[jira] Commented: (TAP5-633) Allow page classes to have a Page suffix that is not included in the URL

2009-11-09 Thread Paul Field (JIRA)

[ 
https://issues.apache.org/jira/browse/TAP5-633?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12774946#action_12774946
 ] 

Paul Field commented on TAP5-633:
-

Thanks for the URL rewriting idea - I've tried it out quickly but I wasn't keen 
that I still had to use the Page postfix in the .tml files (e.g. when creating 
a link to the page) - I think that would be confusing.

I also had a quick go at advising ComponentClassResolver, but I realised that 
when Tapestry reports the list of known components (on startup and on exception 
pages) it would still list the paths including the Page postfix - which, 
again, I think would be confusing.


 Allow page classes to have a Page suffix that is not included in the URL
 --

 Key: TAP5-633
 URL: https://issues.apache.org/jira/browse/TAP5-633
 Project: Tapestry 5
  Issue Type: Improvement
  Components: tapestry-core
Affects Versions: 5.1.0.2
Reporter: Paul Field
Priority: Minor

 I have an application with a lot of read-only pages. For example, I have a 
 page that shows a company and I would like a URI such as:  /company/1234
 However, if I name the page class Company then I get a naming clash with 
 the domain object Company. What I would like to do is call the Tapestry 5 
 class CompanyPage - after all, that is what the class represents and it's 
 certainly how the team refers to that thing internally and with our business 
 (i.e. Have you seen the new company page?).
 So, please could the ComponentClassResolverImpl remove the suffix Page (if 
 it exists) from the class name when it constructs the logical page name?

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.



svn commit: r834151 - in /tapestry/tapestry5/trunk: src/site/apt/guide/ tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ tapestry-core/src/main/java/org/apache/tapestry5/services/ t

2009-11-09 Thread robertdzeigler
Author: robertdzeigler
Date: Mon Nov  9 17:23:10 2009
New Revision: 834151

URL: http://svn.apache.org/viewvc?rev=834151&view=rev
Log:
TAP5-815: Asset dispatcher allows any file inside the webapp visible and 
downloadable (5.2 branch)

Added:

tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java

tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java

tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/WhitelistAuthorizer.java

tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/AssetPathAuthorizer.java

tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java

tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RegexAuthorizerTest.java

tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/WhitelistAuthorizerTest.java
Modified:
tapestry/tapestry5/trunk/src/site/apt/guide/assets.apt

tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java

tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java

Modified: tapestry/tapestry5/trunk/src/site/apt/guide/assets.apt
URL: 
http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/src/site/apt/guide/assets.apt?rev=834151&r1=834150&r2=834151&view=diff
==
--- tapestry/tapestry5/trunk/src/site/apt/guide/assets.apt (original)
+++ tapestry/tapestry5/trunk/src/site/apt/guide/assets.apt Mon Nov  9 17:23:10 
2009
@@ -138,6 +138,31 @@
   In addition, context assets will use the URL prefix 
/assets/ctx/app-version/.
 
 
+Securing Assets
+
+  Securing assets is an important consideration for any web application.  Many 
assets, such as hibernate configuration
+  files, sit in the classpath and are exposable via the Asset service, which 
is not desirable.  To protect these and
+  other sensitive assets, Tapestry provides the AssetProtectionDispatcher.  
This dispatcher sits in front of the
+  AssetDispatcher, the service responsible for streaming assets to the client, 
and watches for Asset requests.
+  When an asset request comes in, the protection dispatcher checks for 
authorization to view the file against a
+  contributed list of AssetPathAuthorizer implementations.  Determination of 
whether the client can view the requested
+  resource is then made based on whether any of the contributed 
AssetPathAuthorizer implementations explicitly allowed
+  or denied access to the resource.
+
+  Tapestry provides two AssetPathAuthorizer implemenations out of the box to 
which users may contribute: RegexAuthorizer
+  and WhitelistAuthorizer.  RegexAuthorizer uses regular expressions to 
determine assets which are viewable by the
+  client; any assets that match one of its (contributed) regular expressions 
are authorized. Anything not matched is
+  passed through to the WhitelistAuthorizer.  WhitelistAuthorizer uses an 
exact-matching whitelist.  Anything matching
+  exactly one its contributions is allowed; all other asset requests are 
denied.  The default tapestry configuration
+  contributes nothing to WhitelistAuthorizer (access will be denied to all 
asset requests passed through to it), and
+  explicitly allows access to css, jpg, jpeg, js, png, and gif files 
associated with tapestry (tapestry.js, blackbird
+  files, date picker files, etc.).  The default contribution also enables 
access to the css, jpg, jpeg, js, png, and gif
+  files provided by the popular chenille-kit 3rd party library. The default 
configuration denies access to all other
+  assets.  To enable access to your application's assets, either contribute a 
custom AssetPathAnalyzer, or contribute
+  appropriate regular expression or exact path contributions to 
RegexAuthorizer or WhitelistAuthorizer, respectively.
+  See TapestryModule.contribteRegexAuthorizer for examples.
+  
+
 Performance Notes
 
   Assets are expected to be entirely static (not changing while the 
application is deployed). When Tapestry generates a URL
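Review bot: The last paragraph of the new section tells readers to contribute a custom AssetPathAnalyzer, but the interface added in this commit is AssetPathAuthorizer.java and the rest of the section uses that name, so this should read AssetPathAuthorizer. The closing pointer "TapestryModule.contribteRegexAuthorizer" is also misspelled (presumably contributeRegexAuthorizer), which means a reader searching for it will find nothing. "implemenations" and "exactly one its contributions" can be fixed in the same pass.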
@@ -146,4 +171,4 @@
   asset.
 
   In addition, Tapestry will {{{compress.html}GZIP compress}} the content of 
all assets (if the asset
-  is compressable, and the client supports it).
\ No newline at end of file
+  is compressable, and the client supports it).

Added: 
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java
URL: 
http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java?rev=834151&view=auto

svn commit: r834167 - in /tapestry/tapestry5/branches/5.1.0.x-dev: src/site/apt/guide/ tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ tapestry-core/src/main/java/org/apache/tapest

2009-11-09 Thread robertdzeigler
Author: robertdzeigler
Date: Mon Nov  9 18:26:48 2009
New Revision: 834167

URL: http://svn.apache.org/viewvc?rev=834167&view=rev
Log:
TAP5-815: Asset dispatcher allows any file inside the webapp visible and 
downloadable (5.1 branch)

Added:

tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java

tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java

tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/WhitelistAuthorizer.java

tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/services/AssetPathAuthorizer.java

tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java

tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RegexAuthorizerTest.java

tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/WhitelistAuthorizerTest.java
Modified:
tapestry/tapestry5/branches/5.1.0.x-dev/src/site/apt/guide/assets.apt

tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java

tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java

Modified: tapestry/tapestry5/branches/5.1.0.x-dev/src/site/apt/guide/assets.apt
URL: 
http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/src/site/apt/guide/assets.apt?rev=834167&r1=834166&r2=834167&view=diff
==
--- tapestry/tapestry5/branches/5.1.0.x-dev/src/site/apt/guide/assets.apt 
(original)
+++ tapestry/tapestry5/branches/5.1.0.x-dev/src/site/apt/guide/assets.apt Mon 
Nov  9 18:26:48 2009
@@ -138,6 +138,31 @@
   In addition, context assets will use the URL prefix 
/assets/ctx/app-version/.
 
 
+Securing Assets
+
+  Securing assets is an important consideration for any web application.  Many 
assets, such as hibernate configuration
+  files, sit in the classpath and are exposable via the Asset service, which 
is not desirable.  To protect these and
+  other sensitive assets, Tapestry provides the AssetProtectionDispatcher.  
This dispatcher sits in front of the
+  AssetDispatcher, the service responsible for streaming assets to the client, 
and watches for Asset requests.
+  When an asset request comes in, the protection dispatcher checks for 
authorization to view the file against a
+  contributed list of AssetPathAuthorizer implementations.  Determination of 
whether the client can view the requested
+  resource is then made based on whether any of the contributed 
AssetPathAuthorizer implementations explicitly allowed
+  or denied access to the resource.
+
+  Tapestry provides two AssetPathAuthorizer implemenations out of the box to 
which users may contribute: RegexAuthorizer
+  and WhitelistAuthorizer.  RegexAuthorizer uses regular expressions to 
determine assets which are viewable by the
+  client; any assets that match one of its (contributed) regular expressions 
are authorized. Anything not matched is
+  passed through to the WhitelistAuthorizer.  WhitelistAuthorizer uses an 
exact-matching whitelist.  Anything matching
+  exactly one its contributions is allowed; all other asset requests are 
denied.  The default tapestry configuration
+  contributes nothing to WhitelistAuthorizer (access will be denied to all 
asset requests passed through to it), and
+  explicitly allows access to css, jpg, jpeg, js, png, and gif files 
associated with tapestry (tapestry.js, blackbird
+  files, date picker files, etc.).  The default contribution also enables 
access to the css, jpg, jpeg, js, png, and gif
+  files provided by the popular chenille-kit 3rd party library. The default 
configuration denies access to all other
+  assets.  To enable access to your application's assets, either contribute a 
custom AssetPathAnalyzer, or contribute
+  appropriate regular expression or exact path contributions to 
RegexAuthorizer or WhitelistAuthorizer, respectively.
+  See TapestryModule.contribteRegexAuthorizer for examples.
+
+
 Performance Notes
 
   Assets are expected to be entirely static (not changing while the 
application is deployed). When Tapestry generates a URL
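Review bot: The sentence "The default configuration denies access to all other assets" describes a behaviour change landing on a maintenance branch, but the section never tells an upgrading application that its own assets will be refused until it contributes patterns or paths. Suggest an explicit upgrade note at that point, plus one short contribution example inline in the guide instead of only the pointer to TapestryModule, so the symptom after upgrading can be traced back to this section.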
@@ -146,4 +171,4 @@
   asset.
 
   In addition, Tapestry will {{{compress.html}GZIP compress}} the content of 
all assets (if the asset
-  is compressable, and the client supports it).
\ No newline at end of file
+  is compressable, and the client supports it).

Added: 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java
URL: 

svn commit: r834180 - in /tapestry/tapestry5/branches/5.0: src/site/apt/guide/ tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ tapestry-core/src/main/java/org/apache/tapestry5/serv

2009-11-09 Thread robertdzeigler
Author: robertdzeigler
Date: Mon Nov  9 19:28:32 2009
New Revision: 834180

URL: http://svn.apache.org/viewvc?rev=834180&view=rev
Log:
TAP5-815: Asset dispatcher allows any file inside the webapp visible and 
downloadable (5.0 branch)

Added:

tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java

tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java

tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/WhitelistAuthorizer.java

tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/services/AssetPathAuthorizer.java

tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java

tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RegexAuthorizerTest.java

tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/WhitelistAuthorizerTest.java
Modified:
tapestry/tapestry5/branches/5.0/src/site/apt/guide/assets.apt

tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java

tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java

Modified: tapestry/tapestry5/branches/5.0/src/site/apt/guide/assets.apt
URL: 
http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.0/src/site/apt/guide/assets.apt?rev=834180&r1=834179&r2=834180&view=diff
==
--- tapestry/tapestry5/branches/5.0/src/site/apt/guide/assets.apt (original)
+++ tapestry/tapestry5/branches/5.0/src/site/apt/guide/assets.apt Mon Nov  9 
19:28:32 2009
@@ -98,4 +98,28 @@
   Care should be taken to not create overlapping mappings, as the results 
would not be predictable.  
 
 
-  
\ No newline at end of file
+Securing Assets
+
+  Securing assets is an important consideration for any web application.  Many 
assets, such as hibernate configuration
+  files, sit in the classpath and are exposable via the Asset service, which 
is not desirable.  To protect these and
+  other sensitive assets, Tapestry provides the AssetProtectionDispatcher.  
This dispatcher sits in front of the
+  AssetDispatcher, the service responsible for streaming assets to the client, 
and watches for Asset requests.
+  When an asset request comes in, the protection dispatcher checks for 
authorization to view the file against a
+  contributed list of AssetPathAuthorizer implementations.  Determination of 
whether the client can view the requested
+  resource is then made based on whether any of the contributed 
AssetPathAuthorizer implementations explicitly allowed
+  or denied access to the resource.
+
+  Tapestry provides two AssetPathAuthorizer implemenations out of the box to 
which users may contribute: RegexAuthorizer
+  and WhitelistAuthorizer.  RegexAuthorizer uses regular expressions to 
determine assets which are viewable by the
+  client; any assets that match one of its (contributed) regular expressions 
are authorized. Anything not matched is
+  passed through to the WhitelistAuthorizer.  WhitelistAuthorizer uses an 
exact-matching whitelist.  Anything matching
+  exactly one its contributions is allowed; all other asset requests are 
denied.  The default tapestry configuration
+  contributes nothing to WhitelistAuthorizer (access will be denied to all 
asset requests passed through to it), and
+  explicitly allows access to css, jpg, jpeg, js, png, and gif files 
associated with tapestry (tapestry.js, blackbird
+  files, date picker files, etc.).  The default contribution also enables 
access to the css, jpg, jpeg, js, png, and gif
+  files provided by the popular chenille-kit 3rd party library. The default 
configuration denies access to all other
+  assets.  To enable access to your application's assets, either contribute a 
custom AssetPathAnalyzer, or contribute
+  appropriate regular expression or exact path contributions to 
RegexAuthorizer or WhitelistAuthorizer, respectively.
+  See TapestryModule.contribteRegexAuthorizer for examples.
+
+
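Review bot: The RegexAuthorizer description ("any assets that match one of its (contributed) regular expressions are authorized") does not say whether a pattern has to match the whole asset path or only part of it, nor which form of the path it is applied to. Because a regex match is an allow decision, the guide should state the matching rule and show a fully anchored pattern so that contributed expressions are not broader than intended. The first paragraph's "explicitly allowed or denied" also leaves the outcome open when no authorizer decides; the second paragraph implies deny, and that is worth stating once, in the first paragraph.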

Added: 
tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java
URL: 
http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java?rev=834180&view=auto
==
--- 
tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java
 (added)
+++ 

[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

2009-11-09 Thread Robert Zeigler (JIRA)

[ 
https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12775085#action_12775085
 ] 

Robert Zeigler commented on TAP5-815:
-

Hey Chris,

I just committed the AssetProtectionDispatcher stuff (to 5.0 and 5.1 branches 
and to trunk).  That should solve your issue, but if you want to double check 
that, it would be great.
Leaving this issue open for the time being to give people a chance to review.  
I'll close it tonight or tomorrow if I don't hear anything more.

 Asset dispatcher allows any file inside the webapp visible and downloadable
 ---

 Key: TAP5-815
 URL: https://issues.apache.org/jira/browse/TAP5-815
 Project: Tapestry 5
  Issue Type: Bug
Affects Versions: 5.1.0.5
Reporter: Thiago H. de Paula Figueiredo
Assignee: Robert Zeigler
Priority: Blocker

 Take any asset and you have a URL like 
 domain.com/assets/ctx/f10407a6c1753e39/css/main.css. If you request 
 domain.com/assets/ctx/f10407a6c1753e39/, a list containing all the files 
 inside the webapp root is shown. It gives you the hint at downloading any 
 file you want, including anything inside WEB-INF and assets that should be 
 protected by ResourceDigestGenerator.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
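
The check order described in the "Securing Assets" text of the TAP5-815 commits above (regular expressions first, then an exact-match whitelist, everything else denied), written out as an added example. It is not code from the Tapestry project: the class, the method names, the path normalisation step and the sample patterns and paths are all assumptions made for illustration.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

// Added example. Class, methods and sample values are hypothetical; this is not Tapestry's API.
public class AssetAccessExample {

    enum Decision { ALLOW, DENY }

    // Constructed contributions (assumptions, not Tapestry's shipped defaults).
    static final List<Pattern> REGEX_ALLOW = List.of(
            Pattern.compile("org/apache/tapestry5/.*\\.(css|js|png|gif|jpe?g)"));
    static final Set<String> WHITELIST = Set.of("com/example/app/images/logo.png");

    // Collapse empty and "." segments; refuse any ".." segment instead of resolving it.
    static String normalize(String raw) {
        if (raw == null) return null;
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : raw.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) return null;
            segments.addLast(seg);
        }
        return String.join("/", segments);
    }

    static Decision authorize(String requestedPath) {
        String path = normalize(requestedPath);
        if (path == null) return Decision.DENY;
        // Step 1: regular expressions. matches() must cover the whole path,
        // so a pattern cannot authorize a path by matching only a fragment of it.
        for (Pattern p : REGEX_ALLOW) {
            if (p.matcher(path).matches()) return Decision.ALLOW;
        }
        // Step 2: exact-match whitelist for paths no pattern covered.
        if (WHITELIST.contains(path)) return Decision.ALLOW;
        // Step 3: nothing allowed it, so deny. A directory path or a
        // configuration file has no entry and ends up here.
        return Decision.DENY;
    }

    public static void main(String[] args) {
        String[] samples = {   // constructed sample requests
            "org/apache/tapestry5/tapestry.js",
            "com/example/app/images/logo.png",
            "com/example/app/images/",
            "hibernate.cfg.xml",
            "WEB-INF/web.xml",
            "org/apache/tapestry5/../../hibernate.cfg.xml"
        };
        for (String s : samples) {
            System.out.println(authorize(s) + "  " + s);
        }
    }
}
```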



[jira] Created: (TAP5-922) Allow null in LinkImpl.addParameter

2009-11-09 Thread Angelo Chen (JIRA)
Allow null in LinkImpl.addParameter
---

 Key: TAP5-922
 URL: https://issues.apache.org/jira/browse/TAP5-922
 Project: Tapestry 5
  Issue Type: Bug
  Components: tapestry-core
Affects Versions: 5.1.0.5
Reporter: Angelo Chen
Priority: Minor


I have a query string that I need to append to a Link object. The query string 
is:

?gender=M&country=

 Link lnk = renderLinkSource.createPageRenderLink("SamplePage");

 lnk.addParameter("gender", "M");   // this works

 lnk.addParameter("country", null);  // this throws the exception below

The above line failed with:

 RequestExceptionHandler Unexpected runtime exception: Parameter value was null 
or contained only whitespace.

A null parameter should be valid in a URL; sometimes it is needed to have 
Google Analytics pick up the complete URL even if it is null.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.