svn commit: r895005 - in /websites/production/tapestry/content: assets.html cache/main.pageCache security-faq.html

Author: buildbot
Date: Tue Jan 21 20:20:49 2014
New Revision: 895005

Log:
Production update by buildbot for tapestry

Modified:
websites/production/tapestry/content/assets.html
websites/production/tapestry/content/cache/main.pageCache
websites/production/tapestry/content/security-faq.html

Modified: websites/production/tapestry/content/assets.html
==
--- websites/production/tapestry/content/assets.html (original)
+++ websites/production/tapestry/content/assets.html Tue Jan 21 20:20:49 2014
@@ -95,7 +95,7 @@
 Page: 
   
 
 
-Configuration
+Layout Component
 
 
 
@@ -104,7 +104,7 @@
 Page: 
   
 
 
-Layout Component
+JavaScript
 
 
 
@@ -113,7 +113,7 @@
 Page: 
   
 
 
-JavaScript
+CSS
 
 
 
@@ -122,7 +122,7 @@
 Page: 
   
 
 
-CSS
+Configuration
 
 
 
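Review bot: the "+Configuration" line at -122 puts back the title that the hunk at -95 took out, and across the four "Page:" entries the same titles (Configuration, Layout Component, JavaScript, CSS) are only rotated, so these hunks change assets.html without changing its content. If the related-pages list comes out of the export in no fixed order, sort it (for example by title) before publishing, so that a production update does not generate this churn and a real content change, such as the one at -160, stands out in the commit mail.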
@@ -160,91 +160,7 @@ private Asset style;
 The use of the ${...} syntax here 
is a symbol expansion (because it occurs in an annotation in Java 
code), rather than a template expansion (which occurs only in Tapestry 
template files).
 
 
-An override of the skin.root symbol would affect all references to the 
named asset.Localization of 
AssetsMain Article: LocalizationAssets are localized; Tapestry 
will search for a variation of the file appropriate to the effective locale for 
the request. In the previous example, a German user of the application may see 
a file named edit_de.png (if such a file exists).New Asset DomainsIf you wish to create new 
domains for assets, for example to allow assets to be stored on the file system 
or in a database, you may define a new http://tapestry.apache.org/current/apidocs/org/apache/tapestry5/services/AssetFactory.html";>AssetFactory
 and contribute it to the http://tapestry.apache.org/current/apidocs/org/apache/tapestry5/services/AssetSour
 ce.html">AssetSource service configuration.Asset URLsTapestry creates a new URL for assets 
(whether context or classpath). The URL is of the form 
/assets/version/folder/path.version:
 Application version number, defined by the 
tapestry.application-version symbol in your application module 
(normally AppModule.java). The default is a random hex 
number.folder: Identifies the library containing the 
asset, or "ctx" for a context asset, or "stack" (used when combining multiple 
JavaScript files into a single virtual asset).path: 
The path below the root package of the library to the specific asset 
file.Performance NotesAssets 
are expected to be entirely static (not changing while the application is 
deployed). This allows Tapestry to perform some important pe
 rformance optimizations.Tapestry GZIP compresses the content of all 
assets – if the asset is compressible, the client supports it, and you 
don't explicitly
 disable it.When Tapestry generates a URL for an asset, either on 
the classpath or from the context, the URL includes the application version 
number. Further, the asset will get a far future expires header, which 
will encourage the client browser to cache the asset.You should have an 
explicit application version number for any production application. Client 
browsers will aggressively cache downloaded assets; they will usually not even 
send a request to see if the asset has changed once the asset is downloaded the 
first time. Because of this it is very important that each new 
deployment of your application has a new version number, to force existing clients to re-download all 
assets.Asset SecurityBecause Tapestry 
directly exposes files on the classpath to the clients, some thought has gone 
into ensuring that malicious clients are not able to download assets that 
should not be visible to them.First off all, there's a package 
limitation: classpath assets are only visible if there's a http://tapestry.apache.org/current/apidocs/org/apache/tapestry5/services/LibraryMapping.html";>LibraryMapping
 for them, and the library mapping substitutes for the initial folders on the 
classpath. Since the most secure assets, things like 
hibernate.cfg.xml are located in the unnamed package, they are 
always off limits.But what about other files on the classpath? Imagine 
this scenario:Your Login page exposes a classpath asset, 
icon.png.A malicious client copies
  the URL, /assets/1.0.0/app/pages/icon.png,
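Review bot: the removed run starting at "An override of the skin.root symbol" is not layout only. It carries the Localization, New Asset Domains, Asset URLs, Performance Notes and Asset Security text, including the statements that classpath assets are visible only through a LibraryMapping and that files in the unnamed package, such as hibernate.cfg.xml, are off limits. The header shrinks 91 lines to 7 and the log says only "Production update by buildbot for tapestry", so please confirm that the replacement lines keep the Asset Security material or link to where it now lives (security-faq.html is modified in the same revision), and record that in the log message.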