Author: buildbot
Date: Tue Jan 21 21:20:49 2014
New Revision: 895014
Log:
Production update by buildbot for tapestry
Modified:
websites/production/tapestry/content/cache/main.pageCache
websites/production/tapestry/content/security.html
Modified: websites/production/tapestry/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/tapestry/content/security.html
==============================================================================
--- websites/production/tapestry/content/security.html (original)
+++ websites/production/tapestry/content/security.html Tue Jan 21 21:20:49 2014
@@ -25,6 +25,14 @@
</title>
<link type="text/css" rel="stylesheet" href="/resources/space.css">
+ <link
href='http://cxf.apache.org/resources/highlighter/styles/shCoreCXF.css'
rel='stylesheet' type='text/css' />
+ <link
href='http://cxf.apache.org/resources/highlighter/styles/shThemeCXF.css'
rel='stylesheet' type='text/css' />
+ <script src='http://cxf.apache.org/resources/highlighter/scripts/shCore.js'
type='text/javascript'></script>
+ <script
src='http://cxf.apache.org/resources/highlighter/scripts/shBrushJava.js'
type='text/javascript'></script>
+ <script type="text/javascript">
+ SyntaxHighlighter.defaults['toolbar'] = false;
+ SyntaxHighlighter.all();
+ </script>
<link href="/styles/style.css" rel="stylesheet" type="text/css"/>
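Review bot: the four added `<link>`/`<script>` tags load the SyntaxHighlighter stylesheets and scripts from `http://cxf.apache.org/resources/highlighter/...` over plain HTTP, on the project's own security page. Once security.html is served over HTTPS, browsers will treat these as mixed content and block or warn on them, and the page's rendering now depends on JavaScript hosted by a different project that an on-path party could alter in transit. Suggest copying shCore.js, shBrushJava.js and the two CSS files under `/resources/` (next to the existing `/resources/space.css` referenced in the context line above), or at minimum referencing them via `https://` URLs.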
@@ -61,7 +69,7 @@
</div>
<div id="content">
-<div id="ConfluenceContent"><p>Tapestry does not come with a built-in security
implementation to avoid lock-in to a specific security framework. There are
various Java security frameworks available, but the main two Java-based open
source security frameworks are Apache Shiro (earlier JSecurity) and Spring
Security (earlier Acegi Security). Spring Security is the more popular of the
two (because of Spring's popularity), whereas Shiro is widely regarded as the
more flexible choice. There are well-maintained Tapestry integration projects
for both of these frameworks, <strong><a shape="rect" class="external-link"
href="http://tynamo.org/tapestry-security+guide"
>tapestry-security</a></strong> for Apache Shiro (from Tynamo.org) and
<strong><a shape="rect" class="external-link"
href="http://www.localhost.nu/java/tapestry-spring-security"
>tapestry-spring-security</a></strong> for Spring Security.</p><div
class="navmenu" style="float:right; background:#eee; margin:3px; padding:3px">
+<div id="ConfluenceContent"><p>Tapestry has a number of security features
designed to harden your application against unwanted intrusion and denial of
service.</p><div class="navmenu" style="float:right; background:#eee;
margin:3px; padding:3px">
<h3>Related Articles</h3>
<ul class="content-by-label"><li>
<div>
@@ -77,7 +85,7 @@
<span class="icon icon-page" title="Page">Page:</span>
</div>
<div class="details">
- <a shape="rect" href="https.html">HTTPS</a>
+ <a shape="rect"
href="integrating-with-spring-framework.html">Integrating with Spring
Framework</a>
</div>
@@ -86,12 +94,38 @@
<span class="icon icon-page" title="Page">Page:</span>
</div>
<div class="details">
- <a shape="rect"
href="integrating-with-spring-framework.html">Integrating with Spring
Framework</a>
+ <a shape="rect" href="security-faq.html">Security
FAQ</a>
+
+
+ </div>
+ </li><li>
+ <div>
+ <span class="icon icon-page" title="Page">Page:</span>
</div>
+
+ <div class="details">
+ <a shape="rect" href="https.html">HTTPS</a>
</div>
</li></ul>
-</div><p>For tapestry-security (Shiro-based)</p><ul><li><a shape="rect"
class="external-link" href="http://tynamo.org/tynamo-federatedaccounts+guide"
>Tynamo-federatedaccounts</a> Facebook etc. 3rd party authentication provider
integrations, building on Tapestry-security</li></ul><p>For
tapestry-spring-security</p><ul><li><a shape="rect" class="external-link"
href="http://www.localhost.nu/java/tapestry-spring-security/conf.html"
>http://www.localhost.nu/java/tapestry-spring-security/conf.html</a></li></ul><p>To
include OpenID with Spring Security in your application, see the following
Wiki entry:</p><ul><li><a shape="rect" class="external-link"
href="http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId">http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId</a></li></ul></div>
+</div><h2 id="Security-HTTPS-onlyPages">HTTPS-only Pages</h2><p>Main Article:
<a shape="rect" href="https.html">HTTPS</a></p><p>Tapestry provides several
annotations and configuration settings that you can use to <span
style="text-align: justify;line-height: 1.4285715;">ensure that all access to
certain pages–or all pages–occurs only via the encrypted HTTPS
protocol</span><span style="text-align: justify;line-height: 1.4285715;">.
See <a shape="rect" href="https.html">HTTPS</a> for details.</span></p><h2
id="Security-ControllingPageAccess"><span style="text-align:
justify;line-height: 1.4285715;">Controlling Page Access</span></h2><p><span
style="text-align: justify;line-height: 1.4285715;"> </span></p><div
class="navmenu" style="float:right; background:#eee; margin:3px; padding:0 1em">
+<p> <strong>JumpStart Demo:</strong><br clear="none">
+ <a shape="rect" class="external-link"
href="http://jumpstart.doublenegative.com.au/jumpstart/examples/infrastructure/protectingpages"
>Protecting Pages</a></p></div><p><span style="text-align:
justify;line-height: 1.4285715;">For simple access control needs, you can
contribute a <span><a shape="rect" class="external-link"
href="http://tapestry.apache.org/current/apidocs/org/apache/tapestry5/services/ComponentRequestFilter.html">ComponentRequestFilter</a>
with your custom logic that decides which pages should be accessed by which
users.</span></span></p><p><span style="line-height: 1.4285715;text-align:
justify;">For more advanced needs see the Security Framework Integration
section below.</span></p><h2 id="Security-White-listedPages">White-listed
Pages</h2><p>Pages whose component classes are annotated with @<a
shape="rect" class="external-link"
href="http://tapestry.apache.org/current/apidocs/org/apache/tapestry5/annotations/WhitelistAccessOnly.html">WhitelistAccessOn
ly</a> will only be displayed to users (clients) that are on
the <em>whitelist</em>. By default the whitelist consists only of clients
whose fully-qualified domain name is "localhost" (or the IP address equivalent,
127.0.0.1 or 0:0:0:0:0:0:0:1), but you can customize this by contributing
to the ClientWhitelist service in your application's module class (usually
AppModule.java):</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeHeader panelHeader pdl" style="border-bottom-width:
1px;"><b>AppModule.java (partial) – simple inline example</b></div><div
class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false"
type="syntaxhighlighter"><![CDATA[ @Contribute(ClientWhitelist.class)
+ public static void
provideWhitelistAnalyzer(OrderedConfiguration<WhitelistAnalyzer>
configuration)
+ {
+ configuration.add("FooAnalyzer", new WhitelistAnalyzer()
+ {
+ public boolean isRequestOnWhitelist(Request request)
+ {
+ // add your custom logic here and return true or false
+ return true;
+ }
+ }, "before:*");
+ }]]></script>
+</div></div><p> </p><p>Sometimes, in production, a firewall or proxy may
make it look like the client web browser originates from localhost, with the
consequence that whitelisted pages may be visible to all users. See the <a
shape="rect" href="security.html">Security FAQ</a> for how to deal with
this.</p><h2 id="Security-AssetSecurity">Asset Security</h2><p>Main
Article: <a shape="rect" href="assets.html">Assets</a></p><p>Tapestry
serves assets (static content such as CSS files, images, and JavaScript, many
of which are on the classpath alongside your compiled class files) to the
client. Because of this, great care has gone into ensuring that certain
file types cannot be served to the client. By default, file ending with
".class', ".tml" and ".properties" can be served to the client only if the
request includes the file's MD5 checksum. As you would expect, that blacklist
can be extended. See <a shape="rect" href="assets.html">Asset Security</a>
for more info
rmation.</p><h2
id="Security-ProtectingSerializedObjectDataontheClient">Protecting Serialized
Object Data on the Client</h2><p><span style="color: rgb(0,0,0);">As of version
5.3.6, Tapestry integrates a </span><a shape="rect" class="external-link"
href="http://en.wikipedia.org/wiki/HMAC" style="text-decoration:
underline;text-align: justify;" >hash-based message authentication
code</a><span style="color: rgb(0,0,0);"> (HMAC) into serialized Java
object data that it sends to the client (generally, this means
the </span><code style="text-align: justify;">t:formdata</code><span
style="color: rgb(0,0,0);"> hidden field used by the Form component). This
ensures that the hidden binary object data is guaranteed to be unaltered when
it returns to the server upon form (or AJAX) submission. The HMAC pass phrase
is set using the <a shape="rect"
href="configuration.html">tapestry.hmac-passphrase</a> configuration symbol. If
you don't set that value, you'll see a warning
message in the browser, like this: </span></p><div class="preformatted
panel" style="border-width: 1px;"><div class="preformattedContent panelContent">
+<pre>The symbol 'tapestry.hmac-passphrase' has not been configured. This is
used to configure hash-based message authentication of Tapestry data stored in
forms, or in the URL. You application is less secure, and more vulnerable to
denial-of-service attacks, when this symbol is not configured.</pre>
+</div></div><p><span style="color: rgb(0,0,0);">The solution is to set the
tapestry.hmac-passphrase to some value (any fixed, private string, such as 30
to 40 random-looking characters, will do) in your application's module class
(usually AppModule.java).</span></p><h2
id="Security-CrossSiteRequestForgery(CSRF)"><span style="color:
rgb(83,145,38);font-size: 20.0px;line-height: 1.5;">Cross Site Request Forgery
(CSRF)</span></h2><p>Cross Site Request Forgery is a type of security
vulnerability in which legitimate, authorized users may be made to unwittingly
submit malicious requests to your web application.</p><p><a shape="rect"
class="external-link"
href="https://github.com/porscheinformatik/tapestry-csrf-protection"
>Tapestry-csrf-protection</a> is a 3rd party module that has several
features for preventing CSRF attacks. It protects all <span>component
event handlers (event links, forms, etc.) by adding a </span><span>CSRF
token to event links and adds a CSRF token as
a hidden field to all forms. </span><span>Tokens are generated on a
per-session basis.</span></p><h2
id="Security-SecurityFrameworkIntegration"><span style="line-height:
1.5;">Security Framework Integration</span></h2><p>Tapestry does not come with
a built-in authentication/authorization mechanism, to avoid lock-in to a
specific implementation. There are various Java security frameworks available,
but the main two Java-based open source security frameworks are Apache Shiro
(earlier JSecurity) and Spring Security (earlier Acegi Security). Spring
Security is the more popular of the two (because of Spring's popularity),
whereas Shiro is widely regarded as the more flexible choice. There are
well-maintained Tapestry integration projects for both of these
frameworks, <strong><a shape="rect" class="external-link"
href="http://tynamo.org/tapestry-security+guide"
>tapestry-security</a></strong> for Apache Shiro (from Tynamo.org)
and <strong><a shape="rect" class="extern
al-link" href="http://www.localhost.nu/java/tapestry-spring-security"
>tapestry-spring-security</a></strong> for Spring Security.</p><p>For
tapestry-security (Shiro-based)</p><ul><li><a shape="rect"
class="external-link" href="http://tynamo.org/tynamo-federatedaccounts+guide"
>Tynamo-federatedaccounts</a> Facebook etc. 3rd party authentication provider
integrations, building on Tapestry-security</li></ul><p>For
tapestry-spring-security</p><ul><li><a shape="rect" class="external-link"
href="http://www.localhost.nu/java/tapestry-spring-security/conf.html"
>http://www.localhost.nu/java/tapestry-spring-security/conf.html</a></li></ul><p>To
include OpenID with Spring Security in your application, see the following
Wiki entry:</p><ul><li><a shape="rect" class="external-link"
href="http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId">http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId</a></li></ul></div>
</div>
<div class="clearer"></div>
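Review bot: the "Security FAQ" link in the new white-listed-pages paragraph points at the wrong page: `See the <a shape="rect" href="security.html">Security FAQ</a>` links back to security.html itself, while the navmenu entry added earlier in this patch uses `href="security-faq.html"`; the body link should match. Two smaller points in the same hunk: the inline `WhitelistAnalyzer` sample is contributed `"before:*"` and its `isRequestOnWhitelist` body is `return true;`, so a reader who pastes it unchanged admits every client to every `@WhitelistAccessOnly` page; returning false by default, or stating in the comment that `true` disables the whitelist, would make the example safe to copy. In the Asset Security paragraph, `".class', ".tml"` has mismatched quotes and "file ending with" should read "files ending with".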