[jira] Created: (TAP5-922) Allow null in LinkImpl.addParameter
Allow null in LinkImpl.addParameter
-----------------------------------

                 Key: TAP5-922
                 URL: https://issues.apache.org/jira/browse/TAP5-922
             Project: Tapestry 5
          Issue Type: Bug
          Components: tapestry-core
    Affects Versions: 5.1.0.5
            Reporter: Angelo Chen
            Priority: Minor

I have a query string that I need to append to a Link object, the query string is:

    ?gender=M&country=

    Link lnk = renderLinkSource.createPageRenderLink("SamplePage");
    lnk.addParameter("gender", "M"); // this works
    lnk.addParameter("country", null);

The above line failed with:

    RequestExceptionHandler Unexpected runtime exception: Parameter value was null or contained only whitespace.

A null parameter should be valid in a URL, sometimes it is needed to have Google Analytics pick up the complete URL even if it is null.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable
[ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12775085#action_12775085 ]

Robert Zeigler commented on TAP5-815:
-------------------------------------

Hey Chris,

I just committed the AssetProtectionDispatcher stuff (to 5.0 and 5.1 branches and to trunk). That should solve your issue, but if you want to double check that, it would be great.

Leaving this issue open for the time being to give people a chance to review. I'll close it tonight or tomorrow if I don't hear anything more.

> Asset dispatcher allows any file inside the webapp visible and downloadable
> ---------------------------------------------------------------------------
>
>                 Key: TAP5-815
>                 URL: https://issues.apache.org/jira/browse/TAP5-815
>             Project: Tapestry 5
>          Issue Type: Bug
>    Affects Versions: 5.1.0.5
>            Reporter: Thiago H. de Paula Figueiredo
>            Assignee: Robert Zeigler
>            Priority: Blocker
>
> Take any asset and you have a URL like domain.com/assets/ctx/f10407a6c1753e39/css/main.css. If you request domain.com/assets/ctx/f10407a6c1753e39/, a list containing all the files inside the webapp root is shown. It gives you the hint at downloading any file you want, including anything inside WEB-INF and assets that should be protected by ResourceDigestGenerator.
svn commit: r834180 - in /tapestry/tapestry5/branches/5.0: src/site/apt/guide/ tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ tapestry-core/src/main/java/org/apache/tapestry5/serv
Author: robertdzeigler Date: Mon Nov 9 19:28:32 2009 New Revision: 834180 URL: http://svn.apache.org/viewvc?rev=834180&view=rev Log: TAP5-815: Asset dispatcher allows any file inside the webapp visible and downloadable (5.0 branch) Added: tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/WhitelistAuthorizer.java tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/services/AssetPathAuthorizer.java tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RegexAuthorizerTest.java tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/WhitelistAuthorizerTest.java Modified: tapestry/tapestry5/branches/5.0/src/site/apt/guide/assets.apt tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java Modified: tapestry/tapestry5/branches/5.0/src/site/apt/guide/assets.apt URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.0/src/site/apt/guide/assets.apt?rev=834180&r1=834179&r2=834180&view=diff == --- tapestry/tapestry5/branches/5.0/src/site/apt/guide/assets.apt (original) +++ tapestry/tapestry5/branches/5.0/src/site/apt/guide/assets.apt Mon Nov 9 19:28:32 2009 
@@ -98,4 +98,28 @@ Care should be taken to not create overlapping mappings, as the results would not be predictable. - \ No newline at end of file +Securing Assets + + Securing assets is an important consideration for any web application. Many assets, such as hibernate configuration + files, sit in the classpath and are exposable via the Asset service, which is not desirable. To protect these and + other sensitive assets, Tapestry provides the AssetProtectionDispatcher. This dispatcher sits in front of the + AssetDispatcher, the service responsible for streaming assets to the client, and watches for Asset requests. + When an asset request comes in, the protection dispatcher checks for authorization to view the file against a + contributed list of AssetPathAuthorizer implementations. Determination of whether the client can view the requested + resource is then made based on whether any of the contributed AssetPathAuthorizer implementations explicitly allowed + or denied access to the resource. + + Tapestry provides two AssetPathAuthorizer implemenations "out of the box" to which users may contribute: RegexAuthorizer + and WhitelistAuthorizer. RegexAuthorizer uses regular expressions to determine assets which are viewable by the + client; any assets that match one of its (contributed) regular expressions are authorized. Anything not matched is + passed through to the WhitelistAuthorizer. WhitelistAuthorizer uses an exact-matching whitelist. Anything matching + exactly one its contributions is allowed; all other asset requests are denied. The default tapestry configuration + contributes nothing to WhitelistAuthorizer (access will be denied to all asset requests passed through to it), and + explicitly allows access to css, jpg, jpeg, js, png, and gif files associated with tapestry (tapestry.js, blackbird + files, date picker files, etc.). 
The default contribution also enables access to the css, jpg, jpeg, js, png, and gif + files provided by the popular chenille-kit 3rd party library. The default configuration denies access to all other + assets. To enable access to your application's assets, either contribute a custom AssetPathAnalyzer, or contribute + appropriate regular expression or exact path contributions to RegexAuthorizer or WhitelistAuthorizer, respectively. + See TapestryModule.contribteRegexAuthorizer for examples. + + Added: tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java?rev=834180&view=auto == --- tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java (added) +++ tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/interna
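Review bot: The last paragraph of the new "Securing Assets" section tells readers to "contribute a custom AssetPathAnalyzer", but the interface this commit adds is services/AssetPathAuthorizer.java and the rest of the section calls it AssetPathAuthorizer; the name should match, or users will look for a type that is not in the commit. The same paragraph points to "TapestryModule.contribteRegexAuthorizer" (missing "u"), and the second paragraph has "implemenations" and "exactly one its contributions" (missing "of"). The same text appears in the 5.1 and trunk commits, so the corrections need to be applied to all three copies of assets.apt.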
svn commit: r834167 - in /tapestry/tapestry5/branches/5.1.0.x-dev: src/site/apt/guide/ tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ tapestry-core/src/main/java/org/apache/tapest
Author: robertdzeigler Date: Mon Nov 9 18:26:48 2009 New Revision: 834167 URL: http://svn.apache.org/viewvc?rev=834167&view=rev Log: TAP5-815: Asset dispatcher allows any file inside the webapp visible and downloadable (5.1 branch) Added: tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/WhitelistAuthorizer.java tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/services/AssetPathAuthorizer.java tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RegexAuthorizerTest.java tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/WhitelistAuthorizerTest.java Modified: tapestry/tapestry5/branches/5.1.0.x-dev/src/site/apt/guide/assets.apt tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java Modified: tapestry/tapestry5/branches/5.1.0.x-dev/src/site/apt/guide/assets.apt URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/src/site/apt/guide/assets.apt?rev=834167&r1=834166&r2=834167&view=diff == --- tapestry/tapestry5/branches/5.1.0.x-dev/src/site/apt/guide/assets.apt (original) +++ tapestry/tapestry5/branches/5.1.0.x-dev/src/site/apt/guide/assets.apt Mon Nov 9 18:26:48 2009 
@@ -138,6 +138,31 @@ In addition, context assets will use the URL prefix <<>><<>>. +Securing Assets + + Securing assets is an important consideration for any web application. Many assets, such as hibernate configuration + files, sit in the classpath and are exposable via the Asset service, which is not desirable. To protect these and + other sensitive assets, Tapestry provides the AssetProtectionDispatcher. This dispatcher sits in front of the + AssetDispatcher, the service responsible for streaming assets to the client, and watches for Asset requests. + When an asset request comes in, the protection dispatcher checks for authorization to view the file against a + contributed list of AssetPathAuthorizer implementations. Determination of whether the client can view the requested + resource is then made based on whether any of the contributed AssetPathAuthorizer implementations explicitly allowed + or denied access to the resource. + + Tapestry provides two AssetPathAuthorizer implemenations "out of the box" to which users may contribute: RegexAuthorizer + and WhitelistAuthorizer. RegexAuthorizer uses regular expressions to determine assets which are viewable by the + client; any assets that match one of its (contributed) regular expressions are authorized. Anything not matched is + passed through to the WhitelistAuthorizer. WhitelistAuthorizer uses an exact-matching whitelist. Anything matching + exactly one its contributions is allowed; all other asset requests are denied. The default tapestry configuration + contributes nothing to WhitelistAuthorizer (access will be denied to all asset requests passed through to it), and + explicitly allows access to css, jpg, jpeg, js, png, and gif files associated with tapestry (tapestry.js, blackbird + files, date picker files, etc.). The default contribution also enables access to the css, jpg, jpeg, js, png, and gif + files provided by the popular chenille-kit 3rd party library. 
The default configuration denies access to all other + assets. To enable access to your application's assets, either contribute a custom AssetPathAnalyzer, or contribute + appropriate regular expression or exact path contributions to RegexAuthorizer or WhitelistAuthorizer, respectively. + See TapestryModule.contribteRegexAuthorizer for examples. + + Performance Notes Assets are expected to be entirely static (not changing while the application is deployed). When Tapestry generates a URL @@ -146,4 +171,4 @@ asset. In addition, Tapestry will {{{compress.html}GZIP compress}} the content of assets (if the asset - is compressable, and the client supports it). \ No newline at end of file + is compressable, and the client supports it). Added: tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java URL: http://svn.apache.org/viewvc/tapestry
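Review bot: The first paragraph of "Securing Assets" says the decision depends on whether any contributed AssetPathAuthorizer "explicitly allowed or denied access", while the second paragraph describes a fixed chain in which RegexAuthorizer passes unmatched paths through to WhitelistAuthorizer; the section never states the order in which contributed authorizers are consulted, or which answer wins when one allows and another denies. For an access control this needs to be spelled out, together with whether a contributed regular expression must match the whole asset path or only part of it, since that determines how tightly a contributor has to anchor a pattern to avoid authorizing more paths than intended. Suggest adding one sentence on evaluation order and one on how patterns are matched.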
svn commit: r834151 - in /tapestry/tapestry5/trunk: src/site/apt/guide/ tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ tapestry-core/src/main/java/org/apache/tapestry5/services/ t
Author: robertdzeigler Date: Mon Nov 9 17:23:10 2009 New Revision: 834151 URL: http://svn.apache.org/viewvc?rev=834151&view=rev Log: TAP5-815: Asset dispatcher allows any file inside the webapp visible and downloadable (5.2 branch) Added: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/WhitelistAuthorizer.java tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/AssetPathAuthorizer.java tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RegexAuthorizerTest.java tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/WhitelistAuthorizerTest.java Modified: tapestry/tapestry5/trunk/src/site/apt/guide/assets.apt tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java Modified: tapestry/tapestry5/trunk/src/site/apt/guide/assets.apt URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/src/site/apt/guide/assets.apt?rev=834151&r1=834150&r2=834151&view=diff == --- tapestry/tapestry5/trunk/src/site/apt/guide/assets.apt (original) +++ tapestry/tapestry5/trunk/src/site/apt/guide/assets.apt Mon Nov 9 17:23:10 2009 
@@ -138,6 +138,31 @@ In addition, context assets will use the URL prefix <<>><<>>. +Securing Assets + + Securing assets is an important consideration for any web application. Many assets, such as hibernate configuration + files, sit in the classpath and are exposable via the Asset service, which is not desirable. To protect these and + other sensitive assets, Tapestry provides the AssetProtectionDispatcher. This dispatcher sits in front of the + AssetDispatcher, the service responsible for streaming assets to the client, and watches for Asset requests. + When an asset request comes in, the protection dispatcher checks for authorization to view the file against a + contributed list of AssetPathAuthorizer implementations. Determination of whether the client can view the requested + resource is then made based on whether any of the contributed AssetPathAuthorizer implementations explicitly allowed + or denied access to the resource. + + Tapestry provides two AssetPathAuthorizer implemenations "out of the box" to which users may contribute: RegexAuthorizer + and WhitelistAuthorizer. RegexAuthorizer uses regular expressions to determine assets which are viewable by the + client; any assets that match one of its (contributed) regular expressions are authorized. Anything not matched is + passed through to the WhitelistAuthorizer. WhitelistAuthorizer uses an exact-matching whitelist. Anything matching + exactly one its contributions is allowed; all other asset requests are denied. The default tapestry configuration + contributes nothing to WhitelistAuthorizer (access will be denied to all asset requests passed through to it), and + explicitly allows access to css, jpg, jpeg, js, png, and gif files associated with tapestry (tapestry.js, blackbird + files, date picker files, etc.). The default contribution also enables access to the css, jpg, jpeg, js, png, and gif + files provided by the popular chenille-kit 3rd party library. 
The default configuration denies access to all other + assets. To enable access to your application's assets, either contribute a custom AssetPathAnalyzer, or contribute + appropriate regular expression or exact path contributions to RegexAuthorizer or WhitelistAuthorizer, respectively. + See TapestryModule.contribteRegexAuthorizer for examples. + + Performance Notes Assets are expected to be entirely static (not changing while the application is deployed). When Tapestry generates a URL @@ -146,4 +171,4 @@ asset. In addition, Tapestry will {{{compress.html}GZIP compress}} the content of assets (if the asset - is compressable, and the client supports it). \ No newline at end of file + is compressable, and the client supports it). Added: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java?rev=834151&view=auto == --- tape
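Review bot: The sentence "The default configuration denies access to all other assets", near the end of the second paragraph, describes a behaviour change for every existing application: its own css, js and image assets are no longer served until it contributes patterns, and the same text is committed to the 5.0 and 5.1 branches. That deserves an explicit upgrade note rather than one sentence at the end of a paragraph. The section also motivates the feature only with classpath assets ("hibernate configuration files, sit in the classpath"), while TAP5-815 as reported concerns the context asset URL listing the webapp root, including WEB-INF; the text should say whether context asset requests pass through AssetProtectionDispatcher as well.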
[jira] Commented: (TAP5-633) Allow page classes to have a "Page" suffix that is not included in the URL
[ https://issues.apache.org/jira/browse/TAP5-633?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12774946#action_12774946 ]

Paul Field commented on TAP5-633:
---------------------------------

Thanks for the URL rewriting idea - I've tried it out quickly but I wasn't keen that I still had to use the Page postfix in the .tml files (e.g. when creating a link to the page) - I think that would be confusing.

I also had a quick go at advising ComponentClassResolver, but I realised that when Tapestry reports the list of known components (on startup and on exception pages) it would still list the paths including the "Page" postfix - which, again, I think would be confusing.

> Allow page classes to have a "Page" suffix that is not included in the URL
> --------------------------------------------------------------------------
>
>                 Key: TAP5-633
>                 URL: https://issues.apache.org/jira/browse/TAP5-633
>             Project: Tapestry 5
>          Issue Type: Improvement
>          Components: tapestry-core
>    Affects Versions: 5.1.0.2
>            Reporter: Paul Field
>            Priority: Minor
>
> I have an application with a lot of read-only pages. For example, I have a page that shows a company and I would like a URI such as: /company/1234
> However, if I name the page class "Company" then I get a naming clash with the domain object "Company". What I would like to do is call the Tapestry 5 class "CompanyPage" - after all, that is what the class represents and it's certainly how the team refers to that thing internally and with our business (i.e. "Have you seen the new company page?").
> So, please could the ComponentClassResolverImpl remove the suffix "Page" (if it exists) from the class name when it constructs the logical page name?