[CONF] Apache Tapestry Security
Bob Harner edited the page:
Security
Comment: Reorganized the Security Framework Integration section
...
Tapestry provides several annotations and configuration settings that you can use toensure that all access to certain pages (or all pages) occurs only via the encrypted HTTPS protocol. SeeHTTPS for details.
Controlling Page Access
Wiki Markup
{float:right|background="" 1em}
*JumpStart Demo:*
[Protecting Pages|http://jumpstart.doublenegative.com.au/jumpstart/examples/infrastructure/protectingpages]
{float}
...
Security Framework Integration
Tapestry does not come with a built-in lock you into a specific authentication/authorization mechanism, to avoid lock-in to a specific implementation. There are various Java security frameworks available, but the main two Java-based open source security frameworks are Apache Shiro (earlier Instead, there are integration modules available for the more popular open source Java security frameworks, namely Apache Shiro (formerly JSecurity) and Spring Security (earlier formerly Acegi Security). Spring Security is the more popular of the two (because of Spring's popularity), whereas Shiro is widely regarded as the more flexible choice. There are well-maintained Tapestry integration projects for both of these frameworks,
Thetapestry-security
...
module (from Tynamo.org)
...
uses Apache Shiro
Thetapestry-spring-security
...
module uses Spring Security.
For tapestry-security (Shiro-based)Additional information:
Tynamo-federatedaccounts Facebook etc. 3rd party authentication provider integrations, building on Tapestry-security
For tapestry-spring-security
[CONF] Apache Tapestry Security FAQ
Bob Harner removed a comment from the page: Security FAQ Added security label Stop watching space Manage Notifications This message was sent by Atlassian Confluence 5.0.3, Team Collaboration Software
[CONF] Apache Tapestry Security FAQ
Bob Harner edited the page:
Security FAQ
Comment: Added Related Articles box
Wiki Markup
{scrollbar}
Security FAQ
Wiki Markup
{float:right|background=""
{contentbylabel:title=Related Articles|showLabels=false|showSpace=false|space=@self|labels=security}
{float}
The built-in PageCatalog and ServiceStatus pages are visible in my production application and I don't want them to be, what can I do?
...
Sometimes, in production, a firewall or proxy may make it look like the client web browser originates from localhost; in that situation, you may want to disable the logic that puts localhost onto the whitelist. This determination is made by the contributions to the ClientWhitelist service. Tapestry makes a contribution with id LocalhostOnly, which one of your modules can override:
Code Block
@Contribute(ClientWhitelist.class)
public static void turnOffLocalhostInProduction(OrderedConfigurationWhitelistAnalyzer configuration,
@Symbol(SymbolConstants.PRODUCTION_MODE) boolean productionMode) {
if (productionMode) { configuration.override(LocalhostOnly, null); }
}
...
View Online Like View Changes
[CONF] Apache Tapestry Security
Bob Harner edited the page:
Security
Comment: Added lots more information about Tapestry security features
Tapestry has a number of security features designed to harden your application against unwanted intrusion and denial of service.
Wiki Markup
{float:right|background=""
{contentbylabel:title=Related Articles|showLabels=false|showSpace=false|space=@self|labels=spring,security}
{float}
HTTPS-only Pages
Main Article: HTTPS
Tapestry provides several annotations and configuration settings that you can use toensure that all access to certain pages–or all pages–occurs only via the encrypted HTTPS protocol. SeeHTTPS for details.
Controlling Page Access
Wiki Markup
{float:right|background="" 1em}
*JumpStart Demo:*
[Protecting Pages|http://jumpstart.doublenegative.com.au/jumpstart/examples/infrastructure/protectingpages]
{float}
For simple access control needs, you can contribute aComponentRequestFilter with your custom logic that decides which pages should be accessed by which users.
For more advanced needs see the Security Framework Integration section below.
White-listed Pages
Pages whose component classes are annotated with@WhitelistAccessOnlywill only be displayed to users (clients) that are on thewhitelist. By default the whitelist consists only of clients whose fully-qualified domain name is localhost (or the IP address equivalent, 127.0.0.1 or 0:0:0:0:0:0:0:1),but you can customize this by contributing to the ClientWhitelist servicein your application's module class (usually AppModule.java):
Code Block
[CONF] Apache Tapestry Security FAQ
Bob Harner added a comment to the page: Security FAQ Added security label View Online Like Stop watching space Manage Notifications This message was sent by Atlassian Confluence 5.0.3, Team Collaboration Software
[CONF] Apache Tapestry Security FAQ
Security FAQ
Page added by Howard M. Lewis Ship
Frequently Asked Questions
Security FAQ
The built-in PageCatalog and ServiceStatus pages are visible in my production application and I don't want them to be, what can I do?
First off all, don't panic: these pages are marked with the @WhitelistAccessOnly annotation, which makes them invisible to clients that are not on the whitelist. Try accessing the page from a different workstation and you may find that the pages are not visible after all.
Sometimes, in production, a firewall or proxy may make it look like the client web browser originates from localhost; in that situation, you may want to disable the logic that puts localhost onto the whitelist. This determination is made by the contributions to the ClientWhitelist service. Tapestry makes a contribution with id "LocalhostOnly", which one of your modules can override:
@Contribute(ClientWhitelist.class)
public static void turnOffLocalhostInProduction(OrderedConfigurationWhitelistAnalyzer configuration, @Symbol(SymbolConstants.PRODUCTION_MODE) boolean productionMode) {
if (productionMode) { configuration.override("LocalhostOnly", null); }
}
Frequently Asked Questions
Change Notification Preferences
View Online
[CONF] Apache Tapestry Security
Security
Page edited by Kalle Korhonen
Changes (6)
Tapestry does not bundle integration with *Spring Security*. However, there is a 3rd-party module that you can use for Tapestry 5 or later:
Tapestry does not come with a built-in security implementation to avoid lock-in to a specific security framework. There are various Java security frameworks available, but the main two Java-based open source security frameworks are Apache Shiro (earlier JSecurity) and Spring Security (earlier Acegi Security). Spring Security is the more popular of the two (because of Springs popularity), whereas Shiro is widely regarded as the more flexible choice. There are well-maintained Tapestry integration projects for both of these frameworks, *[tapestry-security|http://tynamo.org/tapestry-security+guide]* for Apache Shiro (from Tynamo.org) and *[tapestry-spring-security|http://www.localhost.nu/java/tapestry-spring-security]* for Spring Security.
{float:right|background=""
...
{float}
* [http://www.localhost.nu/java/tapestry-spring-security/conf.html]
** For tapestry-security (Shiro-based)
* [Tynamo-federatedaccounts|http://tynamo.org/tynamo-federatedaccounts+guide] Facebook etc. 3rd party authentication provider integrations, building on Tapestry-security * For tapestry-spring-security ** [http://www.localhost.nu/java/tapestry-spring-security/conf.html]
To include OpenID with Spring Security in your application, see the following Wiki entry:
* ** [http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId]
Full Content
Tapestry does not come with a built-in security implementation to avoid lock-in to a specific security framework. There are various Java security frameworks available, but the main two Java-based open source security frameworks are Apache Shiro (earlier JSecurity) and Spring Security (earlier Acegi Security). Spring Security is the more popular of the two (because of Spring's popularity), whereas Shiro is widely regarded as the more flexible choice. There are well-maintained Tapestry integration projects for both of these frameworks, tapestry-security for Apache Shiro (from Tynamo.org) and tapestry-spring-security for Spring Security.
Related Articles
Page:
Security
Page:
Integrating with Spring Framework
For tapestry-security (Shiro-based)
Tynamo-federatedaccounts Facebook etc. 3rd party authentication provider integrations, building on Tapestry-security
For tapestry-spring-security
http://www.localhost.nu/java/tapestry-spring-security/conf.html
To include OpenID with Spring Security in your application, see the following Wiki entry:
http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId
Change Notification Preferences
View Online
|
View Changes
[CONF] Apache Tapestry Security
Security
Page edited by Kalle Korhonen
Changes (2)
...
{float}
** * For tapestry-security (Shiro-based)
* ** [Tynamo-federatedaccounts|http://tynamo.org/tynamo-federatedaccounts+guide] Facebook etc. 3rd party authentication provider integrations, building on Tapestry-security
* For tapestry-spring-security
...
Full Content
Tapestry does not come with a built-in security implementation to avoid lock-in to a specific security framework. There are various Java security frameworks available, but the main two Java-based open source security frameworks are Apache Shiro (earlier JSecurity) and Spring Security (earlier Acegi Security). Spring Security is the more popular of the two (because of Spring's popularity), whereas Shiro is widely regarded as the more flexible choice. There are well-maintained Tapestry integration projects for both of these frameworks, tapestry-security for Apache Shiro (from Tynamo.org) and tapestry-spring-security for Spring Security.
Related Articles
Page:
Integrating with Spring Framework
Page:
Security
For tapestry-security (Shiro-based)
Tynamo-federatedaccounts Facebook etc. 3rd party authentication provider integrations, building on Tapestry-security
For tapestry-spring-security
http://www.localhost.nu/java/tapestry-spring-security/conf.html
To include OpenID with Spring Security in your application, see the following Wiki entry:
http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId
Change Notification Preferences
View Online
|
View Changes
[CONF] Apache Tapestry Security
Security Page edited by Kalle Korhonen Changes (3) ... * For tapestry-security (Shiro-based) ** * [Tynamo-federatedaccounts|http://tynamo.org/tynamo-federatedaccounts+guide] Facebook etc. 3rd party authentication provider integrations, building on Tapestry-security * For tapestry-spring-security ** * [http://www.localhost.nu/java/tapestry-spring-security/conf.html] To include OpenID with Spring Security in your application, see the following Wiki entry: ** * [http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId] Full Content Tapestry does not come with a built-in security implementation to avoid lock-in to a specific security framework. There are various Java security frameworks available, but the main two Java-based open source security frameworks are Apache Shiro (earlier JSecurity) and Spring Security (earlier Acegi Security). Spring Security is the more popular of the two (because of Spring's popularity), whereas Shiro is widely regarded as the more flexible choice. There are well-maintained Tapestry integration projects for both of these frameworks, tapestry-security for Apache Shiro (from Tynamo.org) and tapestry-spring-security for Spring Security. Related Articles Page: Integrating with Spring Framework Page: Security For tapestry-security (Shiro-based) Tynamo-federatedaccounts Facebook etc. 3rd party authentication provider integrations, building on Tapestry-security For tapestry-spring-security http://www.localhost.nu/java/tapestry-spring-security/conf.html To include OpenID with Spring Security in your application, see the following Wiki entry: http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId Change Notification Preferences View Online | View Changes
[CONF] Apache Tapestry Security
Security Page moved by Kalle Korhonen From: Apache Tapestry Integrating with Spring Framework To: Apache Tapestry User Guide Children moved Change Notification Preferences View Online
[CONF] Apache Tapestry Security
Security Page edited by Kalle Korhonen Changes (3) ... * For tapestry-security (Shiro-based) * ** [Tynamo-federatedaccounts|http://tynamo.org/tynamo-federatedaccounts+guide] Facebook etc. 3rd party authentication provider integrations, building on Tapestry-security * For tapestry-spring-security * ** [http://www.localhost.nu/java/tapestry-spring-security/conf.html] To include OpenID with Spring Security in your application, see the following Wiki entry: * ** [http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId] Full Content Tapestry does not come with a built-in security implementation to avoid lock-in to a specific security framework. There are various Java security frameworks available, but the main two Java-based open source security frameworks are Apache Shiro (earlier JSecurity) and Spring Security (earlier Acegi Security). Spring Security is the more popular of the two (because of Spring's popularity), whereas Shiro is widely regarded as the more flexible choice. There are well-maintained Tapestry integration projects for both of these frameworks, tapestry-security for Apache Shiro (from Tynamo.org) and tapestry-spring-security for Spring Security. Related Articles Page: Integrating with Spring Framework Page: Security For tapestry-security (Shiro-based) Tynamo-federatedaccounts Facebook etc. 3rd party authentication provider integrations, building on Tapestry-security For tapestry-spring-security http://www.localhost.nu/java/tapestry-spring-security/conf.html To include OpenID with Spring Security in your application, see the following Wiki entry: http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId Change Notification Preferences View Online | View Changes
[CONF] Apache Tapestry Security
Security
Page edited by Kalle Korhonen
Changes (5)
...
{float}
* For tapestry-security (Shiro-based)
** * [Tynamo-federatedaccounts|http://tynamo.org/tynamo-federatedaccounts+guide] Facebook etc. 3rd party authentication provider integrations, building on Tapestry-security
* For tapestry-spring-security
** * [http://www.localhost.nu/java/tapestry-spring-security/conf.html]
To include OpenID with Spring Security in your application, see the following Wiki entry:
** * [http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId]
Full Content
Tapestry does not come with a built-in security implementation to avoid lock-in to a specific security framework. There are various Java security frameworks available, but the main two Java-based open source security frameworks are Apache Shiro (earlier JSecurity) and Spring Security (earlier Acegi Security). Spring Security is the more popular of the two (because of Spring's popularity), whereas Shiro is widely regarded as the more flexible choice. There are well-maintained Tapestry integration projects for both of these frameworks, tapestry-security for Apache Shiro (from Tynamo.org) and tapestry-spring-security for Spring Security.
Related Articles
Page:
Integrating with Spring Framework
Page:
Security
For tapestry-security (Shiro-based)
Tynamo-federatedaccounts Facebook etc. 3rd party authentication provider integrations, building on Tapestry-security
For tapestry-spring-security
http://www.localhost.nu/java/tapestry-spring-security/conf.html
To include OpenID with Spring Security in your application, see the following Wiki entry:
http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId
Change Notification Preferences
View Online
|
View Changes
