to have the same behavior as servicestatus, I discovered this
> when I rolled out a production version:
>
> example.com:8080/pagecatalog   this works
> example.com/pagecatalog   this shows everything
>
> because in the server, apache server is used to proxy to tomcat, and t5 sees
> it as localhost, that's whitelisted.
>
>
> Howard Lewis Ship wrote
>>
>> Try accessing PageCatalog from beyond your localhost  ... localhost is
>> "white listed", other IP addresses are not on the white list unless
>> you make a specific contribution.
>>
>> See:
>>
>>
>> http://tapestry.apache.org/current/apidocs/org/apache/tapestry5/annotations/WhitelistAccessOnly.html
>>
>> http://tapestry.apache.org/current/apidocs/org/apache/tapestry5/services/security/ClientWhitelist.html
>>
>> On Thu, Dec 8, 2011 at 1:24 AM, angelochen <angelochen960@.com>
>> wrote:
>>> hi,
>>> setting production mode to true in 5.3, servicestatus not show details,
>>> but
>>> pagecatalog still shows everything.
>>> what's the easy way to turn this off? Thanks,
>>> angelo
>>
>>
>>
>> --
>> Howard M. Lewis Ship
>>
>> Creator of Apache Tapestry
>>
>> The source for Tapestry training, mentoring and support. Contact me to
>> learn how I can get you up and productive in Tapestry fast!
>>
>> (971) 678-5210
>> http://howardlewisship.com


Re: pagecatalog still visible in production mode

Posted by angelochen <an...@yahoo.com.hk>.
I'd prefer this to have the same behavior as servicestatus, I discovered this
when I rolled out a production version:

example.com:8080/pagecatalog   this works
example.com/pagecatalog   this shows everything

because in the server, apache server is used to proxy to tomcat, and t5 sees
it as localhost, that's whitelisted.




Howard Lewis Ship wrote
> 
> Try accessing PageCatalog from beyond your localhost  ... localhost is
> "white listed", other IP addresses are not on the white list unless
> you make a specific contribution.
> 
> See:
> 
>  
> http://tapestry.apache.org/current/apidocs/org/apache/tapestry5/annotations/WhitelistAccessOnly.html
>  
> http://tapestry.apache.org/current/apidocs/org/apache/tapestry5/services/security/ClientWhitelist.html
> 
> On Thu, Dec 8, 2011 at 1:24 AM, angelochen <angelochen960@.com>
> wrote:
>> hi,
>> setting production mode to true in 5.3, servicestatus not show details,
>> but
>> pagecatalog still shows everything.
>> what's the easy way to turn this off? Thanks,
>> angelo
> 
> 
> 
> -- 
> Howard M. Lewis Ship
> 
> Creator of Apache Tapestry
> 
> The source for Tapestry training, mentoring and support. Contact me to
> learn how I can get you up and productive in Tapestry fast!
> 
> (971) 678-5210
> http://howardlewisship.com


--
View this message in context: http://tapestry.1045711.n5.nabble.com/pagecatalog-still-visible-in-production-mode-tp5058173p5060616.html
Sent from the Tapestry - User mailing list archive at Nabble.com.



Re: pagecatalog still visible in production mode

Posted by Howard Lewis Ship <hl...@gmail.com>.
Just added a FAQ for this; will show up live in a couple of hours.

On Fri, Dec 9, 2011 at 10:08 AM, Howard Lewis Ship <hl...@gmail.com> wrote:
> You can do this:
>
>    @Contribute(ClientWhitelist.class)
>    public static void overrideWhiteList(OrderedConfiguration<WhitelistAnalyzer> configuration,
>            @Symbol(SymbolConstants.PRODUCTION_MODE) boolean productionMode)
>    {
>        if (productionMode) { configuration.override("LocalhostOnly", null); }
>    }
>
>
> This is kind of neat, and an example of why configuring in code is
> better than XML ... here, only in production mode we override the
> built-in "LocalhostOnly" contribution to null, effectively removing
> it.
>
> On Thu, Dec 8, 2011 at 3:42 PM, Martin Strand
> <do...@gmail.com> wrote:
>> If I'm not mistaken there is no way to remove a contribution.
>> So if a proxy or load balancer were to mess up Request.getRemoteAddr(), you
>> would have to decorate ClientWhitelist to remove the localhost whitelisting,
>> right?
>>
>>
>> On Thu, 08 Dec 2011 16:29:43 +0100, Howard Lewis Ship <hl...@gmail.com>
>> wrote:
>>
>>> Try accessing PageCatalog from beyond your localhost  ... localhost is
>>> "white listed", other IP addresses are not on the white list unless
>>> you make a specific contribution.
>>>
>>> See:
>>>
>>>
>>>  http://tapestry.apache.org/current/apidocs/org/apache/tapestry5/annotations/WhitelistAccessOnly.html
>>>
>>>  http://tapestry.apache.org/current/apidocs/org/apache/tapestry5/services/security/ClientWhitelist.html
>>>
>>> On Thu, Dec 8, 2011 at 1:24 AM, angelochen <an...@yahoo.com.hk>
>>> wrote:
>>>>
>>>> hi,
>>>> setting production mode to true in 5.3, servicestatus not show details,
>>>> but
>>>> pagecatalog still shows everything.
>>>> what's the easy way to turn this off? Thanks,
>>>> angelo
>>
>>
>
>
>
> --
> Howard M. Lewis Ship
>
> Creator of Apache Tapestry
>
> The source for Tapestry training, mentoring and support. Contact me to
> learn how I can get you up and productive in Tapestry fast!
>
> (971) 678-5210
> http://howardlewisship.com



-- 
Howard M. Lewis Ship

Creator of Apache Tapestry

The source for Tapestry training, mentoring and support. Contact me to
learn how I can get you up and productive in Tapestry fast!

(971) 678-5210
http://howardlewisship.com



Re: pagecatalog still visible in production mode

Posted by Howard Lewis Ship <hl...@gmail.com>.
You can do this:

    @Contribute(ClientWhitelist.class)
    public static void overrideWhiteList(OrderedConfiguration<WhitelistAnalyzer> configuration,
            @Symbol(SymbolConstants.PRODUCTION_MODE) boolean productionMode)
    {
        if (productionMode) { configuration.override("LocalhostOnly", null); }
    }


This is kind of neat, and an example of why configuring in code is
better than XML ... here, only in production mode we override the
built-in "LocalhostOnly" contribution to null, effectively removing
it.

On Thu, Dec 8, 2011 at 3:42 PM, Martin Strand
<do...@gmail.com> wrote:
> If I'm not mistaken there is no way to remove a contribution.
> So if a proxy or load balancer were to mess up Request.getRemoteAddr(), you
> would have to decorate ClientWhitelist to remove the localhost whitelisting,
> right?
>
>
> On Thu, 08 Dec 2011 16:29:43 +0100, Howard Lewis Ship <hl...@gmail.com>
> wrote:
>
>> Try accessing PageCatalog from beyond your localhost  ... localhost is
>> "white listed", other IP addresses are not on the white list unless
>> you make a specific contribution.
>>
>> See:
>>
>>
>>  http://tapestry.apache.org/current/apidocs/org/apache/tapestry5/annotations/WhitelistAccessOnly.html
>>
>>  http://tapestry.apache.org/current/apidocs/org/apache/tapestry5/services/security/ClientWhitelist.html
>>
>> On Thu, Dec 8, 2011 at 1:24 AM, angelochen <an...@yahoo.com.hk>
>> wrote:
>>>
>>> hi,
>>> setting production mode to true in 5.3, servicestatus not show details,
>>> but
>>> pagecatalog still shows everything.
>>> what's the easy way to turn this off? Thanks,
>>> angelo
>
>



-- 
Howard M. Lewis Ship

Creator of Apache Tapestry

The source for Tapestry training, mentoring and support. Contact me to
learn how I can get you up and productive in Tapestry fast!

(971) 678-5210
http://howardlewisship.com
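
Added example (not part of the original thread and not Tapestry's own code): a variant of the override above for the reverse-proxy setup described in this thread, replacing the built-in "LocalhostOnly" analyzer instead of removing it. DirectLocalhostOnly and restrictWhitelist are hypothetical names, and the code assumes the front-end proxy adds X-Forwarded-For to every request it relays, as Apache mod_proxy_http does in reverse-proxy mode.

```java
import org.apache.tapestry5.SymbolConstants;
import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.ioc.annotations.Contribute;
import org.apache.tapestry5.ioc.annotations.Symbol;
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.security.ClientWhitelist;
import org.apache.tapestry5.services.security.WhitelistAnalyzer;

public class AppModule
{
    /**
     * Hypothetical analyzer: a loopback peer is whitelisted only when the
     * request was not relayed by the front-end proxy.
     */
    public static class DirectLocalhostOnly implements WhitelistAnalyzer
    {
        public boolean isRequestOnWhitelist(Request request)
        {
            // Assumption: the proxy stamps X-Forwarded-For on everything it
            // forwards. If the header is present, the loopback address belongs
            // to the proxy, not to the real client, so fail closed. The header
            // value is never trusted as an address; only its presence is used.
            if (request.getHeader("X-Forwarded-For") != null)
            {
                return false;
            }

            // Request.getRemoteHost() is available from Tapestry 5.3.
            String remoteHost = request.getRemoteHost();

            return "localhost".equals(remoteHost)
                || "127.0.0.1".equals(remoteHost)
                || "0:0:0:0:0:0:0:1".equals(remoteHost)
                || "::1".equals(remoteHost);
        }
    }

    @Contribute(ClientWhitelist.class)
    public static void restrictWhitelist(OrderedConfiguration<WhitelistAnalyzer> configuration,
            @Symbol(SymbolConstants.PRODUCTION_MODE) boolean productionMode)
    {
        if (productionMode)
        {
            // Replace, rather than null out, the built-in contribution.
            configuration.override("LocalhostOnly", new DirectLocalhostOnly());
        }
    }
}
```

With this contribution, a request arriving through the proxy is refused because it carries the forwarding header, a remote request straight to the container port is refused because its peer address is not loopback, and only a direct request from the server itself is still whitelisted.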



Re: pagecatalog still visible in production mode

Posted by Martin Strand <do...@gmail.com>.
If I'm not mistaken there is no way to remove a contribution.
So if a proxy or load balancer were to mess up Request.getRemoteAddr(), you would have to decorate ClientWhitelist to remove the localhost whitelisting, right?

On Thu, 08 Dec 2011 16:29:43 +0100, Howard Lewis Ship <hl...@gmail.com> wrote:

> Try accessing PageCatalog from beyond your localhost  ... localhost is
> "white listed", other IP addresses are not on the white list unless
> you make a specific contribution.
>
> See:
>
>   http://tapestry.apache.org/current/apidocs/org/apache/tapestry5/annotations/WhitelistAccessOnly.html
>   http://tapestry.apache.org/current/apidocs/org/apache/tapestry5/services/security/ClientWhitelist.html
>
> On Thu, Dec 8, 2011 at 1:24 AM, angelochen <an...@yahoo.com.hk> wrote:
>> hi,
>> setting production mode to true in 5.3, servicestatus not show details, but
>> pagecatalog still shows everything.
>> what's the easy way to turn this off? Thanks,
>> angelo



Re: pagecatalog still visible in production mode

Posted by Howard Lewis Ship <hl...@gmail.com>.
Try accessing PageCatalog from beyond your localhost  ... localhost is
"white listed", other IP addresses are not on the white list unless
you make a specific contribution.

See:

  http://tapestry.apache.org/current/apidocs/org/apache/tapestry5/annotations/WhitelistAccessOnly.html
  http://tapestry.apache.org/current/apidocs/org/apache/tapestry5/services/security/ClientWhitelist.html

On Thu, Dec 8, 2011 at 1:24 AM, angelochen <an...@yahoo.com.hk> wrote:
> hi,
> setting production mode to true in 5.3, servicestatus not show details, but
> pagecatalog still shows everything.
> what's the easy way to turn this off? Thanks,
> angelo



-- 
Howard M. Lewis Ship

Creator of Apache Tapestry

The source for Tapestry training, mentoring and support. Contact me to
learn how I can get you up and productive in Tapestry fast!

(971) 678-5210
http://howardlewisship.com
