Posted to commits@myfaces.apache.org by lo...@apache.org on 2018/04/19 11:33:53 UTC

[myfaces-tobago] branch master updated: Demo/Doc: Security

This is an automated email from the ASF dual-hosted git repository.

lofwyr pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/myfaces-tobago.git


The following commit(s) were added to refs/heads/master by this push:
     new 47f627a  Demo/Doc: Security
47f627a is described below

commit 47f627a1c1638e66e08c1f202286b4a49d825a13
Author: Udo Schnurpfeil <lo...@apache.org>
AuthorDate: Thu Apr 19 13:33:45 2018 +0200

    Demo/Doc: Security
---
 .../apache/myfaces/tobago/example/demo/Demo.xml    |  3 ++
 .../webapp/content/30-concept/77-focus/focus.xhtml | 15 +++----
 .../{ => 05-csp}/content-security-policy.xhtml     |  8 +++-
 .../80-security/{10 => 10-sanitize}/sanitize.xhtml |  8 ++--
 .../30-concept/80-security/20-roles/roles.xhtml    |  4 +-
 .../content/30-concept/80-security/security.xhtml  | 46 ++++++++++++++++++++++
 6 files changed, 70 insertions(+), 14 deletions(-)

diff --git a/tobago-example/tobago-example-demo/src/main/resources/org/apache/myfaces/tobago/example/demo/Demo.xml b/tobago-example/tobago-example-demo/src/main/resources/org/apache/myfaces/tobago/example/demo/Demo.xml
index c9be892..857952e 100644
--- a/tobago-example/tobago-example-demo/src/main/resources/org/apache/myfaces/tobago/example/demo/Demo.xml
+++ b/tobago-example/tobago-example-demo/src/main/resources/org/apache/myfaces/tobago/example/demo/Demo.xml
@@ -154,6 +154,9 @@
   <entry key="collapsible_section">Section</entry>
   <entry key="accessKey">Access Keys</entry>
   <entry key="dataAttribute">Data Attributes</entry>
+  <entry key="security">Security</entry>
+  <entry key="content_security_policy">Content Security Policy</entry>
+  <entry key="sanitize">Sanitize</entry>
   <entry key="roles">Roles</entry>
 
   <!-- navigate : deprecated -->
diff --git a/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/77-focus/focus.xhtml b/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/77-focus/focus.xhtml
index 4ee513d..1a2a74a 100644
--- a/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/77-focus/focus.xhtml
+++ b/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/77-focus/focus.xhtml
@@ -18,6 +18,7 @@
 -->
 
 <ui:composition template="/main.xhtml"
+                xmlns="http://www.w3.org/1999/xhtml"
                 xmlns:ui="http://java.sun.com/jsf/facelets">
   <ui:param name="title" value="Focus"/>
 
@@ -31,13 +32,13 @@
   </p>
   <p>
     The priority order is:
-    <ul>
-      <li>error (the first error element gets the focus)</li>
-      <li>auto (the element with the tobago tag attribute focus="true" gets the focus)</li>
-      <li>last (the element from the last request with same id gets the focus, not AJAX)</li>
-      <li>page (use the focusId attribute of the tc:page)</li>
-      <li>first (the first input element (without tabindex=-1) gets the focus, not AJAX)</li>
-    </ul>
   </p>
+  <ul>
+    <li>error (the first error element gets the focus)</li>
+    <li>auto (the element with the tobago tag attribute focus="true" gets the focus)</li>
+    <li>last (the element from the last request with same id gets the focus, not AJAX)</li>
+    <li>page (use the focusId attribute of the tc:page)</li>
+    <li>first (the first input element (without tabindex=-1) gets the focus, not AJAX)</li>
+  </ul>
 
 </ui:composition>
diff --git a/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/80-security/content-security-policy.xhtml b/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/80-security/05-csp/content-security-policy.xhtml
similarity index 89%
rename from tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/80-security/content-security-policy.xhtml
rename to tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/80-security/05-csp/content-security-policy.xhtml
index e634d51..b04da0e 100644
--- a/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/80-security/content-security-policy.xhtml
+++ b/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/80-security/05-csp/content-security-policy.xhtml
@@ -18,13 +18,14 @@
 -->
 
 <ui:composition template="/main.xhtml"
+                xmlns="http://www.w3.org/1999/xhtml"
                 xmlns:tc="http://myfaces.apache.org/tobago/component"
                 xmlns:ui="http://java.sun.com/jsf/facelets">
   <ui:param name="title" value="Content Security Policy"/>
 
   Tobago supports Content Security Policy (CSP) to prevent cross-site
   scripting (XSS) and related attacks.
-  <tc:link link="http://www.w3.org/TR/CSP/" label="Specification link"/>.
+  <tc:link link="http://www.w3.org/TR/CSP/" label="Specification link" image="fa-external-link"/>.
   In short: The HTML page doesn't contain any JavaScript or CSS information.
   All allowed sources for JavaScript, CSS and other resources have to be declared in special header.
   If you have own renderers or own JavaScript in your application, this code also needs to support SCP, to use this feature.
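Review bot: The paragraph the new link line sits in still misspells the acronym on its last visible line, `this code also needs to support SCP`; it should read `this code also needs to support CSP`, matching the page title and the sentence above. The same paragraph says `declared in special header`, which reads better as `declared in a special header`. Both are context lines the commit leaves untouched, so they are easy to miss while the link is being edited.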
@@ -39,7 +40,8 @@
       <![CDATA[
       function cspDemo() {
         jQuery(Tobago.Utils.escapeClientId("page:panel")).html(
-            "<span style='color: #ff0000; font-weight: bold;'>Attention: When you can read this text, the content was manipulated by JavaScript."
+            "<span style='color: #ff0000; font-weight: bold;'>"
+            + "Attention: When you can read this text, the content was manipulated by JavaScript."
             + " It seems, your browser doesn't support CSP!</span>");
       }
 
@@ -50,4 +52,6 @@
 
   <h5 class="alert alert-danger">This example is currently not working!</h5>
 
+
+
 </ui:composition>
diff --git a/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/80-security/10/sanitize.xhtml b/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/80-security/10-sanitize/sanitize.xhtml
similarity index 76%
rename from tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/80-security/10/sanitize.xhtml
rename to tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/80-security/10-sanitize/sanitize.xhtml
index 1792ba6..2a9d5e0 100644
--- a/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/80-security/10/sanitize.xhtml
+++ b/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/80-security/10-sanitize/sanitize.xhtml
@@ -18,16 +18,18 @@
 -->
 
 <ui:composition template="/main.xhtml"
+                xmlns:tc="http://myfaces.apache.org/tobago/component"
                 xmlns:ui="http://java.sun.com/jsf/facelets"
                 xmlns="http://www.w3.org/1999/xhtml">
 
   <ui:param name="title" value="Sanitizer"/>
 
-  <p>
-    <b>Todo: </b>Explain the concept of the sanitizer. Short:
-  </p>
   <ul>
     <li>Filter all suspicious content from tc:textarea and tc:out with escape=false.</li>
+    <li>See <tc:link label="OWASP Java HTML Sanitizer Project"
+                     link="https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project"
+                     image="fa-external-link" /></li>
+    <li>The filter can be configured the <code>tobago-config.xml</code> file.</li>
   </ul>
 
 </ui:composition>
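Review bot: The last added list item is missing a preposition: `The filter can be configured the <code>tobago-config.xml</code> file.` should read `The filter can be configured in the <code>tobago-config.xml</code> file.`. Since the item above it ties the sanitizer to tc:textarea and tc:out with escape=false, one more sentence stating that the filter is not a substitute for the normal escaping of other output would keep readers from over-relying on it; I am inferring that scope from the list, so please confirm it before writing it.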
diff --git a/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/80-security/20-roles/roles.xhtml b/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/80-security/20-roles/roles.xhtml
index 546978e..8755846 100644
--- a/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/80-security/20-roles/roles.xhtml
+++ b/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/80-security/20-roles/roles.xhtml
@@ -24,8 +24,8 @@
   <ui:param name="title" value="#{demoBundle.roles}"/>
   <p>It is possible to define roles for users. Based on this roles, components with an <code>action</code> attribute
     like a button can be hidden or disabled for the current user.</p>
-  <p>The behavior can be defined in the <code>security-annotation</code> element in the 'tobago-config.xml'.
-    Posible values are 'hide', 'disable' and 'ignore'.</p>
+  <p>The behavior can be defined in the <code>security-annotation</code> element in the <code>tobago-config.xml</code>.
+    Posible values are <code>hide</code>, <code>disable</code> and <code>ignore</code>.</p>
 
   <tc:section label="Basics">
     <p>To allow an action only for a specific role, you have to annotate a method with
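Review bot: The rewritten sentence on the second added line keeps the typo `Posible`; since the line is being changed anyway, make it `Possible values are <code>hide</code>, <code>disable</code> and <code>ignore</code>.`. The unchanged sentence above, `Based on this roles`, should be `Based on these roles`.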
diff --git a/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/80-security/security.xhtml b/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/80-security/security.xhtml
new file mode 100644
index 0000000..8019102
--- /dev/null
+++ b/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/80-security/security.xhtml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+-->
+
+<ui:composition template="/main.xhtml"
+                xmlns="http://www.w3.org/1999/xhtml"
+                xmlns:tc="http://myfaces.apache.org/tobago/component"
+                xmlns:ui="http://java.sun.com/jsf/facelets">
+  <ui:param name="title" value="Security"/>
+
+  <p>
+    By using Java and JSF with Facelets you have a good base to build secure applications.
+    Tobago supports additional security concepts:
+  </p>
+  <ul>
+    <li><tc:link label="#{demoBundle.content_security_policy}"
+                 outcome="/content/30-concept/80-security/05-csp/content-security-policy.xhtml"/></li>
+    <li><tc:link label="#{demoBundle.sanitize}"
+                 outcome="/content/30-concept/80-security/10-sanitize/sanitize.xhtml"/> suspicious code.
+    </li>
+    <li>Checking annotated method calls for <tc:link label="#{demoBundle.roles}"
+                 outcome="/content/30-concept/80-security/20-roles/roles.xhtml"/>.</li>
+    <li>Setting HTTP headers <code>X-Frame-Options</code> and <code>X-Content-Type-Options</code></li>
+    <li>Using session secrects to avoid
+      <tc:link label="Cross-Site Request Forgery (CSRF)"
+    link="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)" image="fa-external-link" />.
+    This is configurable in the <code>tobago-config.xml</code></li>
+    <li>and some mottle features...</li>
+  </ul>
+
+</ui:composition>
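Review bot: Two wording defects in the new list: `Using session secrects` should be `Using session secrets`, and `and some mottle features...` is not understandable — say what is meant or drop the item. The CSRF item would be more useful if it named the `tobago-config.xml` setting that controls the session secret instead of only saying it is configurable; likewise the header item could say where `X-Frame-Options` and `X-Content-Type-Options` are set, because a reader cannot tell from this page whether they are on by default. The `link=` attribute line under the CSRF link is indented two columns short of the `label=` line above it.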
