Re: Projects and sites powered by Tapestry
-- 
View this message in context: http://www.nabble.com/Projects-and-sites-powered-by-Tapestry-tp25348447p25732434.html
Sent from the Tapestry - User mailing list archive at Nabble.com.

To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org
Re: Projects and sites powered by Tapestry
A solution to this problem has been posted multiple times. It has even been posted in this thread, but I'll post it again.

I use the following code to whitelist some assets. Access to non white listed assets is denied.

Add to your application module:

    // Imports needed at the top of the module class (commons-lang 2.x and commons-io):
    import java.io.IOException;
    import java.util.Arrays;
    import java.util.Collections;
    import java.util.HashSet;
    import java.util.Set;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.apache.commons.io.FilenameUtils;
    import org.apache.commons.lang.StringUtils;
    import org.apache.tapestry5.ioc.OrderedConfiguration;
    import org.apache.tapestry5.ioc.annotations.Inject;
    import org.apache.tapestry5.ioc.annotations.Value;
    import org.apache.tapestry5.services.HttpServletRequestFilter;
    import org.apache.tapestry5.services.HttpServletRequestHandler;

    private static final String[] ASSET_WHITE_LIST = {"jpg", "jpeg", "png", "gif", "js", "css", "ico"};

    /*
     * All the assets that are allowed to be downloaded using the assets service
     * (including files without extension and dirs)
     */
    private static final Set<String> assetsWhitelist = Collections.synchronizedSet(
            new HashSet<String>(Arrays.asList(ASSET_WHITE_LIST)));

    // "logger" is a logger field that already exists in the module class.
    public void contributeHttpServletRequestHandler(
            OrderedConfiguration<HttpServletRequestFilter> configuration,
            @Inject @Value("${access-denied-page}") final String accessDeniedPage)
    {
        /*
         * Create a filter that will block access to some assets. The asset service allows access to some assets we do
         * not want to expose. The asset service will show all files in /assets/ directory and allows you (by default)
         * to download some files which you do not want to expose.
         */
        HttpServletRequestFilter filter = new HttpServletRequestFilter()
        {
            public boolean service(HttpServletRequest request, HttpServletResponse response,
                    HttpServletRequestHandler handler)
                throws IOException
            {
                String path = request.getServletPath();

                // Deny every asset request whose extension is not on the whitelist.
                if (path.startsWith("/assets") && (!assetsWhitelist.contains(
                        StringUtils.lowerCase(FilenameUtils.getExtension(path)))))
                {
                    logger.warn("access to asset " + path + " denied");

                    response.sendRedirect(request.getContextPath() + "/" + accessDeniedPage);

                    return true;
                }

                return handler.service(request, response);
            }
        };

        configuration.add("AssetProtectionFilter", filter, "before:*");
    }

Angelo Chen wrote:
> Hi,
>
> I use the code to protect assets, here is the url:
>
> http://example.com/assets
> http://example.com/assets/
>
> the first url, following code works, second URL, if it runs in Jetty, the code works, but if it is under Tomcat 6, it still lists files under WEB-INF, any idea?
>
> Thanks,
Re: Projects and sites powered by Tapestry
Hi,

I use the code to protect assets, here is the url:

http://example.com/assets
http://example.com/assets/

the first url, following code works, second URL, if it runs in Jetty, the code works, but if it is under Tomcat 6, it still lists files under WEB-INF, any idea?

Thanks,

martijn.list wrote:
> Angelo Chen wrote:
>> how to close access to ".class" and ".tml"?
>
> This has been posted to the list multiple times so another time
> wouldn't hurt ;)
>
> I use the following code to whitelist some assets. Access to non white
> listed assets is denied.
>
> Add to your application module:
>
>     private static final String[] ASSET_WHITE_LIST = {"jpg", "jpeg", "png", "gif", "js", "css", "ico"};
>
>     /*
>      * All the assets that are allowed to be downloaded using the assets service
>      * (including files without extension and dirs)
>      */
>     private static final Set<String> assetsWhitelist = Collections.synchronizedSet(
>             new HashSet<String>(Arrays.asList(ASSET_WHITE_LIST)));
>
>     public void contributeHttpServletRequestHandler(
>             OrderedConfiguration<HttpServletRequestFilter> configuration,
>             @Inject @Value("${access-denied-page}") final String accessDeniedPage)
>     {
>         /*
>          * Create a filter that will block access to some assets. The asset service allows access to some assets we do
>          * not want to expose. The asset service will show all files in /assets/ directory and allows you (by default)
>          * to download some files which you do not want to expose.
>          */
>         HttpServletRequestFilter filter = new HttpServletRequestFilter()
>         {
>             public boolean service(HttpServletRequest request, HttpServletResponse response,
>                     HttpServletRequestHandler handler)
>                 throws IOException
>             {
>                 String path = request.getServletPath();
>
>                 if (path.startsWith("/assets") && (!assetsWhitelist.contains(
>                         StringUtils.lowerCase(FilenameUtils.getExtension(path)))))
>                 {
>                     logger.warn("access to asset " + path + " denied");
>
>                     response.sendRedirect(request.getContextPath() + "/" + accessDeniedPage);
>
>                     return true;
>                 }
>
>                 return handler.service(request, response);
>             }
>         };
>
>         configuration.add("AssetProtectionFilter", filter, "before:*");
>     }
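The allow/deny decision of the filter posted in this thread, run on the two URLs from the message above and a few other paths. This is an added example, not code from the thread: the class name, the `extension` helper (a plain-JDK stand-in for `FilenameUtils.getExtension`) and the sample paths are assumptions.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Added example: the whitelist decision of the posted AssetProtectionFilter,
 * isolated from the servlet API so it can be run on sample path strings.
 */
public class AssetWhitelistCheck {

    // Same extensions as ASSET_WHITE_LIST in the posted filter.
    private static final Set<String> WHITELIST = new HashSet<>(
            Arrays.asList("jpg", "jpeg", "png", "gif", "js", "css", "ico"));

    /**
     * Plain-JDK stand-in for commons-io FilenameUtils.getExtension(): the text
     * after the last '.' in the last path segment, or "" when there is none.
     */
    static String extension(String path) {
        int lastSeparator = Math.max(path.lastIndexOf('/'), path.lastIndexOf('\\'));
        int lastDot = path.lastIndexOf('.');
        return lastDot > lastSeparator ? path.substring(lastDot + 1) : "";
    }

    /** True when the filter would redirect to the access-denied page. */
    static boolean denied(String servletPath) {
        return servletPath.startsWith("/assets")
                && !WHITELIST.contains(extension(servletPath).toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample values for request.getServletPath(); not taken from a real log.
        Map<String, Boolean> expected = new LinkedHashMap<>();
        expected.put("/assets/ctx/css/site.css", false);
        expected.put("/assets/ctx/img/LOGO.PNG", false);     // compared in lower case
        expected.put("/assets/app/pages/Index.tml", true);
        expected.put("/assets/app/pages/Index.class", true);
        expected.put("/assets/app/log4j.properties", true);
        expected.put("/assets/app/pages", true);             // no extension
        expected.put("/assets", true);                       // "" is not in the whitelist
        expected.put("/assets/", true);
        expected.put("/index", false);                       // not an asset path, passed on

        for (Map.Entry<String, Boolean> e : expected.entrySet()) {
            boolean actual = denied(e.getKey());
            if (actual != e.getValue()) {
                throw new AssertionError("unexpected decision for " + e.getKey());
            }
            System.out.printf("%-34s %s%n", e.getKey(), actual ? "DENY" : "pass");
        }
    }
}
```

The filter decides only on the string returned by `getServletPath()`, so when two containers behave differently for the same URL, logging that value for the failing request shows which path string the check actually received.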
Re: Projects and sites powered by Tapestry
-- 
View this message in context: http://www.nabble.com/Projects-and-sites-powered-by-Tapestry-tp25348447p25727490.html
Re: Projects and sites powered by Tapestry
Thanks for the detailed info, Alex. There is so much to learn. I hope this hole gets patched soon.

Benny

On Thu, Sep 10, 2009 at 9:41 AM, Alex Kotchnev wrote:

> Benny,
>    indeed that would be the case for a "traditional" web framework that
> serves web application assets (e.g. stylesheets, images, javascript) only
> from the publicly available directories (e.g. outside of WEB-INF). However,
> because of T5's component nature, if you deployed a component (e.g. as a
> jar in the web app) it might need to access assets from the classpath (e.g.
> from the component jar). Hence, currently there is a wide gaping security
> hole in a "stock" T5 application's Asset service, that it can access any
> files on the classpath (e.g. property files, .tml source, etc). There is an
> issue filed for this, some improvements in T5.1, and a few decent solutions
> (as the posting above mentions), but the framework is still very vulnerable.
>
> Cheers,
>
> Alex K
Re: Projects and sites powered by Tapestry
Benny,
   indeed that would be the case for a "traditional" web framework that serves web application assets (e.g. stylesheets, images, javascript) only from the publicly available directories (e.g. outside of WEB-INF). However, because of T5's component nature, if you deployed a component (e.g. as a jar in the web app) it might need to access assets from the classpath (e.g. from the component jar). Hence, currently there is a wide gaping security hole in a "stock" T5 application's Asset service, that it can access any files on the classpath (e.g. property files, .tml source, etc). There is an issue filed for this, some improvements in T5.1, and a few decent solutions (as the posting above mentions), but the framework is still very vulnerable.

Cheers,

Alex K

On Thu, Sep 10, 2009 at 8:56 AM, Benny Law wrote:

> Pardon me if I am mistaken, but shouldn't .class and .tml files be under
> WEB-INF and hence inaccessible automatically?
>
> Benny
Re: Projects and sites powered by Tapestry
Pardon me if I am mistaken, but shouldn't .class and .tml files be under WEB-INF and hence inaccessible automatically?

Benny

On Thu, Sep 10, 2009 at 2:52 AM, martijn.list wrote:

> Angelo Chen wrote:
>
>> how to close access to ".class" and ".tml"?
>
> This has been posted to the list multiple times so another time wouldn't
> hurt ;)
>
> I use the following code to whitelist some assets. Access to non white
> listed assets is denied.
>
> Add to your application module:
>
>     private static final String[] ASSET_WHITE_LIST = {"jpg", "jpeg", "png", "gif", "js", "css", "ico"};
>
>     /*
>      * All the assets that are allowed to be downloaded using the assets service
>      * (including files without extension and dirs)
>      */
>     private static final Set<String> assetsWhitelist = Collections.synchronizedSet(
>             new HashSet<String>(Arrays.asList(ASSET_WHITE_LIST)));
>
>     public void contributeHttpServletRequestHandler(
>             OrderedConfiguration<HttpServletRequestFilter> configuration,
>             @Inject @Value("${access-denied-page}") final String accessDeniedPage)
>     {
>         /*
>          * Create a filter that will block access to some assets. The asset service allows access to some assets we do
>          * not want to expose. The asset service will show all files in /assets/ directory and allows you (by default)
>          * to download some files which you do not want to expose.
>          */
>         HttpServletRequestFilter filter = new HttpServletRequestFilter()
>         {
>             public boolean service(HttpServletRequest request, HttpServletResponse response,
>                     HttpServletRequestHandler handler)
>                 throws IOException
>             {
>                 String path = request.getServletPath();
>
>                 if (path.startsWith("/assets") && (!assetsWhitelist.contains(
>                         StringUtils.lowerCase(FilenameUtils.getExtension(path)))))
>                 {
>                     logger.warn("access to asset " + path + " denied");
>
>                     response.sendRedirect(request.getContextPath() + "/" + accessDeniedPage);
>
>                     return true;
>                 }
>
>                 return handler.service(request, response);
>             }
>         };
>
>         configuration.add("AssetProtectionFilter", filter, "before:*");
>     }
>
> --
> Djigzo open source email encryption
Re: Projects and sites powered by Tapestry
Angelo Chen wrote:
> how to close access to ".class" and ".tml"?

This has been posted to the list multiple times so another time wouldn't hurt ;)

I use the following code to whitelist some assets. Access to non white listed assets is denied.

Add to your application module:

    // Imports needed at the top of the module class (commons-lang 2.x and commons-io):
    import java.io.IOException;
    import java.util.Arrays;
    import java.util.Collections;
    import java.util.HashSet;
    import java.util.Set;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.apache.commons.io.FilenameUtils;
    import org.apache.commons.lang.StringUtils;
    import org.apache.tapestry5.ioc.OrderedConfiguration;
    import org.apache.tapestry5.ioc.annotations.Inject;
    import org.apache.tapestry5.ioc.annotations.Value;
    import org.apache.tapestry5.services.HttpServletRequestFilter;
    import org.apache.tapestry5.services.HttpServletRequestHandler;

    private static final String[] ASSET_WHITE_LIST = {"jpg", "jpeg", "png", "gif", "js", "css", "ico"};

    /*
     * All the assets that are allowed to be downloaded using the assets service
     * (including files without extension and dirs)
     */
    private static final Set<String> assetsWhitelist = Collections.synchronizedSet(
            new HashSet<String>(Arrays.asList(ASSET_WHITE_LIST)));

    // "logger" is a logger field that already exists in the module class.
    public void contributeHttpServletRequestHandler(
            OrderedConfiguration<HttpServletRequestFilter> configuration,
            @Inject @Value("${access-denied-page}") final String accessDeniedPage)
    {
        /*
         * Create a filter that will block access to some assets. The asset service allows access to some assets we do
         * not want to expose. The asset service will show all files in /assets/ directory and allows you (by default)
         * to download some files which you do not want to expose.
         */
        HttpServletRequestFilter filter = new HttpServletRequestFilter()
        {
            public boolean service(HttpServletRequest request, HttpServletResponse response,
                    HttpServletRequestHandler handler)
                throws IOException
            {
                String path = request.getServletPath();

                // Deny every asset request whose extension is not on the whitelist.
                if (path.startsWith("/assets") && (!assetsWhitelist.contains(
                        StringUtils.lowerCase(FilenameUtils.getExtension(path)))))
                {
                    logger.warn("access to asset " + path + " denied");

                    response.sendRedirect(request.getContextPath() + "/" + accessDeniedPage);

                    return true;
                }

                return handler.service(request, response);
            }
        };

        configuration.add("AssetProtectionFilter", filter, "before:*");
    }

-- 
Djigzo open source email encryption
Re: Projects and sites powered by Tapestry
how to close access to ".class" and ".tml"? Sergey Didenko wrote: > > BTW, it's worth to remind again everyone who is going to publish their > site urls, to close the access to ".class" and ".tml" files . > > On Tue, Sep 8, 2009 at 6:46 PM, Massimo Lusetti > wrote: >> On Tue, Sep 8, 2009 at 5:27 PM, Thiago H. de Paula >> Figueiredo wrote: >> >>> Hi! >>> >>> I guess this was already discussed some time ago, but I couldn't find >>> it. :( >>> Anyway, it's been a long time, so let's get it started again. ;) >>> >>> Tapestry is a wonderful framework, but it isn't the best known one >>> around. >>> Sometimes, managers ask us to provide some projects/sites/success >>> stories/etc using it so they can be more confident about Tapestry. >>> There's a >>> Success Stories page in the wiki >>> (http://wiki.apache.org/tapestry/SuccessStories), but it hasn't had any >>> edit >>> since 2007-10-05. >>> >>> What about sharing your success stories with us, promoting Tapestry >>> (specially T5)? If the project is a public website, please post the URL >>> here. I think we should have a list of Tapestry-powered sites. >>> >>> Thanks in advance. >> >> It would be great to have that page more up to date but i remember >> Howard asking for "private" user stories and more then one have >> replied him even personally so i guess if that would make sense too to >> have that stories online. >> Do i remember correctly Howard? >> >> -- >> Massimo >> http://meridio.blogspot.com >> >> - >> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org >> For additional commands, e-mail: users-h...@tapestry.apache.org >> >> > > - > To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org > For additional commands, e-mail: users-h...@tapestry.apache.org > > > -- View this message in context: http://www.nabble.com/Projects-and-sites-powered-by-Tapestry-tp25348447p25375291.html Sent from the Tapestry - User mailing list archive at Nabble.com. 
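One way to make the allow/deny decision behind that reminder, as an added example (not code from this thread or from Tapestry): a plain-Java extension allowlist for paths under `/assets`, the prefix used by the filter posted in this thread. The class name, the allowlist contents and the sample paths are assumptions.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added example: dependency-free extension allowlist for asset URLs.
// Class name, allowlist contents and sample paths are assumptions.
public class AssetExtensionCheck {

    // Assumed allowlist: only static file types the site means to publish.
    static final Set<String> ALLOWED = Set.of("css", "js", "png", "gif", "jpg", "ico");

    // Returns true when the request may proceed, false when it must be denied.
    static boolean isAllowed(String servletPath) {
        if (!servletPath.startsWith("/assets")) {
            return true; // not an asset request; other handlers decide
        }
        String file = servletPath.substring(servletPath.lastIndexOf('/') + 1);
        int dot = file.lastIndexOf('.');
        if (dot < 0 || dot == file.length() - 1) {
            return false; // no usable extension: deny by default
        }
        // Locale.ROOT keeps the result stable; under a Turkish default
        // locale "GIF".toLowerCase() would not equal "gif".
        String ext = file.substring(dot + 1).toLowerCase(Locale.ROOT);
        return ALLOWED.contains(ext);
    }

    public static void main(String[] args) {
        // Constructed sample paths, not taken from a real site.
        List<String> samples = List.of(
            "/assets/app/css/site.css",
            "/assets/app/img/LOGO.GIF",
            "/assets/app/pages/Index.tml",
            "/assets/app/pages/Index.CLASS",
            "/assets/app/README",
            "/index");
        for (String p : samples) {
            System.out.println((isAllowed(p) ? "allow " : "deny  ") + p);
        }
    }
}
```

Because the list names what may be served instead of what may not, `.tml`, `.class` and any file type added to the classpath later are denied without further changes.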
Re: Projects and sites powered by Tapestry
BTW, it's worth reminding everyone again who is going to publish their site URLs to close access to ".class" and ".tml" files.

On Tue, Sep 8, 2009 at 6:46 PM, Massimo Lusetti wrote:
> It would be great to have that page more up to date, but I remember
> Howard asking for "private" user stories, and more than one have
> replied to him even personally, so I guess if that would make sense too to
> have those stories online.
> Do I remember correctly, Howard?
>
> --
> Massimo
> http://meridio.blogspot.com
Re: Projects and sites powered by Tapestry
On Tue, Sep 8, 2009 at 5:27 PM, Thiago H. de Paula Figueiredo wrote:
> Hi!
>
> I guess this was already discussed some time ago, but I couldn't find it. :(
> Anyway, it's been a long time, so let's get it started again. ;)
>
> Tapestry is a wonderful framework, but it isn't the best known one around.
> Sometimes, managers ask us to provide some projects/sites/success
> stories/etc using it so they can be more confident about Tapestry. There's a
> Success Stories page in the wiki
> (http://wiki.apache.org/tapestry/SuccessStories), but it hasn't had any edit
> since 2007-10-05.
>
> What about sharing your success stories with us, promoting Tapestry
> (especially T5)? If the project is a public website, please post the URL
> here. I think we should have a list of Tapestry-powered sites.
>
> Thanks in advance.

It would be great to have that page more up to date, but I remember Howard asking for "private" user stories, and more than one have replied to him even personally, so I guess if that would make sense too to have those stories online.
Do I remember correctly, Howard?

--
Massimo
http://meridio.blogspot.com
Projects and sites powered by Tapestry
Hi!

I guess this was already discussed some time ago, but I couldn't find it. :(
Anyway, it's been a long time, so let's get it started again. ;)

Tapestry is a wonderful framework, but it isn't the best known one around. Sometimes, managers ask us to provide some projects/sites/success stories/etc using it so they can be more confident about Tapestry. There's a Success Stories page in the wiki (http://wiki.apache.org/tapestry/SuccessStories), but it hasn't had any edit since 2007-10-05.

What about sharing your success stories with us, promoting Tapestry (especially T5)? If the project is a public website, please post the URL here. I think we should have a list of Tapestry-powered sites.

Thanks in advance.

--
Thiago H. de Paula Figueiredo
Independent Java consultant, developer, and instructor
http://www.arsmachina.com.br/thiago