Re: Projects and sites powered by Tapestry

2009-10-03 Thread Angelo Chen
rvletRequest request, 
>>> HttpServletResponse response, HttpServletRequestHandler handler)
>>>  throws IOException
>>>  {
>>>  String path = request.getServletPath();
>>>
>>>  if (path.startsWith("/assets") &&
>>> (!assetsWhitelist.contains(
>>>
>>> StringUtils.lowerCase(FilenameUtils.getExtension(path)
>>>  {
>>>  logger.warn("access to asset " + path + " denied");
>>>
>>>  response.sendRedirect(request.getContextPath() + "/" + 
>>> accessDeniedPage);
>>>
>>>  return true;
>>>  }
>>>
>>>  return handler.service(request, response);
>>>  }
>>>  };
>>>
>>>  configuration.add("AssetProtectionFilter", filter , "before:*");
>>> }
>>>
>>>
>>>> Sergey Didenko wrote:
>>>>> BTW, it's worth to remind again everyone who is going to publish their
>>>>> site urls, to close the access to ".class" and ".tml" files .
>>>>>
>>>>> On Tue, Sep 8, 2009 at 6:46 PM, Massimo Lusetti 
>>>>> wrote:
>>>>>> On Tue, Sep 8, 2009 at 5:27 PM, Thiago H. de Paula
>>>>>> Figueiredo wrote:
>>>>>>
>>>>>>> Hi!
>>>>>>>
>>>>>>> I guess this was already discussed some time ago, but I couldn't
>>>>>>> find
>>>>>>> it. :(
>>>>>>> Anyway, it's been a long time, so let's get it started again. ;)
>>>>>>>
>>>>>>> Tapestry is a wonderful framework, but it isn't the best known one
>>>>>>> around.
>>>>>>> Sometimes, managers ask us to provide some projects/sites/success
>>>>>>> stories/etc using it so they can be more confident about Tapestry.
>>>>>>> There's a
>>>>>>> Success Stories page in the wiki
>>>>>>> (http://wiki.apache.org/tapestry/SuccessStories), but it hasn't had
>>>>>>> any
>>>>>>> edit
>>>>>>> since 2007-10-05.
>>>>>>>
>>>>>>> What about sharing your success stories with us, promoting Tapestry
>>>>>>> (specially T5)? If the project is a public website, please post the
>>>>>>> URL
>>>>>>> here. I think we should have a list of Tapestry-powered sites.
>>>>>>>
>>>>>>> Thanks in advance.
>>>>>> It would be great to have that page more up to date but i remember
>>>>>> Howard asking for "private" user stories and more then one have
>>>>>> replied him even personally so i guess if that would make sense too
>>>>>> to
>>>>>> have that stories online.
>>>>>> Do i remember correctly Howard?
>>>>>>
>>>>>> --
>>>>>> Massimo
>>>>>> http://meridio.blogspot.com
>>>>>>
>>>>>> -
>>>>>> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
>>>>>> For additional commands, e-mail: users-h...@tapestry.apache.org
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>
>>> -- 
>>> Djigzo open source email encryption
>>>
>>>
>>>
>>>
>> 
> 
> 
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Projects-and-sites-powered-by-Tapestry-tp25348447p25732434.html
Sent from the Tapestry - User mailing list archive at Nabble.com.





Re: Projects and sites powered by Tapestry

2009-10-03 Thread martijn.list
A solution to this problem has been posted multiple times. It has even 
been posted in this thread but I'll post it again




I use the following code to whitelist some assets. Access to
non-whitelisted assets is denied.


Add to your application module:


// imports needed by the snippet (not shown in the original post):
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.io.FilenameUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.ioc.annotations.Inject;
import org.apache.tapestry5.ioc.annotations.Value;
import org.apache.tapestry5.services.HttpServletRequestFilter;
import org.apache.tapestry5.services.HttpServletRequestHandler;

private static final String[] ASSET_WHITE_LIST = {"jpg", "jpeg", "png",
    "gif", "js", "css", "ico"};

/*
 * All the assets that are allowed to be downloaded using the assets
 * service (including files without extension and dirs)
 */
private static final Set<String> assetsWhitelist =
    Collections.synchronizedSet(
        new HashSet<String>(Arrays.asList(ASSET_WHITE_LIST)));

public void contributeHttpServletRequestHandler(
        OrderedConfiguration<HttpServletRequestFilter> configuration,
        @Inject @Value("${access-denied-page}") final String accessDeniedPage)
{
    /*
     * Create a filter that will block access to some assets. The asset
     * service allows access to some assets we do not want to expose. It
     * will show all files in the /assets/ directory and allows you (by
     * default) to download some files which you do not want to expose.
     */
    HttpServletRequestFilter filter = new HttpServletRequestFilter()
    {
        public boolean service(HttpServletRequest request,
                HttpServletResponse response, HttpServletRequestHandler handler)
            throws IOException
        {
            String path = request.getServletPath();

            // deny anything under /assets whose lower-cased extension is
            // not whitelisted (no extension => empty string => denied)
            if (path.startsWith("/assets") && !assetsWhitelist.contains(
                    StringUtils.lowerCase(FilenameUtils.getExtension(path))))
            {
                // logger: the module's org.slf4j.Logger (not shown in the post)
                logger.warn("access to asset " + path + " denied");

                response.sendRedirect(request.getContextPath() + "/"
                    + accessDeniedPage);

                return true;
            }

            return handler.service(request, response);
        }
    };

    configuration.add("AssetProtectionFilter", filter, "before:*");
}


Angelo Chen wrote:

Hi,
I use the code to protect assets, here is the url:

http://example.com/assets
http://example.com/assets/

For the first URL the following code works; for the second URL, if it runs in Jetty,
the code works, but if it is under Tomcat 6 it still lists files under WEB-INF.
Any idea? Thanks,






martijn.list wrote:

Angelo Chen wrote:

how to close access to ".class" and ".tml"?



This has been posted to the list multiple times, so I guess another time
wouldn't hurt ;)



I use the following code to whitelist some assets. Access to
non-whitelisted assets is denied.


Add to your application module:


private static final String[] ASSET_WHITE_LIST = {"jpg", "jpeg", "png",
    "gif", "js", "css", "ico"};

/*
 * All the assets that are allowed to be downloaded using the assets
 * service (including files without extension and dirs)
 */
private static final Set<String> assetsWhitelist =
    Collections.synchronizedSet(
        new HashSet<String>(Arrays.asList(ASSET_WHITE_LIST)));

public void contributeHttpServletRequestHandler(
        OrderedConfiguration<HttpServletRequestFilter> configuration,
        @Inject @Value("${access-denied-page}") final String accessDeniedPage)
{
    /*
     * Create a filter that will block access to some assets. The asset
     * service allows access to some assets we do not want to expose. It
     * will show all files in the /assets/ directory and allows you (by
     * default) to download some files which you do not want to expose.
     */
    HttpServletRequestFilter filter = new HttpServletRequestFilter()
    {
        public boolean service(HttpServletRequest request,
                HttpServletResponse response, HttpServletRequestHandler handler)
            throws IOException
        {
            String path = request.getServletPath();

            // deny anything under /assets whose lower-cased extension is
            // not whitelisted (no extension => empty string => denied)
            if (path.startsWith("/assets") && !assetsWhitelist.contains(
                    StringUtils.lowerCase(FilenameUtils.getExtension(path))))
            {
                // logger: the module's org.slf4j.Logger (not shown in the post)
                logger.warn("access to asset " + path + " denied");

                response.sendRedirect(request.getContextPath() + "/"
                    + accessDeniedPage);

                return true;
            }

            return handler.service(request, response);
        }
    };

    configuration.add("AssetProtectionFilter", filter, "before:*");
}



Sergey Didenko wrote:

BTW, it's worth reminding everyone who is going to publish their
site URLs again to close access to ".class" and ".tml" files.

On Tue, Sep 8, 2009 at 6:46 PM, Massimo Lusetti 
wrote:

On Tue, Sep 8, 2009 at 5:27 PM, Thiago H. de Paula
Figueiredo wrote:


Hi!

I guess this was already discussed some time ago, but I couldn't find
it. :(
Anyway, it's been a long time, so let's get it started again. ;)

Tapestry is a wonderful framework, but it isn't the best known one
around.
Sometimes, managers ask us to provide some projects/sites/success
stories/etc using it so they can be more confident about Tapestry.
There's a
Success Stories page in the wiki
(http://wiki.apache.org/tapestry/SuccessStories), but it hasn't had
any
edit
since 2007-10-05.

What about sharing your success stories with us, pr
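As an added example (not code from martijn.list's post or from Tapestry itself), the same HttpServletRequestFilter idea hardened so that it also covers the trailing-slash URL Angelo reports and a few other cases the posted version leaves open. It assumes that Jetty and Tomcat split "/assets/" differently between getServletPath() and getPathInfo(), so it checks the concatenation of both; the module class name, the standalone decision helper and the 403 response (instead of a redirect) are choices made here, and the filter needs no Commons Lang/IO.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.services.HttpServletRequestFilter;
import org.apache.tapestry5.services.HttpServletRequestHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Hypothetical Tapestry 5 application module (name chosen for this example)
 * that contributes a hardened asset whitelist filter. Compared with the filter
 * posted in the thread it: denies "/assets" and "/assets/" (directory requests)
 * outright, denies ".." segments before anything else, treats a missing
 * extension as denied, compares extensions case-insensitively, and answers
 * with 403 instead of redirecting.
 */
public class AssetWhitelistModule
{
    private static final Logger LOGGER =
        LoggerFactory.getLogger(AssetWhitelistModule.class);

    private static final String ASSET_PREFIX = "/assets";

    /** Extensions the asset service may serve; everything else is denied. */
    private static final Set<String> ALLOWED_EXTENSIONS =
        Collections.unmodifiableSet(new HashSet<String>(Arrays.asList(
            "jpg", "jpeg", "png", "gif", "js", "css", "ico")));

    /** Decision logic kept separate from the servlet API so it is unit-testable. */
    static boolean isAllowedAssetPath(String path)
    {
        if (path == null)
        {
            return true;  // nothing to inspect; not an asset request
        }
        boolean assetRequest = path.equals(ASSET_PREFIX)
                            || path.startsWith(ASSET_PREFIX + "/");
        if (!assetRequest)
        {
            return true;  // not an asset URL at all: leave it to the next handler
        }
        // "/assets", "/assets/" and anything ending in "/" is a directory request,
        // never a file: this is the case that listed WEB-INF on Tomcat.
        if (path.equals(ASSET_PREFIX) || path.endsWith("/"))
        {
            return false;
        }
        String[] segments = path.split("/");
        for (String segment : segments)
        {
            if (segment.equals("..") || segment.equals("."))
            {
                return false;  // traversal: deny before any file lookup
            }
        }
        String fileName = segments[segments.length - 1];
        int dot = fileName.lastIndexOf('.');
        if (dot <= 0 || dot == fileName.length() - 1)
        {
            return false;  // no extension, dotfile or trailing dot: deny
        }
        String extension = fileName.substring(dot + 1).toLowerCase(Locale.ROOT);
        return ALLOWED_EXTENSIONS.contains(extension);
    }

    public static void contributeHttpServletRequestHandler(
            OrderedConfiguration<HttpServletRequestFilter> configuration)
    {
        HttpServletRequestFilter filter = new HttpServletRequestFilter()
        {
            public boolean service(HttpServletRequest request,
                    HttpServletResponse response,
                    HttpServletRequestHandler handler) throws IOException
            {
                // Containers may split the same URL differently between
                // servletPath and pathInfo (assumption: the reason the
                // trailing-slash URL slipped through on Tomcat), so check both.
                String servletPath = request.getServletPath();
                String pathInfo = request.getPathInfo();
                String path = (servletPath == null ? "" : servletPath)
                            + (pathInfo == null ? "" : pathInfo);

                if (!isAllowedAssetPath(path))
                {
                    // the warning is the detection signal for probing of /assets
                    LOGGER.warn("access to asset {} denied", path);
                    response.sendError(HttpServletResponse.SC_FORBIDDEN);
                    return true;  // handled; do not pass on to the asset service
                }
                return handler.service(request, response);
            }
        };
        configuration.add("AssetProtectionFilter", filter, "before:*");
    }
}
```

With this helper, "/assets/", "/assets/WEB-INF/app/pages/Index.tml" and "/assets/../WEB-INF/web.xml" are all denied, while "/assets/css/site.CSS" is allowed.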

Re: Projects and sites powered by Tapestry

2009-10-03 Thread Angelo Chen

Hi,
I use the code to protect assets, here is the url:

http://example.com/assets
http://example.com/assets/

For the first URL the following code works; for the second URL, if it runs in Jetty,
the code works, but if it is under Tomcat 6 it still lists files under WEB-INF.
Any idea? Thanks,






martijn.list wrote:
> 
> Angelo Chen wrote:
>> how to close access to ".class" and ".tml"?
>> 
> 
> 
> This has been posted to the list multiple times, so I guess another time
> wouldn't hurt ;)
> 
> 
> I use the following code to whitelist some assets. Access to
> non-whitelisted assets is denied.
> 
> Add to your application module:
> 
> 
> private static final String[] ASSET_WHITE_LIST = {"jpg", "jpeg", "png",
>     "gif", "js", "css", "ico"};
> 
> /*
>  * All the assets that are allowed to be downloaded using the assets
>  * service (including files without extension and dirs)
>  */
> private static final Set<String> assetsWhitelist =
>     Collections.synchronizedSet(
>         new HashSet<String>(Arrays.asList(ASSET_WHITE_LIST)));
> 
> public void contributeHttpServletRequestHandler(
>         OrderedConfiguration<HttpServletRequestFilter> configuration,
>         @Inject @Value("${access-denied-page}") final String accessDeniedPage)
> {
>     /*
>      * Create a filter that will block access to some assets. The asset
>      * service allows access to some assets we do not want to expose. It
>      * will show all files in the /assets/ directory and allows you (by
>      * default) to download some files which you do not want to expose.
>      */
>     HttpServletRequestFilter filter = new HttpServletRequestFilter()
>     {
>         public boolean service(HttpServletRequest request,
>                 HttpServletResponse response, HttpServletRequestHandler handler)
>             throws IOException
>         {
>             String path = request.getServletPath();
> 
>             // deny anything under /assets whose lower-cased extension is
>             // not whitelisted (no extension => empty string => denied)
>             if (path.startsWith("/assets") && !assetsWhitelist.contains(
>                     StringUtils.lowerCase(FilenameUtils.getExtension(path))))
>             {
>                 // logger: the module's org.slf4j.Logger (not shown in the post)
>                 logger.warn("access to asset " + path + " denied");
> 
>                 response.sendRedirect(request.getContextPath() + "/"
>                     + accessDeniedPage);
> 
>                 return true;
>             }
> 
>             return handler.service(request, response);
>         }
>     };
> 
>     configuration.add("AssetProtectionFilter", filter, "before:*");
> }
> 
> 
>> 
>> Sergey Didenko wrote:
>>> BTW, it's worth to remind again everyone who is going to publish their
>>> site urls, to close the access to ".class" and ".tml" files .
>>>
>>> On Tue, Sep 8, 2009 at 6:46 PM, Massimo Lusetti 
>>> wrote:
>>>> On Tue, Sep 8, 2009 at 5:27 PM, Thiago H. de Paula
>>>> Figueiredo wrote:
>>>>
>>>>> Hi!
>>>>>
>>>>> I guess this was already discussed some time ago, but I couldn't find
>>>>> it. :(
>>>>> Anyway, it's been a long time, so let's get it started again. ;)
>>>>>
>>>>> Tapestry is a wonderful framework, but it isn't the best known one
>>>>> around.
>>>>> Sometimes, managers ask us to provide some projects/sites/success
>>>>> stories/etc using it so they can be more confident about Tapestry.
>>>>> There's a
>>>>> Success Stories page in the wiki
>>>>> (http://wiki.apache.org/tapestry/SuccessStories), but it hasn't had
>>>>> any
>>>>> edit
>>>>> since 2007-10-05.
>>>>>
>>>>> What about sharing your success stories with us, promoting Tapestry
>>>>> (specially T5)? If the project is a public website, please post the
>>>>> URL
>>>>> here. I think we should have a list of Tapestry-powered sites.
>>>>>
>>>>> Thanks in advance.
>>>> It would be great to have that page more up to date but i remember
>>>> Howard asking for "private" user stories and more then one have
>>>> replied him even personally so i guess if that would make sense too to
>>>> have that stories online.
>>>> Do i remember correctly Howard?
>>>>
>>>> --
>>>> Massimo
>>>> http://meridio.blogspot.com
>>>>
>>>> -

Re: Projects and sites powered by Tapestry

2009-10-03 Thread Angelo Chen
>> >>>>
>> >>>>  Hi!
>> >>>>>
>> >>>>> I guess this was already discussed some time ago, but I couldn't
>> find
>> >>>>> it. :(
>> >>>>> Anyway, it's been a long time, so let's get it started again. ;)
>> >>>>>
>> >>>>> Tapestry is a wonderful framework, but it isn't the best known one
>> >>>>> around.
>> >>>>> Sometimes, managers ask us to provide some projects/sites/success
>> >>>>> stories/etc using it so they can be more confident about Tapestry.
>> >>>>> There's a
>> >>>>> Success Stories page in the wiki
>> >>>>> (http://wiki.apache.org/tapestry/SuccessStories), but it hasn't had
>> >>>>> any
>> >>>>> edit
>> >>>>> since 2007-10-05.
>> >>>>>
>> >>>>> What about sharing your success stories with us, promoting Tapestry
>> >>>>> (specially T5)? If the project is a public website, please post the
>> URL
>> >>>>> here. I think we should have a list of Tapestry-powered sites.
>> >>>>>
>> >>>>> Thanks in advance.
>> >>>>>
>> >>>> It would be great to have that page more up to date but i remember
>> >>>> Howard asking for "private" user stories and more then one have
>> >>>> replied him even personally so i guess if that would make sense too
>> to
>> >>>> have that stories online.
>> >>>> Do i remember correctly Howard?
>> >>>>
>> >>>> --
>> >>>> Massimo
>> >>>> http://meridio.blogspot.com
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>> 
>> >>>
>> >>>
>> >>>
>> >>>
>> >>
>> >
>> >
>> >
>>
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Projects-and-sites-powered-by-Tapestry-tp25348447p25727490.html
Sent from the Tapestry - User mailing list archive at Nabble.com.





Re: Projects and sites powered by Tapestry

2009-09-10 Thread Benny Law
Thanks for the detailed info, Alex. There is so much to learn. I hope this
hole gets patched soon.

Benny

On Thu, Sep 10, 2009 at 9:41 AM, Alex Kotchnev  wrote:

> Benny,
>   indeed that would be the case for a "traditional" web framework that
> serves web application assets (e.g. stylesheets, images, javascript) only
> from the publicly available directories (e.g. outside of WEB-INF). However,
> because of T5's component nature , if you deployed a component (e.g. as a
> jar in the web app) it might need to access assets from the classpath (e.g.
> from the component jar). Hence, currently there is a wide gaping security
> hole in a "stock" T5 application's Asset service, that it can access any
> files on the classpath (e.g. property files, .tml source, etc). There is an
> issue filed for this , some improvements in T5.1, and a few decent
> solutions
> (as the posting above mentions), but the framework is still very
> vulnerable.
>
>
> Cheers,
>
> Alex K
>
> On Thu, Sep 10, 2009 at 8:56 AM, Benny Law  wrote:
>
> > Pardon me if I am mistaken, but shouldn't .class and .tml files be under
> > WEB-INF and hence inaccessible automatically?
> >
> > Benny
> >
> > On Thu, Sep 10, 2009 at 2:52 AM, martijn.list wrote:
> >
> > > Angelo Chen wrote:
> > >
> > >> how to close access to ".class" and ".tml"?
> > >>
> > >>
> > >
> > > This has been posted to the list multiple times, so I guess another time
> > > wouldn't hurt ;)
> > >
> > >
> > > I use the following code to whitelist some assets. Access to
> > > non-whitelisted assets is denied.
> > >
> > > Add to your application module:
> > >
> > >
> > > private static final String[] ASSET_WHITE_LIST = {"jpg", "jpeg", "png",
> > >     "gif", "js", "css", "ico"};
> > >
> > > /*
> > >  * All the assets that are allowed to be downloaded using the assets
> > >  * service (including files without extension and dirs)
> > >  */
> > > private static final Set<String> assetsWhitelist =
> > >     Collections.synchronizedSet(
> > >         new HashSet<String>(Arrays.asList(ASSET_WHITE_LIST)));
> > >
> > > public void contributeHttpServletRequestHandler(
> > >         OrderedConfiguration<HttpServletRequestFilter> configuration,
> > >         @Inject @Value("${access-denied-page}") final String accessDeniedPage)
> > > {
> > >     /*
> > >      * Create a filter that will block access to some assets. The asset
> > >      * service allows access to some assets we do not want to expose. It
> > >      * will show all files in the /assets/ directory and allows you (by
> > >      * default) to download some files which you do not want to expose.
> > >      */
> > >     HttpServletRequestFilter filter = new HttpServletRequestFilter()
> > >     {
> > >         public boolean service(HttpServletRequest request,
> > >                 HttpServletResponse response, HttpServletRequestHandler handler)
> > >             throws IOException
> > >         {
> > >             String path = request.getServletPath();
> > >
> > >             // deny anything under /assets whose lower-cased extension is
> > >             // not whitelisted (no extension => empty string => denied)
> > >             if (path.startsWith("/assets") && !assetsWhitelist.contains(
> > >                     StringUtils.lowerCase(FilenameUtils.getExtension(path))))
> > >             {
> > >                 // logger: the module's org.slf4j.Logger (not shown in the post)
> > >                 logger.warn("access to asset " + path + " denied");
> > >
> > >                 response.sendRedirect(request.getContextPath() + "/"
> > >                     + accessDeniedPage);
> > >
> > >                 return true;
> > >             }
> > >
> > >             return handler.service(request, response);
> > >         }
> > >     };
> > >
> > >     configuration.add("AssetProtectionFilter", filter, "before:*");
> > > }
> > >
> > >
> > >
> > >> Sergey Didenko wrote:
> > >>
> > >>> BTW, it's worth to remind again everyone who is going to publish
> their
> > >>> site urls, to close the access to ".class" and ".tml" files .
> > >>>
> > >>> On Tue, Sep 8, 2009 at 6:46 PM, Massimo Lusetti 
> > >>> wrote:
> > >>>
> >  On Tue, Sep 8, 2009 at 5:27 PM, Thiago H. de Paula
> >  Figueiredo wrote:
> > 
> >   Hi!
> > >
> > > I guess this was already discussed some time ago, but I couldn't
> find
> > > it. :(
> > > Anyway, it's been a long time, so let's get it started again. ;)
> > >
> > > Tapestry is a wonderful framework, but it isn't the best known one
> > > around.
> > > Sometimes, managers ask us to provide some projects/sites/success
> > > stories/etc using it so they can be more confident about Tapestry.
> > > There's a
> > > Success Stories page in the wiki
> > > (http://wiki.apache.org/tapestry/SuccessStories), but it hasn't
> had
> > > any
> > > edit
> > > since 2007-10-05.
> > >
> > > What about sharing your success stories with us, promoting Tapestry
> > > (specially T5)? If the project is a public website, please post the
> > URL
> > > here. I think we should have a list of Tapestry-powered sites.
> > >
> > > Thanks in advance.
> > >
> >  It would be great to have that page more up to date but i remember
> >  Howard asking for "private" user stories and more then one hav

Re: Projects and sites powered by Tapestry

2009-09-10 Thread Alex Kotchnev
Benny,
   indeed that would be the case for a "traditional" web framework that
serves web application assets (e.g. stylesheets, images, javascript) only
from the publicly available directories (e.g. outside of WEB-INF). However,
because of T5's component nature, if you deployed a component (e.g. as a
jar in the web app) it might need to access assets from the classpath (e.g.
from the component jar). Hence, currently there is a wide gaping security
hole in a "stock" T5 application's Asset service, that it can access any
files on the classpath (e.g. property files, .tml source, etc). There is an
issue filed for this, some improvements in T5.1, and a few decent solutions
(as the posting above mentions), but the framework is still very vulnerable.


Cheers,

Alex K

On Thu, Sep 10, 2009 at 8:56 AM, Benny Law  wrote:

> Pardon me if I am mistaken, but shouldn't .class and .tml files be under
> WEB-INF and hence inaccessible automatically?
>
> Benny
>
> On Thu, Sep 10, 2009 at 2:52 AM, martijn.list wrote:
>
> > Angelo Chen wrote:
> >
> >> how to close access to ".class" and ".tml"?
> >>
> >>
> >
> > This has been posted to the list multiple times, so I guess another time
> > wouldn't hurt ;)
> >
> >
> > I use the following code to whitelist some assets. Access to
> > non-whitelisted assets is denied.
> >
> > Add to your application module:
> >
> >
> > private static final String[] ASSET_WHITE_LIST = {"jpg", "jpeg", "png",
> >     "gif", "js", "css", "ico"};
> >
> > /*
> >  * All the assets that are allowed to be downloaded using the assets
> >  * service (including files without extension and dirs)
> >  */
> > private static final Set<String> assetsWhitelist =
> >     Collections.synchronizedSet(
> >         new HashSet<String>(Arrays.asList(ASSET_WHITE_LIST)));
> >
> > public void contributeHttpServletRequestHandler(
> >         OrderedConfiguration<HttpServletRequestFilter> configuration,
> >         @Inject @Value("${access-denied-page}") final String accessDeniedPage)
> > {
> >     /*
> >      * Create a filter that will block access to some assets. The asset
> >      * service allows access to some assets we do not want to expose. It
> >      * will show all files in the /assets/ directory and allows you (by
> >      * default) to download some files which you do not want to expose.
> >      */
> >     HttpServletRequestFilter filter = new HttpServletRequestFilter()
> >     {
> >         public boolean service(HttpServletRequest request,
> >                 HttpServletResponse response, HttpServletRequestHandler handler)
> >             throws IOException
> >         {
> >             String path = request.getServletPath();
> >
> >             // deny anything under /assets whose lower-cased extension is
> >             // not whitelisted (no extension => empty string => denied)
> >             if (path.startsWith("/assets") && !assetsWhitelist.contains(
> >                     StringUtils.lowerCase(FilenameUtils.getExtension(path))))
> >             {
> >                 // logger: the module's org.slf4j.Logger (not shown in the post)
> >                 logger.warn("access to asset " + path + " denied");
> >
> >                 response.sendRedirect(request.getContextPath() + "/"
> >                     + accessDeniedPage);
> >
> >                 return true;
> >             }
> >
> >             return handler.service(request, response);
> >         }
> >     };
> >
> >     configuration.add("AssetProtectionFilter", filter, "before:*");
> > }
> >
> >
> >
> >> Sergey Didenko wrote:
> >>
> >>> BTW, it's worth to remind again everyone who is going to publish their
> >>> site urls, to close the access to ".class" and ".tml" files .
> >>>
> >>> On Tue, Sep 8, 2009 at 6:46 PM, Massimo Lusetti 
> >>> wrote:
> >>>
>  On Tue, Sep 8, 2009 at 5:27 PM, Thiago H. de Paula
>  Figueiredo wrote:
> 
>   Hi!
> >
> > I guess this was already discussed some time ago, but I couldn't find
> > it. :(
> > Anyway, it's been a long time, so let's get it started again. ;)
> >
> > Tapestry is a wonderful framework, but it isn't the best known one
> > around.
> > Sometimes, managers ask us to provide some projects/sites/success
> > stories/etc using it so they can be more confident about Tapestry.
> > There's a
> > Success Stories page in the wiki
> > (http://wiki.apache.org/tapestry/SuccessStories), but it hasn't had
> > any
> > edit
> > since 2007-10-05.
> >
> > What about sharing your success stories with us, promoting Tapestry
> > (specially T5)? If the project is a public website, please post the
> URL
> > here. I think we should have a list of Tapestry-powered sites.
> >
> > Thanks in advance.
> >
>  It would be great to have that page more up to date but i remember
>  Howard asking for "private" user stories and more then one have
>  replied him even personally so i guess if that would make sense too to
>  have that stories online.
>  Do i remember correctly Howard?
> 
>  --
>  Massimo
>  http://meridio.blogspot.com
> 

Re: Projects and sites powered by Tapestry

2009-09-10 Thread Benny Law
Pardon me if I am mistaken, but shouldn't .class and .tml files be under
WEB-INF and hence inaccessible automatically?

Benny

On Thu, Sep 10, 2009 at 2:52 AM, martijn.list wrote:

> Angelo Chen wrote:
>
>> how to close access to ".class" and ".tml"?
>>
>>
>
> This has been posted to the list multiple times, so I guess another time
> wouldn't hurt ;)
>
>
> I use the following code to whitelist some assets. Access to
> non-whitelisted assets is denied.
>
> Add to your application module:
>
>
> private static final String[] ASSET_WHITE_LIST = {"jpg", "jpeg", "png",
>     "gif", "js", "css", "ico"};
>
> /*
>  * All the assets that are allowed to be downloaded using the assets
>  * service (including files without extension and dirs)
>  */
> private static final Set<String> assetsWhitelist =
>     Collections.synchronizedSet(
>         new HashSet<String>(Arrays.asList(ASSET_WHITE_LIST)));
>
> public void contributeHttpServletRequestHandler(
>         OrderedConfiguration<HttpServletRequestFilter> configuration,
>         @Inject @Value("${access-denied-page}") final String accessDeniedPage)
> {
>     /*
>      * Create a filter that will block access to some assets. The asset
>      * service allows access to some assets we do not want to expose. It
>      * will show all files in the /assets/ directory and allows you (by
>      * default) to download some files which you do not want to expose.
>      */
>     HttpServletRequestFilter filter = new HttpServletRequestFilter()
>     {
>         public boolean service(HttpServletRequest request,
>                 HttpServletResponse response, HttpServletRequestHandler handler)
>             throws IOException
>         {
>             String path = request.getServletPath();
>
>             // deny anything under /assets whose lower-cased extension is
>             // not whitelisted (no extension => empty string => denied)
>             if (path.startsWith("/assets") && !assetsWhitelist.contains(
>                     StringUtils.lowerCase(FilenameUtils.getExtension(path))))
>             {
>                 // logger: the module's org.slf4j.Logger (not shown in the post)
>                 logger.warn("access to asset " + path + " denied");
>
>                 response.sendRedirect(request.getContextPath() + "/"
>                     + accessDeniedPage);
>
>                 return true;
>             }
>
>             return handler.service(request, response);
>         }
>     };
>
>     configuration.add("AssetProtectionFilter", filter, "before:*");
> }
>
>
>
>> Sergey Didenko wrote:
>>
>>> BTW, it's worth to remind again everyone who is going to publish their
>>> site urls, to close the access to ".class" and ".tml" files .
>>>
>>> On Tue, Sep 8, 2009 at 6:46 PM, Massimo Lusetti 
>>> wrote:
>>>
 On Tue, Sep 8, 2009 at 5:27 PM, Thiago H. de Paula
 Figueiredo wrote:

  Hi!
>
> I guess this was already discussed some time ago, but I couldn't find
> it. :(
> Anyway, it's been a long time, so let's get it started again. ;)
>
> Tapestry is a wonderful framework, but it isn't the best known one
> around.
> Sometimes, managers ask us to provide some projects/sites/success
> stories/etc using it so they can be more confident about Tapestry.
> There's a
> Success Stories page in the wiki
> (http://wiki.apache.org/tapestry/SuccessStories), but it hasn't had
> any
> edit
> since 2007-10-05.
>
> What about sharing your success stories with us, promoting Tapestry
> (specially T5)? If the project is a public website, please post the URL
> here. I think we should have a list of Tapestry-powered sites.
>
> Thanks in advance.
>
 It would be great to have that page more up to date but i remember
 Howard asking for "private" user stories and more then one have
 replied him even personally so i guess if that would make sense too to
 have that stories online.
 Do i remember correctly Howard?

 --
 Massimo
 http://meridio.blogspot.com



>>>
>>>
>>>
>>>
>>
>
>
>


Re: Projects and sites powered by Tapestry

2009-09-09 Thread martijn.list

Angelo Chen wrote:

how to close access to ".class" and ".tml"?




This has been posted to the list multiple times, so I guess another time
wouldn't hurt ;)



I use the following code to whitelist some assets. Access to
non-whitelisted assets is denied.


Add to your application module:


// imports needed by the snippet (not shown in the original post):
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.io.FilenameUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.ioc.annotations.Inject;
import org.apache.tapestry5.ioc.annotations.Value;
import org.apache.tapestry5.services.HttpServletRequestFilter;
import org.apache.tapestry5.services.HttpServletRequestHandler;

private static final String[] ASSET_WHITE_LIST = {"jpg", "jpeg", "png",
    "gif", "js", "css", "ico"};

/*
 * All the assets that are allowed to be downloaded using the assets
 * service (including files without extension and dirs)
 */
private static final Set<String> assetsWhitelist =
    Collections.synchronizedSet(
        new HashSet<String>(Arrays.asList(ASSET_WHITE_LIST)));

public void contributeHttpServletRequestHandler(
        OrderedConfiguration<HttpServletRequestFilter> configuration,
        @Inject @Value("${access-denied-page}") final String accessDeniedPage)
{
    /*
     * Create a filter that will block access to some assets. The asset
     * service allows access to some assets we do not want to expose. It
     * will show all files in the /assets/ directory and allows you (by
     * default) to download some files which you do not want to expose.
     */
    HttpServletRequestFilter filter = new HttpServletRequestFilter()
    {
        public boolean service(HttpServletRequest request,
                HttpServletResponse response, HttpServletRequestHandler handler)
            throws IOException
        {
            String path = request.getServletPath();

            // deny anything under /assets whose lower-cased extension is
            // not whitelisted (no extension => empty string => denied)
            if (path.startsWith("/assets") && !assetsWhitelist.contains(
                    StringUtils.lowerCase(FilenameUtils.getExtension(path))))
            {
                // logger: the module's org.slf4j.Logger (not shown in the post)
                logger.warn("access to asset " + path + " denied");

                response.sendRedirect(request.getContextPath() + "/"
                    + accessDeniedPage);

                return true;
            }

            return handler.service(request, response);
        }
    };

    configuration.add("AssetProtectionFilter", filter, "before:*");
}




Sergey Didenko wrote:

BTW, it's worth reminding everyone who is going to publish their
site URLs again to close access to ".class" and ".tml" files.

On Tue, Sep 8, 2009 at 6:46 PM, Massimo Lusetti 
wrote:

On Tue, Sep 8, 2009 at 5:27 PM, Thiago H. de Paula
Figueiredo wrote:


Hi!

I guess this was already discussed some time ago, but I couldn't find
it. :(
Anyway, it's been a long time, so let's get it started again. ;)

Tapestry is a wonderful framework, but it isn't the best known one
around.
Sometimes, managers ask us to provide some projects/sites/success
stories/etc using it so they can be more confident about Tapestry.
There's a
Success Stories page in the wiki
(http://wiki.apache.org/tapestry/SuccessStories), but it hasn't had any
edit
since 2007-10-05.

What about sharing your success stories with us, promoting Tapestry
(especially T5)? If the project is a public website, please post the URL
here. I think we should have a list of Tapestry-powered sites.

Thanks in advance.

It would be great to have that page more up to date, but I remember
Howard asking for "private" user stories and more than one have
replied to him, even personally, so I guess it would make sense too to
have those stories online.
Do I remember correctly, Howard?

--
Massimo
http://meridio.blogspot.com















Re: Projects and sites powered by Tapestry

2009-09-09 Thread Angelo Chen

how to close access to ".class" and ".tml"?


Sergey Didenko wrote:
> 
> BTW, it's worth to remind again everyone who is going to publish their
> site urls, to close the access to ".class" and ".tml" files .
> 

-- 
View this message in context: 
http://www.nabble.com/Projects-and-sites-powered-by-Tapestry-tp25348447p25375291.html
Sent from the Tapestry - User mailing list archive at Nabble.com.


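One way to act on Sergey's reminder and answer Angelo's question, as an added example that is not code from this thread or from Tapestry itself: a Tapestry 5 HttpServletRequestFilter contributed from the application's own module that refuses any request under the asset path whose file name does not carry an allow-listed extension. Allow-listing by extension (rather than deny-listing ".class" and ".tml") also stops ".properties" message catalogs, ".java" sources left in the classpath and case variants such as "Index.TML" from being served. The module name com.example.services.AppModule, the filter id "AssetGuard", the "/assets/" prefix (the default asset path in Tapestry 5.0/5.1; check your own configuration) and the extension list are assumptions for this example.

```java
package com.example.services; // assumed module package for this example

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.services.HttpServletRequestFilter;
import org.apache.tapestry5.services.HttpServletRequestHandler;

public class AppModule {

    /** Assumed asset URL prefix; Tapestry 5.0/5.1 serve classpath and context assets below it. */
    private static final String ASSET_PREFIX = "/assets/";

    /** Extensions the application actually needs to serve as assets; everything else is refused. */
    private static final Set<String> ASSET_EXTENSION_ALLOWLIST = new HashSet<String>(
            Arrays.asList("css", "js", "png", "gif", "jpg", "jpeg", "ico", "swf", "html"));

    /**
     * Contribution to Tapestry's HttpServletRequestHandler pipeline. "before:*" puts the
     * guard in front of every other filter, so a refused request never reaches asset
     * dispatching at all.
     */
    public static void contributeHttpServletRequestHandler(
            OrderedConfiguration<HttpServletRequestFilter> configuration) {

        HttpServletRequestFilter assetGuard = new HttpServletRequestFilter() {
            public boolean service(HttpServletRequest request,
                                   HttpServletResponse response,
                                   HttpServletRequestHandler handler) throws IOException {
                // With the Tapestry filter mapped to /* the whole path is the servlet path;
                // some containers split it, so append the path info when present.
                String path = request.getServletPath();
                if (request.getPathInfo() != null) {
                    path = path + request.getPathInfo();
                }

                if (path.startsWith(ASSET_PREFIX) && !isAllowedAssetPath(path)) {
                    // 404 rather than a redirect to an "access denied" page: a probing
                    // client learns nothing about whether the template or class exists.
                    response.sendError(HttpServletResponse.SC_NOT_FOUND);
                    return true; // handled; do not pass the request on
                }
                return handler.service(request, response);
            }
        };

        configuration.add("AssetGuard", assetGuard, "before:*");
    }

    /**
     * Decides on the final path segment only, so a directory name containing ".css" or a
     * trailing slash cannot be used to smuggle a refused file type through.
     */
    static boolean isAllowedAssetPath(String path) {
        // Defensive: refuse any ".." segment even though containers normally normalize it.
        for (String segment : path.split("/")) {
            if ("..".equals(segment)) {
                return false;
            }
        }
        String last = path.substring(path.lastIndexOf('/') + 1);
        // Strip path parameters (e.g. ";jsessionid=...") in case the container left them in.
        int semicolon = last.indexOf(';');
        if (semicolon >= 0) {
            last = last.substring(0, semicolon);
        }
        int dot = last.lastIndexOf('.');
        if (dot < 0 || dot == last.length() - 1) {
            return false; // no extension (or a bare trailing dot): refuse
        }
        String ext = last.substring(dot + 1).toLowerCase(Locale.ROOT);
        return ASSET_EXTENSION_ALLOWLIST.contains(ext);
    }
}
```

To check that the guard is in place after deployment, request the template and class paths of one of your own pages under the asset prefix (for example the page class's package path with ".tml" and ".class" appended) and confirm the server answers 404, while a stylesheet under the same prefix still loads. Keep the allow-list as short as the application permits: every extension added is a class of file the classpath will serve to anyone.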



Re: Projects and sites powered by Tapestry

2009-09-09 Thread Sergey Didenko
BTW, it's worth reminding everyone again who is going to publish their
site URLs to close access to ".class" and ".tml" files.




Re: Projects and sites powered by Tapestry

2009-09-08 Thread Massimo Lusetti
On Tue, Sep 8, 2009 at 5:27 PM, Thiago H. de Paula
Figueiredo wrote:

It would be great to have that page more up to date, but I remember
Howard asking for "private" user stories, and more than one has
replied to him, even personally, so I guess it would make sense to
have those stories online too.
Do I remember correctly, Howard?

-- 
Massimo
http://meridio.blogspot.com




Projects and sites powered by Tapestry

2009-09-08 Thread Thiago H. de Paula Figueiredo

Hi!

I guess this was already discussed some time ago, but I couldn't find it.
:( Anyway, it's been a long time, so let's get it started again. ;)

Tapestry is a wonderful framework, but it isn't the best known one around.
Sometimes, managers ask us to provide some projects/sites/success
stories/etc. using it so they can be more confident about Tapestry. There's
a Success Stories page in the wiki
(http://wiki.apache.org/tapestry/SuccessStories), but it hasn't had any
edit since 2007-10-05.

What about sharing your success stories with us, promoting Tapestry
(especially T5)? If the project is a public website, please post the URL
here. I think we should have a list of Tapestry-powered sites.

Thanks in advance.

--
Thiago H. de Paula Figueiredo
Independent Java consultant, developer, and instructor
http://www.arsmachina.com.br/thiago
