Posted to commits@myfaces.apache.org by lo...@apache.org on 2017/09/20 08:21:58 UTC

[myfaces-tobago] branch master updated (d89db7b -> 3657a5e)

This is an automated email from the ASF dual-hosted git repository.

lofwyr pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/myfaces-tobago.git.


    from d89db7b  TOBAGO-1794: Deploy different versions of Tobago demo in the VM * update site
     new bef7479  TOBAGO-1782: Clean up * remove deprecated class
     new 3657a5e  TOBAGO-1791: There should be a "nonce" for each request to protect CSS with CSP * using nonce only for inline src (also only for style, currently we have no inline scripts)

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../MetaInfResourcesClasspathResourceResolver.java | 75 ----------------------
 .../renderkit/renderer/ScriptRenderer.java         |  2 -
 .../internal/renderkit/renderer/StyleRenderer.java |  1 -
 .../src/main/resources/META-INF/tobago-config.xml  |  4 +-
 .../apache/myfaces/tobago/example/demo/Demo.xml    | 12 ----
 .../src/main/webapp/WEB-INF/web.xml                |  5 --
 .../50-migration/96-migration/migration40.xhtml    | 31 +++++++--
 .../facelets-as-resources.xhtml                    | 13 ++--
 8 files changed, 34 insertions(+), 109 deletions(-)
 delete mode 100644 tobago-core/src/main/java/org/apache/myfaces/tobago/facelets/MetaInfResourcesClasspathResourceResolver.java

-- 
To stop receiving notification emails like this one, please contact
"commits@myfaces.apache.org" <co...@myfaces.apache.org>.

[myfaces-tobago] 02/02: TOBAGO-1791: There should be a "nonce" for each request to protect CSS with CSP * using nonce only for inline src (also only for style, currently we have no inline scripts)

Posted by lo...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

lofwyr pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/myfaces-tobago.git

commit 3657a5e613961e04a6bc2c9cd0755a403cea0fac
Author: Udo Schnurpfeil <lo...@apache.org>
AuthorDate: Wed Sep 20 10:21:30 2017 +0200

    TOBAGO-1791: There should be a "nonce" for each request to protect CSS with CSP
    * using nonce only for inline src (also only for style, currently we have no inline scripts)
---
 .../myfaces/tobago/internal/renderkit/renderer/ScriptRenderer.java    | 2 --
 .../myfaces/tobago/internal/renderkit/renderer/StyleRenderer.java     | 1 -
 tobago-core/src/main/resources/META-INF/tobago-config.xml             | 4 +++-
 3 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/renderkit/renderer/ScriptRenderer.java b/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/renderkit/renderer/ScriptRenderer.java
index c87fe2f..7b98399 100644
--- a/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/renderkit/renderer/ScriptRenderer.java
+++ b/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/renderkit/renderer/ScriptRenderer.java
@@ -20,7 +20,6 @@
 package org.apache.myfaces.tobago.internal.renderkit.renderer;
 
 import org.apache.myfaces.tobago.internal.component.AbstractUIScript;
-import org.apache.myfaces.tobago.internal.context.Nonce;
 import org.apache.myfaces.tobago.renderkit.RendererBase;
 import org.apache.myfaces.tobago.renderkit.html.HtmlAttributes;
 import org.apache.myfaces.tobago.renderkit.html.HtmlElements;
@@ -44,7 +43,6 @@ public class ScriptRenderer extends RendererBase {
 // XXX with defer activated, pages are not shown reliable
 //        writer.writeAttribute(HtmlAttributes.DEFER, true);
     writer.writeAttribute(HtmlAttributes.TYPE, "text/javascript", false);
-    writer.writeAttribute(HtmlAttributes.NONCE, Nonce.getNonce(facesContext), false);
     writer.endElement(HtmlElements.SCRIPT);
   }
 
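Review bot: Dropping the NONCE attribute right before `writer.endElement(HtmlElements.SCRIPT)` makes every script written by this renderer depend on the `script-src 'self'` entry introduced in tobago-config.xml by this same commit. A script URL on another origin, or an inline script added later, would be blocked under that policy. The commit message says there are currently no inline scripts; please put that assumption in a short comment next to this line so it is visible when the renderer changes.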
diff --git a/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/renderkit/renderer/StyleRenderer.java b/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/renderkit/renderer/StyleRenderer.java
index 6a694a3..fbdb4a3 100644
--- a/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/renderkit/renderer/StyleRenderer.java
+++ b/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/renderkit/renderer/StyleRenderer.java
@@ -58,7 +58,6 @@ public class StyleRenderer extends RendererBase {
       writer.writeAttribute(HtmlAttributes.HREF, file, true);
 //    writer.writeAttribute(HtmlAttributes.MEDIA, "screen", false);
       writer.writeAttribute(HtmlAttributes.TYPE, "text/css", false);
-      writer.writeAttribute(HtmlAttributes.NONCE, Nonce.getNonce(facesContext), false);
       writer.endElement(HtmlElements.LINK);
 
     } else {
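Review bot: In the LINK branch the `href` comes from `file`, and without the nonce the stylesheet is allowed only when `file` matches `style-src 'self'`. If `file` can be an absolute URL on another host, that stylesheet is now blocked by the default policy; either keep the nonce for that case or document that such hosts need their own `style-src` directive in the configuration. The body of the `else` branch is not shown in this hunk, so please confirm it still writes the nonce for the inline case, since the `Nonce` import is not removed from this file.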
diff --git a/tobago-core/src/main/resources/META-INF/tobago-config.xml b/tobago-core/src/main/resources/META-INF/tobago-config.xml
index 9979556..e6c046e 100644
--- a/tobago-core/src/main/resources/META-INF/tobago-config.xml
+++ b/tobago-core/src/main/resources/META-INF/tobago-config.xml
@@ -26,8 +26,10 @@
   <name>tobago-config</name>
 
   <content-security-policy mode="on">
+    <directive name="style-src">'unsafe-inline'</directive> <!-- is only active, when browser doesn't support nonce -->
     <directive name="style-src">'nonce-${nonce}'</directive>
-    <directive name="script-src">'nonce-${nonce}'</directive>
+    <directive name="style-src">'self'</directive>
+    <directive name="script-src">'self'</directive>
   </content-security-policy>
 
 </tobago-config>
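Review bot: The three `style-src` entries only behave as the inline comment describes if they are merged into one `style-src` directive in the emitted header. Within a single policy, a repeated directive name is ignored after its first occurrence, so if each `<directive>` element were written out separately only `'unsafe-inline'` would be in force. A test asserting that the header carries a single `style-src` with all three values would pin this down. The XML comment could also state the trade-off plainly: in browsers without nonce support the `'unsafe-inline'` fallback leaves inline styles unrestricted.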


[myfaces-tobago] 01/02: TOBAGO-1782: Clean up * remove deprecated class

Posted by lo...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

lofwyr pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/myfaces-tobago.git

commit bef74799412633e1fb7477e3863699317d7e3dca
Author: Udo Schnurpfeil <lo...@apache.org>
AuthorDate: Wed Sep 20 09:23:25 2017 +0200

    TOBAGO-1782: Clean up
    * remove deprecated class
---
 .../MetaInfResourcesClasspathResourceResolver.java | 75 ----------------------
 .../apache/myfaces/tobago/example/demo/Demo.xml    | 12 ----
 .../src/main/webapp/WEB-INF/web.xml                |  5 --
 .../50-migration/96-migration/migration40.xhtml    | 31 +++++++--
 .../facelets-as-resources.xhtml                    | 13 ++--
 5 files changed, 31 insertions(+), 105 deletions(-)

diff --git a/tobago-core/src/main/java/org/apache/myfaces/tobago/facelets/MetaInfResourcesClasspathResourceResolver.java b/tobago-core/src/main/java/org/apache/myfaces/tobago/facelets/MetaInfResourcesClasspathResourceResolver.java
deleted file mode 100644
index 92e11e6..0000000
--- a/tobago-core/src/main/java/org/apache/myfaces/tobago/facelets/MetaInfResourcesClasspathResourceResolver.java
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.myfaces.tobago.facelets;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.net.URL;
-
-/**
- * <p>
- * Provides facelets from the directory "META-INF/resources/" of any jar file in the classpath.
- * With the Servlet 3.0 specification this is no longer needed.
- * </p>
- * <p>
- * To configure this ResourceResolver put this code into the web.xml file:
- * </p>
- * <pre>
- *  &lt;context-param&gt;
- *    &lt;param-name&gt;javax.faces.FACELETS_RESOURCE_RESOLVER&lt;/param-name&gt;
- *    &lt;param-value&gt;
- *        org.apache.myfaces.tobago.facelets.MetaInfResourcesClasspathResourceResolver
- *    &lt;/param-value&gt;
- *  &lt;/context-param&gt;
- * </pre>
- *
- * @deprecated since 3.0.0
- */
-@Deprecated
-public class MetaInfResourcesClasspathResourceResolver extends DefaultResourceResolver {
-
-  private static final Logger LOG = LoggerFactory.getLogger(MetaInfResourcesClasspathResourceResolver.class);
-
-  public MetaInfResourcesClasspathResourceResolver() {
-    if (LOG.isDebugEnabled()) {
-      LOG.debug("MetaInfResourcesClasspathResourceResolver is configured to resolve resources.");
-    }
-  }
-
-  @Override
-  public URL resolveUrl(final String path) {
-    final URL defaultUrl = super.resolveUrl(path);
-    if (defaultUrl != null) {
-      if (LOG.isDebugEnabled()) {
-        LOG.debug("default   url='" + defaultUrl + "'");
-      }
-      return defaultUrl;
-    }
-
-    final String resource = "META-INF/resources/" + (path.startsWith("/") ? path.substring(1) : path);
-
-    final URL classpathUrl = Thread.currentThread().getContextClassLoader().getResource(resource);
-    if (LOG.isDebugEnabled()) {
-      LOG.debug("classpath url='" + classpathUrl + "'");
-    }
-    return classpathUrl;
-  }
-}
diff --git a/tobago-example/tobago-example-demo/src/main/resources/org/apache/myfaces/tobago/example/demo/Demo.xml b/tobago-example/tobago-example-demo/src/main/resources/org/apache/myfaces/tobago/example/demo/Demo.xml
index 6d2a04d..96ff088 100644
--- a/tobago-example/tobago-example-demo/src/main/resources/org/apache/myfaces/tobago/example/demo/Demo.xml
+++ b/tobago-example/tobago-example-demo/src/main/resources/org/apache/myfaces/tobago/example/demo/Demo.xml
@@ -404,18 +404,6 @@
     The iterated components are on top of each other in the HTML document,
     because they got have all the same position attributes.&lt;br/></entry>
 
-  <!-- faceletsAsResources -->
-  <entry key="faceletsAsResources_text">
-    This example demonstrates how to load parts of the view of an application from a library jar file.
-    You have to define a context parameter in the web.xml:
-
-    &lt;context-param>
-      &lt;param-name>javax.faces.FACELETS_RESOURCE_RESOLVER&lt;/param-name>
-      &lt;param-value>org.apache.myfaces.tobago.facelets.MetaInfResourcesClasspathResourceResolver&lt;/param-value>
-    &lt;/context-param>
-
-    The content has to reside in the /META-INF/resources directory.</entry>
-
   <entry key="format1">The equatorial radius of the sun is {0} km.</entry>
   <entry key="format3">The temperature of the sun is {0} K on the surface, but {1} K in the center and {2} K in the corona.</entry>
   <entry key="format9">Just reordering: {4} - {1} - {6} - {8} - {5} - {3} - {0} - {7} - {2}</entry>
diff --git a/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/web.xml b/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/web.xml
index 2c77ff2..65afe9f 100644
--- a/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/web.xml
+++ b/tobago-example/tobago-example-demo/src/main/webapp/WEB-INF/web.xml
@@ -54,11 +54,6 @@
   </context-param>
 
   <context-param>
-    <param-name>javax.faces.FACELETS_RESOURCE_RESOLVER</param-name>
-    <param-value>org.apache.myfaces.tobago.facelets.MetaInfResourcesClasspathResourceResolver</param-value>
-  </context-param>
-
-  <context-param>
     <param-name>javax.faces.INTERPRET_EMPTY_STRING_SUBMITTED_VALUES_AS_NULL</param-name>
     <param-value>true</param-value>
   </context-param>
diff --git a/tobago-example/tobago-example-demo/src/main/webapp/content/10-intro/50-migration/96-migration/migration40.xhtml b/tobago-example/tobago-example-demo/src/main/webapp/content/10-intro/50-migration/96-migration/migration40.xhtml
index bb2a3dc..011caef 100644
--- a/tobago-example/tobago-example-demo/src/main/webapp/content/10-intro/50-migration/96-migration/migration40.xhtml
+++ b/tobago-example/tobago-example-demo/src/main/webapp/content/10-intro/50-migration/96-migration/migration40.xhtml
@@ -31,12 +31,14 @@
     </p>
 
     <ul>
-      <li>Tag library</li>
-      <li>CSS / Bootstrap</li>
-      <li>Theme building</li>
+      <li><tc:link link="" fragment="page:mainForm:taglib" label="Tag library"/></li>
+      <li><tc:link link="" fragment="page:mainForm:css" label="CSS / Bootstrap"/></li>
+      <li><tc:link link="" fragment="page:mainForm:theme" label="Theme building"/></li>
+      <li><tc:link link="" fragment="page:mainForm:crlf" label="CRLF in textarea"/></li>
+      <li><tc:link link="" fragment="page:mainForm:resourceResolver" label="Removed class: MetaInfResourcesClasspathResourceResolver"/></li>
     </ul>
 
-    <tc:section label="Tag Library">
+    <tc:section id="taglib" label="Tag Library">
 
       <tc:section label="ViewId over attribute &quot;link&quot;">
         <p>
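Review bot: The new `fragment` values in the `<ul>` hard-code the client id prefix `page:mainForm` (for example `page:mainForm:taglib`), while the section only declares the short id `taglib`. If an enclosing naming container is renamed, these links stop jumping to their sections without any error. Consider noting the dependency in a comment above the list, or deriving the fragment from the section's client id if the tag supports it.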
@@ -100,7 +102,7 @@
       </tc:section>
     </tc:section>
 
-    <tc:section label="CSS / Bootstrap">
+    <tc:section id="css" label="CSS / Bootstrap">
       <p>
         The included Bootstrap CSS library has been updated from
         <tc:link link="http://blog.getbootstrap.com/2016/10/19/bootstrap-4-alpha-5/" label="v4.0.0-alpha.5"/> to
@@ -126,7 +128,7 @@
       </p>
     </tc:section>
 
-    <tc:section label="Theme building">
+    <tc:section id="theme" label="Theme building">
       <p>
         Building a theme is in general compatible, but if using the build mechanism of Tobago
         (defined in the pom.xml of tobago-theme) it can be better automated.
@@ -135,7 +137,7 @@
       </p>
     </tc:section>
 
-    <tc:section label="CRLF in textarea">
+    <tc:section id="crlf" label="CRLF in textarea">
       <p>
         CRLF in textarea will be converted to LF automatically to avoid inconsistencies with length validation.
         If you need the old behaviour, set <code>&lt;decode-line-feed>false&lt;/decode-line-feed></code>
@@ -143,6 +145,21 @@
       </p>
     </tc:section>
 
+    <tc:section id="resourceResolver" label="Removed class: MetaInfResourcesClasspathResourceResolver">
+      <p>
+        The deprecated class <code>org.apache.myfaces.tobago.facelets.MetaInfResourcesClasspathResourceResolver</code>
+        has been removed, because it was no longer needed since Servelt 3.0.
+        You may remove this context parameter in your <code>web.xml</code>.
+      </p>
+
+      <pre><code class="language-markup">&lt;context-param>
+    &lt;param-name>javax.faces.FACELETS_RESOURCE_RESOLVER&lt;/param-name>
+    &lt;param-value>org.apache.myfaces.tobago.facelets.MetaInfResourcesClasspathResourceResolver&lt;/param-value>
+&lt;/context-param>
+</code></pre>
+
+    </tc:section>
+
 
   </tc:section>
 
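Review bot: Typo in the added paragraph: "Servelt 3.0" should read "Servlet 3.0". The sentence "You may remove this context parameter" also understates the change: the class is deleted in this commit, so a `web.xml` that still names it under `javax.faces.FACELETS_RESOURCE_RESOLVER` refers to a class that no longer exists. Suggest wording it as a required step, for example "You have to remove this context parameter from your web.xml".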
diff --git a/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/25-facelets-as-resources/facelets-as-resources.xhtml b/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/25-facelets-as-resources/facelets-as-resources.xhtml
index 5256c1c..8a0ac14 100644
--- a/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/25-facelets-as-resources/facelets-as-resources.xhtml
+++ b/tobago-example/tobago-example-demo/src/main/webapp/content/30-concept/25-facelets-as-resources/facelets-as-resources.xhtml
@@ -19,19 +19,20 @@
 
 <ui:composition template="/main.xhtml"
                 xmlns:tc="http://myfaces.apache.org/tobago/component"
-                xmlns:ui="http://java.sun.com/jsf/facelets"
-                xmlns:demo="http://myfaces.apache.org/tobago/example/demo">
+                xmlns:ui="http://java.sun.com/jsf/facelets">
   <ui:param name="title" value="Loading Facelets from JARs"/>
   <tc:panel>
 
     <p>
-      <span class="#{demo:bootstrapClass('BADGE')} #{demo:bootstrapClass('BADGE_DANGER')}">Warning!</span>
-      <b>This page is out of date. This is no longer needed with Servlet 3.0.</b>
+      This example demonstrates how to load parts of the view of an application from a library JAR file.
+      The content has to reside in the <code>/META-INF/resources</code> directory of the JAR.
     </p>
 
-    <tc:out value="#{demoBundle.faceletsAsResources_text}"/>
+    <p>
+      The content of this box is included from the tobago-example-data JAR.
+    </p>
 
-    <tc:box label="This content is included from a JAR.">
+    <tc:box label="Included content">
 
       <ui:include src="/data/edit-solar.xhtml"/>
 
