Posted to users@tapestry.apache.org by Onno Scheffers <on...@piraya.nl> on 2009/08/26 16:10:17 UTC

Re: Securing files on the classpath/webapp context (was: Re: Running Tapestry 5.0.18 on Google App Engine)

On Wed, Aug 26, 2009 at 3:57 PM, Ulrich Stärk <ul...@spielviel.de> wrote:

> I really like to hear what the other devs (apart from Thiago) are thinking
> about this, whether there are objections against what I proposed or if you
> think there are better solutions. This really needs fixing ASAP.



I think not even css-files, js-files and png-files should be whitelisted by
default to be honest. We already have a way of making such files public: put
them in the public web context.
If a Mixin, Component or Page includes a resource from the classpath, only
then that specific asset should be whitelisted (including its localized
alternatives if required).


regards,

Onno

Re: Securing files on the classpath/webapp context (was: Re: Running Tapestry 5.0.18 on Google App Engine)

Posted by Onno Scheffers <on...@piraya.nl>.
>
> The Tapestry asset feature is used even when you use files from the context
> (asset:context:something.jpg).


Yes, but does that mean js-files and css-files etc. should be whitelisted by
default? Normally if Tapestry encounters an asset:-statement, it knows the
asset should be whitelisted. In this case the asset is already on the public
context path, so whitelisting is not even required.



> And assets provided by modules should go on the classpath, otherwise you
> would have to copy files from that module and put them in predefined
> folders, killing the very nice "drop a JAR in the classpath and it works
> automatically" feature for Tapestry.


That would still work, wouldn't it? I'm not claiming Tapestry cannot access
files on the classpath, so drop-in modules should still work. I'm just
claiming Tapestry shouldn't share those files with the rest of the world
unless specifically told to do so. Therefore components inside the module
can still include assets and when they do, they automatically whitelist
those assets.


regards,

Onno
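An added example in Java of the per-asset whitelist Onno describes above (not Tapestry's own code): a component registers the exact classpath resources it uses, plus their localized variants, and the request check refuses every other classpath path regardless of extension. The class, method names and resource paths are hypothetical; the extension-based method is included only to contrast the two policies discussed in the thread.

```java
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Hypothetical default-deny registry of classpath assets (example, not Tapestry's implementation). */
public final class ClasspathAssetWhitelist {
    private final Set<String> allowed = new HashSet<>();

    /** Called when a Page/Component/Mixin declares an asset; exposes that path and its localized variants. */
    public void expose(String resourcePath, Locale... locales) {
        String normalized = normalize(resourcePath);
        allowed.add(normalized);
        int dot = normalized.lastIndexOf('.');
        String base = dot > 0 ? normalized.substring(0, dot) : normalized;
        String ext = dot > 0 ? normalized.substring(dot) : "";
        for (Locale locale : locales) {
            // e.g. widget.css -> widget_de.css, widget_de_DE.css
            allowed.add(base + "_" + locale.toString() + ext);
        }
    }

    /** Request-time check: only exact, previously exposed paths are served, whatever the extension. */
    public boolean isServable(String requestedPath) {
        return allowed.contains(normalize(requestedPath));
    }

    /** The alternative under discussion: serve any classpath file whose extension is on a fixed list. */
    public static boolean extensionWhitelistAllows(String path) {
        return path.endsWith(".css") || path.endsWith(".js") || path.endsWith(".png");
    }

    private static String normalize(String path) {
        return path.startsWith("/") ? path.substring(1) : path;
    }

    public static void main(String[] args) {
        ClasspathAssetWhitelist whitelist = new ClasspathAssetWhitelist();
        // Hypothetical component declares one stylesheet and its German and French localizations.
        whitelist.expose("org/example/components/widget.css", Locale.GERMAN, Locale.FRENCH);

        // Declared asset and its localized variant are served.
        System.out.println(whitelist.isServable("/org/example/components/widget.css"));
        System.out.println(whitelist.isServable("/org/example/components/widget_de.css"));
        // A .js file that no component referenced: refused by the per-asset whitelist,
        // but served by the extension-based one (hypothetical path).
        System.out.println(whitelist.isServable("/org/example/internal/admin.js"));
        System.out.println(extensionWhitelistAllows("/org/example/internal/admin.js"));
        // Non-asset classpath files (hypothetical path) are refused by both policies.
        System.out.println(whitelist.isServable("/org/example/config.properties"));
    }
}
```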

Re: Securing files on the classpath/webapp context (was: Re: Running Tapestry 5.0.18 on Google App Engine)

Posted by "Thiago H. de Paula Figueiredo" <th...@gmail.com>.
On Wed, 26 Aug 2009 11:10:17 -0300, Onno Scheffers <on...@piraya.nl>
wrote:

> I think not even css-files, js-files and png-files should be whitelisted  
> by default to be honest. We already have a way of making such files  
> public: put them in the public web context.

The Tapestry asset feature is used even when you use files from the  
context (asset:context:something.jpg). And assets provided by modules  
should go on the classpath, otherwise you would have to copy files from  
that module and put them in predefined folders, killing the very nice  
"drop a JAR in the classpath and it works automatically" feature for  
Tapestry.

-- 
Thiago H. de Paula Figueiredo
Independent Java consultant, developer, and instructor
http://www.arsmachina.com.br/thiago

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org