Author: buildbot
Date: Sat Jan 25 14:20:51 2014
New Revision: 895391

Log:
Production update by buildbot for tapestry

Modified:
    websites/production/tapestry/content/cache/main.pageCache
    websites/production/tapestry/content/security.html

Modified: websites/production/tapestry/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/tapestry/content/security.html
==============================================================================
--- websites/production/tapestry/content/security.html (original)
+++ websites/production/tapestry/content/security.html Sat Jan 25 14:20:51 2014
@@ -108,7 +108,7 @@
                 
                             </div>
         </li></ul>
-</div><h2 id="Security-HTTPS-onlyPages">HTTPS-only Pages</h2><p>Main Article: 
<a shape="rect" href="https.html">HTTPS</a></p><p>Tapestry provides several 
annotations and configuration settings that you can use to&#160;<span 
style="text-align: justify;line-height: 1.4285715;">ensure that all access to 
certain pages (or all pages) occurs only via the encrypted HTTPS 
protocol</span><span style="text-align: justify;line-height: 1.4285715;">. 
See&#160;<a shape="rect" href="https.html">HTTPS</a> for details.</span></p><h2 
id="Security-ControllingPageAccess"><span style="text-align: 
justify;line-height: 1.4285715;">Controlling Page Access</span></h2><p><span 
style="text-align: justify;line-height: 1.4285715;">&#160;</span></p><div 
class="navmenu" style="float:right; background:#eee; margin:3px; padding:0 1em">
+</div><h2 id="Security-HTTPS-onlyPages">HTTPS-only Pages</h2><p>Main Article: 
<a shape="rect" href="https.html">HTTPS</a></p><p>Tapestry provides several 
annotations and configuration settings that you can use to&#160;<span 
style="text-align: justify;line-height: 1.4285715;">ensure that all access to 
certain pages (or all pages) occurs only via the encrypted HTTPS 
protocol</span><span style="text-align: justify;line-height: 1.4285715;">. 
See&#160;<a shape="rect" href="https.html">HTTPS</a> for details.</span></p><h2 
id="Security-ControllingPageAccess"><span style="text-align: 
justify;line-height: 1.4285715;">Controlling Page Access</span></h2><div 
class="navmenu" style="float:right; background:#eee; margin:3px; padding:0 1em">
 <p>    <strong>JumpStart Demo:</strong><br clear="none">
     <a shape="rect" class="external-link" 
href="http://jumpstart.doublenegative.com.au/jumpstart/examples/infrastructure/protectingpages";
 >Protecting Pages</a></p></div><p><span style="text-align: 
justify;line-height: 1.4285715;">For simple access control needs, you can 
contribute a&#160;<span><a shape="rect" class="external-link" 
href="http://tapestry.apache.org/current/apidocs/org/apache/tapestry5/services/ComponentRequestFilter.html";>ComponentRequestFilter</a>
 with your custom logic that decides which pages should be accessed by which 
users.</span></span></p><p><span style="line-height: 1.4285715;text-align: 
justify;">For more advanced needs see the Security Framework Integration 
section below.</span></p><h2 id="Security-White-listedPages">White-listed 
Pages</h2><p>Pages whose component classes are annotated with&#160;@<a 
shape="rect" class="external-link" 
href="http://tapestry.apache.org/current/apidocs/org/apache/tapestry5/annotations/WhitelistAccessOnly.html";>WhitelistAccessOn
 ly</a>&#160;will only be displayed to users (clients) that are on 
the&#160;<em>whitelist</em>. By default the whitelist consists only of clients 
whose fully-qualified domain name is "localhost" (or the IP address equivalent, 
127.0.0.1 or 0:0:0:0:0:0:0:1),&#160;but you can customize this by contributing 
to the ClientWhitelist service&#160;in your application's module class (usually 
AppModule.java):</p><div class="code panel pdl" style="border-width: 1px;"><div 
class="codeHeader panelHeader pdl" style="border-bottom-width: 
1px;"><b>AppModule.java (partial) &#8211; simple inline example</b></div><div 
class="codeContent panelContent pdl">
 <script class="theme: Default; brush: java; gutter: false" 
type="syntaxhighlighter"><![CDATA[    @Contribute(ClientWhitelist.class)
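Review bot: The only change in this hunk is dropping the empty spacer paragraph (`<p><span style="text-align: justify;line-height: 1.4285715;">&#160;</span></p>`) between the "Controlling Page Access" heading and the floated `navmenu` div, but the same inline `text-align: justify;line-height: 1.4285715;` span is still wrapped around the heading text itself (`<h2 id="Security-ControllingPageAccess"><span style="...">Controlling Page Access</span></h2>`) and around the "HTTPS-only Pages" paragraph in the same line. If the intent is to clean up the editor-pasted styling, strip those spans in the same pass so the headings render with the page's normal h2 style; the `id` attributes, which the in-page anchors depend on, are unaffected either way.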
@@ -125,7 +125,7 @@
     }]]></script>
 </div></div><p>&#160;</p><p>Sometimes, in production, a firewall or proxy may 
make it look like the client web browser originates from localhost, with the 
consequence that whitelisted pages may be visible to all users. See the&#160;<a 
shape="rect" href="security.html">Security FAQ</a> for how to deal with 
this.</p><h2 id="Security-AssetSecurity">Asset Security</h2><p>Main 
Article:&#160;<a shape="rect" href="assets.html">Assets</a></p><p>Tapestry 
serves assets (static content such as CSS files, images, and JavaScript, many 
of which are on the classpath alongside your compiled class files) to the 
client.&#160;Because of this, great care has gone into ensuring that certain 
file types cannot be served to the client. By default, file ending with 
".class', ".tml" and ".properties" can be served to the client only if the 
request includes the file's MD5 checksum. As you would expect, that blacklist 
can be extended. See&#160;<a shape="rect" href="assets.html">Asset Security</a> 
for more info
 rmation.</p><h2 
id="Security-ProtectingSerializedObjectDataontheClient">Protecting Serialized 
Object Data on the Client</h2><p><span style="color: rgb(0,0,0);">As of version 
5.3.6, Tapestry integrates a&#160;</span><a shape="rect" class="external-link" 
href="http://en.wikipedia.org/wiki/HMAC"; style="text-decoration: 
underline;text-align: justify;" >hash-based message authentication 
code</a><span style="color: rgb(0,0,0);">&#160;(HMAC) into serialized Java 
object data that it sends to the client (generally, this means 
the&#160;</span><code style="text-align: justify;">t:formdata</code><span 
style="color: rgb(0,0,0);">&#160;hidden field used by the Form component). This 
ensures that the hidden binary object data is guaranteed to be unaltered when 
it returns to the server upon form (or AJAX) submission. The HMAC pass phrase 
is set using the&#160;<a shape="rect" 
href="configuration.html">tapestry.hmac-passphrase</a> configuration symbol. If 
you don't set that value, you'll see a warning
  message in the browser, like this:&#160;</span></p><div class="preformatted 
panel" style="border-width: 1px;"><div class="preformattedContent panelContent">
 <pre>The symbol 'tapestry.hmac-passphrase' has not been configured. This is 
used to configure hash-based message authentication of Tapestry data stored in 
forms, or in the URL. You application is less secure, and more vulnerable to 
denial-of-service attacks, when this symbol is not configured.</pre>
-</div></div><p><span style="color: rgb(0,0,0);">The solution is to set the 
tapestry.hmac-passphrase to some value (any fixed, private string, such as 30 
to 40 random-looking characters, will do) in your application's module class 
(usually AppModule.java).</span></p><h2 
id="Security-CrossSiteRequestForgery(CSRF)"><span style="color: 
rgb(83,145,38);font-size: 20.0px;line-height: 1.5;">Cross Site Request Forgery 
(CSRF)</span></h2><p>Cross Site Request Forgery is a type of security 
vulnerability in which legitimate, authorized users may be made to unwittingly 
submit malicious requests to your web application.</p><p><a shape="rect" 
class="external-link" 
href="https://github.com/porscheinformatik/tapestry-csrf-protection"; 
>Tapestry-csrf-protection</a>&#160;is a 3rd party module that has several 
features for preventing CSRF attacks. It protects all&#160;<span>component 
event handlers (event links, forms, etc.) by adding a&#160;</span><span>CSRF 
token to event links and adds a CSRF token as
  a hidden field to all forms.&#160;</span><span>Tokens are generated on a 
per-session basis.</span></p><h2 
id="Security-SecurityFrameworkIntegration"><span style="line-height: 
1.5;">Security Framework Integration</span></h2><p>Tapestry does not come with 
a built-in authentication/authorization mechanism, to avoid lock-in to a 
specific implementation. There are various Java security frameworks available, 
but the main two Java-based open source security frameworks are Apache Shiro 
(earlier JSecurity) and Spring Security (earlier Acegi Security). Spring 
Security is the more popular of the two (because of Spring's popularity), 
whereas Shiro is widely regarded as the more flexible choice. There are 
well-maintained Tapestry integration projects for both of these 
frameworks,&#160;<strong><a shape="rect" class="external-link" 
href="http://tynamo.org/tapestry-security+guide"; 
>tapestry-security</a></strong>&#160;for Apache Shiro (from Tynamo.org) 
and&#160;<strong><a shape="rect" class="extern
 al-link" href="http://www.localhost.nu/java/tapestry-spring-security"; 
>tapestry-spring-security</a></strong>&#160;for Spring Security.</p><p>For 
tapestry-security (Shiro-based)</p><ul><li><a shape="rect" 
class="external-link" href="http://tynamo.org/tynamo-federatedaccounts+guide"; 
>Tynamo-federatedaccounts</a> Facebook etc. 3rd party authentication provider 
integrations, building on Tapestry-security</li></ul><p>For 
tapestry-spring-security</p><ul><li><a shape="rect" class="external-link" 
href="http://www.localhost.nu/java/tapestry-spring-security/conf.html"; 
>http://www.localhost.nu/java/tapestry-spring-security/conf.html</a></li></ul><p>To
 include OpenID with Spring Security in your application, see the following 
Wiki entry:</p><ul><li><a shape="rect" class="external-link" 
href="http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId";>http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId</a></li></ul></div>
+</div></div><p><span style="color: rgb(0,0,0);">The solution is to set the 
tapestry.hmac-passphrase to some value (any fixed, private string, such as 30 
to 40 random-looking characters, will do) in your application's module class 
(usually AppModule.java).</span></p><h2 
id="Security-CrossSiteRequestForgery(CSRF)"><span style="color: 
rgb(83,145,38);font-size: 20.0px;line-height: 1.5;">Cross Site Request Forgery 
(CSRF)</span></h2><p>Cross Site Request Forgery is a type of security 
vulnerability in which legitimate, authorized users may be made to unwittingly 
submit malicious requests to your web application.</p><p><a shape="rect" 
class="external-link" 
href="https://github.com/porscheinformatik/tapestry-csrf-protection"; 
>Tapestry-csrf-protection</a>&#160;is a 3rd party module that has several 
features for preventing CSRF attacks. It protects all&#160;<span>component 
event handlers (event links, forms, etc.) by adding a&#160;</span><span>CSRF 
token to event links and adds a CSRF token as
  a hidden field to all forms.&#160;</span><span>Tokens are generated on a 
per-session basis.</span></p><h2 
id="Security-SecurityFrameworkIntegration"><span style="line-height: 
1.5;">Security Framework Integration</span></h2><p>Tapestry does not lock you 
into a specific authentication/authorization implementation. Instead, there are 
integration modules available for the more popular open source Java security 
frameworks, namely Apache Shiro (formerly JSecurity) and Spring Security 
(formerly Acegi Security). Spring Security is the more popular of the two 
(because of Spring's popularity), whereas Shiro is widely regarded as the more 
flexible choice.</p><ul><li>The&#160;<strong><a shape="rect" 
class="external-link" href="http://tynamo.org/tapestry-security+guide"; 
>tapestry-security</a></strong>&#160;module &#160;(from Tynamo.org)&#160;uses 
Apache Shiro</li><li>The&#160;<a shape="rect" class="external-link" 
href="http://www.localhost.nu/java/tapestry-spring-security"; 
style="font-weight: b
 old;" >tapestry-spring-security</a>&#160;module uses Spring 
Security.</li></ul><p>Additional information:</p><ul><li><a shape="rect" 
class="external-link" href="http://tynamo.org/tynamo-federatedaccounts+guide"; 
>Tynamo-federatedaccounts</a>&#160;<span style="color: rgb(0,0,0);">is an 
add-on to the&#160;</span><a shape="rect" class="external-link" 
href="http://tynamo.org/tapestry-security+guide"; >tapestry-security</a><span 
style="color: rgb(0,0,0);">&#160;module, providing federated (third-party) 
authentication with Facebook, Twitter or Google.</span></li></ul><ul><li><span 
style="line-height: 1.4285715;">To include OpenID with Spring Security in your 
application, see the following Wiki entry:&#160;</span><a shape="rect" 
class="external-link" 
href="http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId"; 
style="line-height: 
1.4285715;">http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId</a></li></ul><p>&#160;</p></div>
 </div>
 
 <div class="clearer"></div>
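Review bot: The rewrite of the "Security Framework Integration" section drops the link to the tapestry-spring-security configuration page (`http://www.localhost.nu/java/tapestry-spring-security/conf.html`) that the removed line listed under "For tapestry-spring-security", and nothing in the new "Additional information" list replaces it; if that was not intentional, add it back as a second bullet there (e.g. `<li><a class="external-link" href="http://www.localhost.nu/java/tapestry-spring-security/conf.html">tapestry-spring-security configuration</a></li>`). Two smaller style points in the added line: the two "Additional information" entries sit in separate adjacent `<ul>` elements and would read better as one list, and the line ends with a new empty `<p>&#160;</p>` spacer, which is exactly the kind of paragraph the first hunk of this change removes.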

