Posted to users@tapestry.apache.org by Borut Bolčina <bo...@gmail.com> on 2013/04/02 08:19:58 UTC

Re: Configuring pages to be "invisible"

Alejandro,

I have just tried this approach with factory chains, but the solution still
eludes me. I've tried "every" variation of creating the right chain for
ruling out the index page and all other subfolders - besides one folder.

This configuration is the closest to what I think should do the job:

configuration.add(factory.createChain("/index").add(factory.notfound()).build());
configuration.add(factory.createChain("/hidden1/**").add(factory.notfound()).build());
configuration.add(factory.createChain("/hidden2/**").add(factory.notfound()).build());

but accessing http://localhost (or http://localhost/index) still renders
the index page and the hidden pages.

If I remove the first line (with /index), then I get 404 as expected for
the hidden folders, but the index page is visible.

I am running the app locally with Jetty
(jetty-maven-plugin:8.1.9.v20130131).

-borut










2013/3/29 Alejandro Scandroli <al...@gmail.com>

> Hi Borut
>
> Using tapestry-security you have a couple of options.
>
> If you have all the protected/hidden pages in the same folder you
> could do something like this:
>
>
> configuration.add(factory.createChain("/yourfolder/**").add(factory.notfound()).build());
>
> If they are not in the same folder you can create one rule per folder
> or in the worst case one rule per page.
>
> The reversed logic would be, block access to the root "/" and then
> give anon access to your visible pages.
>
>
> configuration.add(factory.createChain("/assets/**").add(factory.anon()).build());
>
> configuration.add(factory.createChain("/signin").add(factory.anon()).build());
>
> configuration.add(factory.createChain("/visibleFolder/**").add(factory.anon()).build());
>
> configuration.add(factory.createChain("/visiblePage1").add(factory.anon()).build());
>
> configuration.add(factory.createChain("/visiblePage2").add(factory.anon()).build());
>
> configuration.add(factory.createChain("/").add(factory.anon()).build());
>
> configuration.add(factory.createChain("/**").add(factory.notfound()).build());
>
> Please, be careful with this, eventlinks and forms in the visible
> pages may need their own rules.
>
> Finally, my preferred way to handle this is with a role. You could use
> something like @RequireRole("beta").
>
> Good luck with the launch.
> Alejandro.
>
>
>
> On Fri, Mar 29, 2013 at 2:54 PM, Thiago H de Paula Figueiredo
> <th...@gmail.com> wrote:
> > On Fri, 29 Mar 2013 09:05:04 -0300, Borut Bolčina <borut.bolcina@gmail.com>
> > wrote:
> >
> >> Hello,
> >
> > Hi!
> >
> >> What is the least obtrusive way to mark pages "hidden" in production mode
> >> or with some other configuration setting.
> >
> > I'd try adding a RequestFilter and have some logic there to define whether
> > the request is for a hidden page. If yes, return a 404 error.
> >
> > --
> > Thiago H. de Paula Figueiredo
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
> > For additional commands, e-mail: users-help@tapestry.apache.org
> >

Re: Configuring pages to be "invisible"

Posted by Alejandro Scandroli <al...@gmail.com>.
I'm glad you figured it out.

> (…)
>
> I have a form in the allowed page and it works as expected. What did you
> mean by additional rules for forms and eventlinks?
>

Take a look at the form and eventlinks URLs, they have dots and colons.
So if you have a very strict rule like

configuration.add(factory.createChain("/**").add(factory.user()).build());

or in your case

configuration.add(factory.createChain("/**").add(factory.notfound()).build());

And you then enable "per page" anon access, you need to pay special
attention to the forms and eventlinks URLs in that page.
Real example:

configuration.add(factory.createChain("/signin/**").add(factory.anon()).build());
configuration.add(factory.createChain("/signin:*/**").add(factory.anon()).build()); // for event links
configuration.add(factory.createChain("/signin.*/**").add(factory.anon()).build()); // for forms

You can do something like:

configuration.add(factory.createChain("/signin*/**").add(factory.anon()).build());

But I personally like the former better.

In your case, since you are using "per folder" rules, you are safe!

> (..)
> Can you also give a hint about @RequireRole("beta")?
>

I often use the beta role as a "feature toggle". Check Martin Fowler's
article about it http://martinfowler.com/bliki/FeatureToggle.html
But in your current scenario it may not be that useful.

Cheers.
Alejandro.
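
Added example, not part of the original messages and not tapestry-security code: a simplified Ant-style matcher that shows which request paths each rule set from this thread lets through. It assumes chains are tried in the listed order with the first match winning; the probe paths, page names and component ids are constructed.

```python
import re

def _seg_match(pat, seg):
    # "*" matches any run of characters inside a single path segment
    rx = "".join("[^/]*" if c == "*" else re.escape(c) for c in pat)
    return re.fullmatch(rx, seg) is not None

def ant_match(pattern, path):
    """Simplified Ant-style match: '*' within a segment, '**' for 0+ segments."""
    def walk(pats, segs):
        if not pats:
            return not segs
        if pats[0] == "**":
            return any(walk(pats[1:], segs[i:]) for i in range(len(segs) + 1))
        return bool(segs) and _seg_match(pats[0], segs[0]) and walk(pats[1:], segs[1:])
    parts = lambda s: [p for p in s.split("/") if p]
    return walk(parts(pattern), parts(path))

def resolve(rules, path):
    # Assumption: chains are tried in the listed order and the first match wins.
    for pattern, action in rules:
        if ant_match(pattern, path):
            return action
    return "unmatched"

CATCH_ALL = ("/**", "notfound")
PAGE_ONLY = [("/signin", "anon"), CATCH_ALL]
EXPLICIT = [("/signin/**", "anon"), ("/signin:*/**", "anon"),
            ("/signin.*/**", "anon"), CATCH_ALL]
BROAD = [("/signin*/**", "anon"), CATCH_ALL]
PER_FOLDER = [("/assets/**", "anon"), ("/public/**", "anon"), CATCH_ALL]

# Constructed request paths; component ids and page names are hypothetical.
PROBES = ["/signin", "/signin.loginform", "/signin:refresh",
          "/signinadmin", "/public/contact.form", "/index"]

def audit(rules):
    """Map every probe path to the action of the first chain that matches it."""
    return {p: resolve(rules, p) for p in PROBES}

if __name__ == "__main__":
    for name, rules in [("page only", PAGE_ONLY), ("explicit", EXPLICIT),
                        ("broad", BROAD), ("per folder", PER_FOLDER)]:
        print(name, audit(rules))
```

Under this matcher the single "/signin*/**" rule also opens any page whose name merely starts with "signin", while the three explicit rules leave such a page to the catch-all.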



Re: Configuring pages to be "invisible"

Posted by Borut Bolčina <bo...@gmail.com>.
Hi Alejandro,

the above example works ok! I, moron, had forgotten to remove
contributeSecurityConfiguration in DevelopmentModule which was overriding
configuration in AppModule.

Those three lines are all I need.

I have a form in the allowed page and it works as expected. What did you
mean by additional rules for forms and eventlinks?

Can you also give a hint about @RequireRole("beta")?

Thanks for your time!



2013/4/2 Alejandro Scandroli <al...@gmail.com>

> Hi Borut
>
> For ruling out everything but one "public" folder this configuration
> should work.
>
>
> configuration.add(factory.createChain("/assets/**").add(factory.anon()).build());
>
> configuration.add(factory.createChain("/public/**").add(factory.anon()).build());
>
> configuration.add(factory.createChain("/**").add(factory.notfound()).build());
>
> I've added the assets folder to the configuration for obvious reasons.
> If that doesn't work for you let me know and we'll take a closer look
> at the complete configuration.
>
> I've tested this with tapestry-security 0.5.0 and 0.4.6, which version
> are you using?
>
> Alejandro.

Re: Configuring pages to be "invisible"

Posted by Alejandro Scandroli <al...@gmail.com>.
Hi Borut

For ruling out everything but one "public" folder this configuration
should work.

configuration.add(factory.createChain("/assets/**").add(factory.anon()).build());
configuration.add(factory.createChain("/public/**").add(factory.anon()).build());
configuration.add(factory.createChain("/**").add(factory.notfound()).build());

I've added the assets folder to the configuration for obvious reasons.
If that doesn't work for you let me know and we'll take a closer look
at the complete configuration.

I've tested this with tapestry-security 0.5.0 and 0.4.6, which version
are you using?

Alejandro.







