T5: Advanced message configuration

2008-08-06 Thread Inge Solvoll
Hi!

My application stores localized messages in the database. It's a big
application, and each customer wants a lot of customization. So for every
framework we use, we need to plug into the message system to get what we
want. Every call to messages.get('validation-error-required') needs a
parameter for languageId/locale and customerId. And it must be retrieved
from the database, not from a resources file.

For Struts, I replaced the entire Struts message system with my own custom
tag.

For T4, I contributed my own service in hivemodule.xml. The entire
implementation is listed below if someone should find this
interesting/useful. I injected the servlet request, where user/customer info
is stored in the session, into my service, and did the DB-calls from there.

In T5, I'm looking for a similar solution. So far I have found the following
interesting places in TapestryModule; does anyone feel like pointing me in
the right direction?

  public ComponentMessagesSource buildComponentMessagesSource
  public void contributeValidationMessagesSource(Configuration configuration)
  public ValidationMessagesSource buildValidationMessagesSource



T4 custom messages implementation:

Used to provide components (including pages) with access to
their own localized messages.

// File: ComponentMessagesSourceImpl.java
import javax.servlet.http.HttpServletRequest;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hivemind.Messages;
import org.apache.tapestry.IComponent;
import org.apache.tapestry.services.ComponentMessagesSource;

// Replaces Tapestry 4's built-in ComponentMessagesSource. Every component
// (and page) gets a Messages wrapper that resolves keys through the
// application's own Lang helper (not included in the post), which reads
// the user's locale and customer id from the request/session and fetches
// the message from the database.
public class ComponentMessagesSourceImpl implements ComponentMessagesSource
{
  static Log log = LogFactory.getLog(ComponentMessagesSourceImpl.class);
  private HttpServletRequest request;

  // Injected by HiveMind from the service contribution in hivemodule.xml.
  public void setRequest(HttpServletRequest request) {
    this.request = request;
  }

  public Messages getMessages(IComponent component) {
    return new MessagesTapestryWrapper(request);
  }
}

// File: MessagesTapestryWrapper.java
import javax.servlet.http.HttpServletRequest;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hivemind.Messages;

// Messages implementation backed by the database lookup in Lang.
public class MessagesTapestryWrapper implements Messages
{
  static Log log = LogFactory.getLog(MessagesTapestryWrapper.class);
  private HttpServletRequest request;

  public MessagesTapestryWrapper(HttpServletRequest request) {
    this.request = request;
  }

  // The fixed-arity format variants all delegate to the Object[] one.
  public String format(String key, Object arg0) {
    Object[] args = { arg0 };
    return format(key, args);
  }

  public String format(String key, Object arg0, Object arg1) {
    Object[] args = { arg0, arg1 };
    return format(key, args);
  }

  public String format(String key, Object arg0, Object arg1, Object arg2) {
    Object[] args = { arg0, arg1, arg2 };
    return format(key, args);
  }

  public String format(String key, Object[] args) {
    return Lang.get(request, key, args);
  }

  public String getMessage(String key) {
    return Lang.get(request, key);
  }
}


Re: Tapestry 4.1 app

2008-08-06 Thread Loïc Talbot
Hi Paul,
I've tried it and found that the button label was not changed to "save" when
you edit a transaction (ok, so poor remark for such a work, sorry) :-)
I have used tapestry 4.1.2 for a while and one of the main requirements was
to have a sortable grid where you could also select which row to delete
within the table.
In your transaction list page, is it a big issue?
May I know what you used for the security layer? acegi, servlet-filter?
Loïc

2008/8/7 Paul Stanton <[EMAIL PROTECTED]>

> http://www.gunnsoft.com.au:8080/Budget/
>
> I've been working on this for a while, and feel it's nearing stability.
> Feel free to have a play around. It's free.
>
> Paul.
>
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>


Re: T5: How to protect against 'Cross-site request forgery'?

2008-08-06 Thread 9902468

Thank you!

This is something I can use and extend.

 - 99


Martijn Brinkers (List)-2 wrote:
> 
> I have added a howto
> 
> http://wiki.apache.org/tapestry/Tapestry5CSRF
> 
> Martijn 
> 
> On Wed, 2008-08-06 at 00:13 -0700, 9902468 wrote:
>> Hi,
>> 
>> CSRF solution could be the base for the solution to my problem, described
>> here: 
>> 
>> http://www.nabble.com/T5-double-click---multiple-windows-on-same-session-prevention-to18807447.html
>> 
>> Could you post the code? I think that I need only to customize it so that
>> it
>> changes the sid to every response and accepts only request with the
>> latest
>> one.
>> 
>> I'm also interested of the mixin(s) code. (Or the custom action link /
>> form
>> implementation if that approach was chosen.)
>> 
>>  - 99
>> 
>> 
>> Martijn Brinkers (List)-2 wrote:
>> > 
>> >> Also, the internal LinkFactory service has listeners that know when an
>> >> action link is created; it might be possible to automatically add a
>> >> query parameter to every link with authentication, and then provided
>> >> filters in the ComponentEventRequestHandler pipeline to enforce the
>> >> check.
>> > 
>> > I finally had time to implement the 'Cross-site request forgery' filter
>> > in the way suggested by Howard and it was really simple and
>> > straightforward (which shows me again why I think Tapestry is extremely
>> > well built). All action links now contain a sid (randomly generated for
>> > each user) and the sid is checked using a ComponentEventRequestFilter.
>> > The only possible problem (which was not a problem for me though) could
>> > be that the action links now contain an extra parameter
>> > (example: ?sid=enn50tk96) which wasn't there before the filter was
>> > added. This can interfere with existing code. I was wondering whether
>> it
>> > would be possible to remove the sid attribute after checking the sid so
>> > the rest of the application has no knowledge of the sid?
>> > 
>> > Martijn
>> > 
>> > 
>> > On Mon, 2008-07-28 at 12:27 -0700, Howard Lewis Ship wrote:
>> >> I wonder if this could be created as a Mixin?
>> >> 
>> >> Also, the internal LinkFactory service has listeners that know when an
>> >> action link is created; it might be possible to automatically add a
>> >> query parameter to every link with authentication, and then provided
>> >> filters in the ComponentEventRequestHandler pipeline to enforce the
>> >> check.
>> >> 
>> >> On Mon, Jul 28, 2008 at 12:24 PM, Martijn Brinkers (List)
>> >> <[EMAIL PROTECTED]> wrote:
>> >> > Hi Christian,
>> >> >
>> >> > Do you have some example code of you Form extension?
>> >> >
>> >> > Thanks,
>> >> >
>> >> > Martijn
>> >> >
>> >> > On Mon, 2008-07-28 at 15:18 -0400, Christian Edward Gruber wrote:
>> >> >> A good way would be to alter the Form object to contain (via a
>> hidden
>> >> >> variable) a field that's generated per the whitepaper linked from
>> that
>> >> >> wikipedia article.  The form would then consume the post, and if
>> that
>> >> >> field is not in the expected state, generate an error state, which
>> >> >> could then be redirected to a security page or some such.  We
>> solved
>> >> >> it this way, though without changing the T5 form object - we used a
>> >> >> custom form object.
>> >> >>
>> >> >> A friend of mine wrote the linked whitepaper, so if someone's
>> trying
>> >> >> to put the fix into the Tapestry framework infrastructure, then let
>> me
>> >> >> know and I'll connect you by e-mail.  It's a good read anyway, as
>> it's
>> >> >> a bit of a subtle problem.
>> >> >>
>> >> >> Christian.
>> >> >>
>> >> >> On 28-Jul-08, at 14:50 , Martijn Brinkers (List) wrote:
>> >> >>
>> >> >> > Cross-site request forgeries (CSRF) is a web application
>> >> vulnerability
>> >> >> > that is often neglected by web developers. If your application is
>> >> >> > vulnerable to CSRF and an attacker can entice you to request some
>> >> URL
>> >> >> > (this can be done for example with an image with the src set to
>> some
>> >> >> > Tapestry action) the attacker can execute random Tapestry actions
>> >> and
>> >> >> > post forms (like adding an administrator etc.) without the user's
>> >> >> > consent.
>> >> >> > For more info on CSRF see for example:
>> >> >> > http://en.wikipedia.org/wiki/Cross-site_request_forgery.
>> >> >> > One way to protect against CSRF is to add a non-guessable code
>> >> >> > (saved in
>> >> >> > the user session) to the URLs that need to be protected against
>> CSRF
>> >> >> > or
>> >> >> > add a hidden field to a Form with this unique code. When Tapestry
>> >> >> > received a request (for a page or action) and that page/action
>> need
>> >> >> > protection a check is done to see if the code from the URL
>> matches
>> >> the
>> >> >> > code stored in the user session. If not, you know that the request
>> >> >> > was not generated by Tapestry.
>> >> >> >
>> >> >> > My question is what is the best way to implement this? Should I
>> add
>> >> >> > the
>> >> >> > code as a context parameter and fo

Re: T5: How to protect against 'Cross-site request forgery'?

2008-08-06 Thread 9902468

I read the document and it is good.

I wasn't referring to non-cryptographic tokens, just to the fact that the
whole token doesn't have to be generated every request, just the request
unique part. Imagine whatever token that you would use: I would just
concatenate the unique request part to it. That doesn't make it any easier
to guess. 

In my model the malicious user would have to guess the token AND the request
unique part.

And no starting point is needed, if all my pages happen to inherit from a
page that triggers the creation of session and the token, if needed. (Or the
framework could do it automatically.)

Direct linking in our software is non-issue in secured parts.

Is there such thing as overkill when implementing security? I personally
would like to see the possibility to toggle it on (Application wide.) by
default and explicitly toggle it off (Link/Form/Page) where I want direct
linking etc. to work. The framework default should be off (Application wide.),
unless explicitly set on where needed (Link/Form/Page).

 -99


Christian Edward Gruber-2 wrote:
> 
> Incidentally, on Java get and post are the same, unless someone  
> implements the servlet and overrides post and get.  At present, get  
> and post both direct to the same method.  That's bad.  But I'm not  
> saying "trust post", I'm saying that get is worse than post, except  
> that the above turns them both into the same thing.
> 
> Anyway, the article I was referring to (which describes some of the  
> issues involved with fixing it) is:
> http://www.isecpartners.com/documents/XSRF_Paper.pdf
> 
> The issue with xsrf has to do with application design and actions.   
> Navigation itself is not an issue, but actions that do something.
> 
> As to the issue of using non-cryptographic tokens, it's insane.   
> Timing/guessing is the root of most exploits and the way to defeat  
> XSRF is to ensure that the "action formulator" and the "action  
> receiver" both agree on the number, and that an intervening party that  
> replays the action can't guess the new number.  If you're incrementing  
> or decrementing on the first number, an attacker only has to try an  
> increment likely to be too high, then repeat it until the increment  
> count reaches his selected number.
> 
> Anyway, I'm not saying don't do it on every single post, it's just  
> that it's overkill, overcomplicates urls (because you have to use it  
> on URLs sometimes), and you need to be able to turn it off where it's  
> not needed anyway, because new sessions won't have a number, so you  
> need a starting point where it's turned on.  Now maybe that point is a  
> redirect to an entry point that's known, but that means you can't, by  
> definition, have direct linking to anything in the application.   
> Anyway, please read this paper - the solutions are good, and the  
> framework can enable the solution, but can't solve it for you.
> 
> Christian.
> 
> On 6-Aug-08, at 09:29 , 9902468 wrote:
> 
>>
>> I don't think that people should trust post anymore than get.  
>> Period. They
>> should both be regarded as dangerous.
>>
>> The second issue of placing too much load on server is valid, but  
>> can be
>> lowered as the unique request part in the token can be achieved  
>> using a
>> running number on the generated token, not to generate the whole  
>> token for
>> every request. Granted that user can guess the number easily, but  
>> there
>> really is no harm if user alters the number or the token, then it just
>> doesn't match. (Same as your model but the running number added.)  
>> This does
>> add some performance penalty, but I believe that it is acceptable.
>>
>> The point that really critical things should always be confirmed via
>> non-computer way is good, but sometimes unacceptable. Then one must  
>> settle
>> to what can be done.
>>
>> You said "Blanket solutions don't make you secure if they're knee- 
>> jerk.".
>> And I agree. But "...applying broad strokes isn't a good model of  
>> security,
>> in my view." is not right in this context in my opinion. Is there  
>> harm done
>> if token is used in every request (performance questions ignored)?
>>
>> This solution is not the save-everything by all means, just one tool  
>> in our
>> box.
>>
>> - 99
>>
>> Ps. I agree that the capability to have a secure request key be  
>> built into
>> ActionLink, Page, and Form is enough. (Although there could be  
>> configuration
>> symbol which configures the default, thus enabling the default to be  
>> on or
>> off and then developer could override that if needed.)
>>
>>
>> Christian Edward Gruber-2 wrote:
>>>
>>> Ok, people should read the whitepaper.  Part of it describes how http
>>> gets and using query parameters are somewhat easier to do request
>>> forging on than posts.  I have to think through the filter approach,
>>> but the big deal is on forms.  However, several app design principles
>>> also apply - in particular, ensuring that there are no changes that
>>> one ca

Re: T5: How to protect against 'Cross-site request forgery'?

2008-08-06 Thread Christian Edward Gruber
Incidentally, on Java get and post are the same, unless someone  
implements the servlet and overrides post and get.  At present, get  
and post both direct to the same method.  That's bad.  But I'm not  
saying "trust post", I'm saying that get is worse than post, except  
that the above turns them both into the same thing.


Anyway, the article I was referring to (which describes some of the  
issues involved with fixing it) is: http://www.isecpartners.com/documents/XSRF_Paper.pdf


The issue with xsrf has to do with application design and actions.   
Navigation itself is not an issue, but actions that do something.


As to the issue of using non-cryptographic tokens, it's insane.   
Timing/guessing is the root of most exploits and the way to defeat  
XSRF is to ensure that the "action formulator" and the "action  
receiver" both agree on the number, and that an intervening party that  
replays the action can't guess the new number.  If you're incrementing  
or decrementing on the first number, an attacker only has to try an  
increment likely to be too high, then repeat it until the increment  
count reaches his selected number.


Anyway, I'm not saying don't do it on every single post, it's just  
that it's overkill, overcomplicates urls (because you have to use it  
on URLs sometimes), and you need to be able to turn it off where it's  
not needed anyway, because new sessions won't have a number, so you  
need a starting point where it's turned on.  Now maybe that point is a  
redirect to an entry point that's known, but that means you can't, by  
definition, have direct linking to anything in the application.   
Anyway, please read this paper - the solutions are good, and the  
framework can enable the solution, but can't solve it for you.


Christian.

On 6-Aug-08, at 09:29 , 9902468 wrote:

> I don't think that people should trust post anymore than get. Period. They
> should both be regarded as dangerous.
>
> The second issue of placing too much load on server is valid, but can be
> lowered as the unique request part in the token can be achieved using a
> running number on the generated token, not to generate the whole token for
> every request. Granted that user can guess the number easily, but there
> really is no harm if user alters the number or the token, then it just
> doesn't match. (Same as your model but the running number added.) This does
> add some performance penalty, but I believe that it is acceptable.
>
> The point that really critical things should always be confirmed via
> non-computer way is good, but sometimes unacceptable. Then one must settle
> to what can be done.
>
> You said "Blanket solutions don't make you secure if they're knee-jerk.".
> And I agree. But "...applying broad strokes isn't a good model of security,
> in my view." is not right in this context in my opinion. Is there harm done
> if token is used in every request (performance questions ignored)?
>
> This solution is not the save-everything by all means, just one tool in our
> box.
>
> - 99
>
> Ps. I agree that the capability to have a secure request key be built into
> ActionLink, Page, and Form is enough. (Although there could be configuration
> symbol which configures the default, thus enabling the default to be on or
> off and then developer could override that if needed.)
>
>
> Christian Edward Gruber-2 wrote:
>>
>> Ok, people should read the whitepaper.  Part of it describes how http
>> gets and using query parameters are somewhat easier to do request
>> forging on than posts.  I have to think through the filter approach,
>> but the big deal is on forms.  However, several app design principles
>> also apply - in particular, ensuring that there are no changes that
>> one can make, if one were forged, that don't include notification that
>> the change was made to the original e-mail address of the user.
>>
>> The classic example is on a bank site.  If I can forge a request to
>> change the notification e-mail, then I can set my own e-mail as the new
>> notification source.  THEN I can do all sorts of things, including ask
>> for a password reset and get them to my own address, and take over the
>> account.  If, however, such underlying account changes require a phone
>> call, or are protected from forgery, then you dramatically limit the
>> danger of the forgery.
>>
>> The reason I'd not enable this on every single request (especially
>> navigation alone) is that generating a cryptographically valid request
>> key and storing it puts a pretty high burden on a server with any
>> serious load, and having this happen on any and every click can be
>> quite expensive.   The only caveat I'd make to that is the fact that
>> T5 uses some parameterization via the URL, and if those parameters are
>> worth forging, then having the solution implemented on clicks as well
>> would be critical.
>>
>> Blanket solutions don't make you secure if they're knee-jerk.  You
>> still have to do threat modelling, and incorporate it into the app
>> design.   I'd much rather see the capability to have a secure request
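The mechanism Martijn describes earlier in this thread (a random, per-user sid appended to every action link and checked by a filter in front of the event handler, with the wish to strip it before the rest of the application sees it) and Christian's point above about guessable counters, worked through as an added Python example. This is not Tapestry code and not code posted by anyone on the thread; the parameter name sid comes from the thread, while the Session class, the sample URL, the echo handler and the function names are constructed stand-ins for the servlet session and the ComponentEventRequestHandler pipeline.

```python
"""
CSRF protection in the shape the thread describes: a random per-session
token ("sid") is attached to every action link as a query parameter and to
every form as a hidden field, and a filter in front of the event handler
rejects any request whose sid does not match the one held in the session.
Added example; not Tapestry code and not code from anyone on the thread.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SID_PARAM = "sid"  # parameter name used on the list


class Session(dict):
    """Constructed stand-in for the servlet HttpSession: a plain dict."""


def get_or_create_sid(session):
    """Return the session's token, creating it on first use.

    128 bits from the OS CSPRNG. This is what makes the check meaningful:
    a running number (Christian's objection) gives a forger a small,
    ordered search space; a random token does not.
    """
    if SID_PARAM not in session:
        session[SID_PARAM] = secrets.token_urlsafe(16)
    return session[SID_PARAM]


def add_sid_to_link(url, session):
    """What a link-creation listener would do: append ?sid=... to the URL."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query[SID_PARAM] = [get_or_create_sid(session)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query, doseq=True), parts.fragment))


def hidden_field(session):
    """Hidden input a form would render so POSTs carry the same token."""
    return '<input type="hidden" name="%s" value="%s">' % (
        SID_PARAM, get_or_create_sid(session))


def csrf_filter(session, params, next_handler):
    """Filter in front of the event handler (the ComponentEventRequestFilter
    role on the list). `params` is the parsed query/form data, a dict of
    name -> list of values, as parse_qs returns it.

    Verifies the sid, strips it, and only then calls the next handler, so
    the rest of the application never sees the sid (Martijn's question
    about removing the attribute after the check).
    """
    presented = params.get(SID_PARAM, [None])[0]
    expected = session.get(SID_PARAM)
    if expected is None or presented is None:
        return 403, "missing CSRF token"
    # Constant-time comparison; a plain == leaks timing on the first bad byte.
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return 403, "CSRF token mismatch"
    cleaned = {k: v for k, v in params.items() if k != SID_PARAM}
    return next_handler(cleaned)


def demo():
    """Run a legitimate request and a forged one through the filter."""
    session = Session()
    link = add_sid_to_link("/app/account:delete/42", session)  # constructed URL
    handler = lambda p: (200, p)  # echoes what the filter passes on
    # The browser follows the link the server rendered: sid present and correct.
    ok = csrf_filter(session, parse_qs(urlsplit(link).query), handler)
    # A request triggered from another site (an <img src>, as the thread
    # describes) cannot include the session's sid, so it is rejected.
    forged = csrf_filter(session, {"id": ["42"]}, handler)
    return ok, forged


if __name__ == "__main__":
    print(demo())
```

The same csrf_filter serves form posts: the hidden field from hidden_field() arrives in the parsed form data under the same name, so the check and the stripping are identical for links and forms. The token is created once per session rather than per request, which is the cheap option Christian and 99 were weighing; what must not be cheap is the token's randomness.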

Extra parameter in Grid Sort

2008-08-06 Thread tapestry5

I am using " component.
I also have Grid Sort feature in that. 

Now I need to pass some extra parameters in those Grid Sort links.
When I view the source of the sort link I see 
../../../testreportdisp.grid.columns:sort/name Name 

I want to add two more parameters in that URL. Something like this: 
../../../testreportdisp.grid.columns:sort/name/user/role Name 

And further, I also want to read those parameters.

Is there any way I can do that?

I am using Tapestry 5.0.13
-- 
View this message in context: 
http://www.nabble.com/Extra-paramer-in-Grid-Sort-tp18863499p18863499.html
Sent from the Tapestry - User mailing list archive at Nabble.com.





Tapestry 4.1 app

2008-08-06 Thread Paul Stanton

http://www.gunnsoft.com.au:8080/Budget/

I've been working on this for a while, and feel it's nearing stability. 
Feel free to have a play around. It's free.


Paul.





Re: [T5]

2008-08-06 Thread Howard Lewis Ship
This is really dependent on your IDE.  The .tml files are NOT
compiled; but in IntelliJ you have to make sure that changes to them
are copied to the right folder (there are options for this in the
Jetty launch configuration screen).

On Wed, Aug 6, 2008 at 12:53 PM, kace <[EMAIL PROTECTED]> wrote:
>
> Hi fellas,
>
> Do you have to compile .tml files if you want the changes to be picked up by
> jetty?
>
> I know you have to for the java classes but I find that I don't have to
> compile my Index.tml file which is located under /webapp/Index.tml for the
> changes to be picked up but I do for the Layout.tml file which is located
> under /java/../components/
>
> If I move the .tml files to src/main/resources/../components I still have to
> compile and moving them to the same location as my Index.tml results in the
> Index.tml file not picking up the layout and css configuration from
> Layout.tml
>
> Do I keep them in the same location as the java files and compile them
> whenever I introduce a change? or is there something I can do here?
>
> Thanks
>
> ..kace
>
> --
> View this message in context: 
> http://www.nabble.com/-T5--tp18858355p18858355.html
> Sent from the Tapestry - User mailing list archive at Nabble.com.
>
>
>
>



-- 
Howard M. Lewis Ship

Creator Apache Tapestry and Apache HiveMind




Re: T5: Event handler and @InjectPage seems not to work

2008-08-06 Thread Martijn Brinkers (List)
I found my (stupid) mistake. I had a @Property and a setter so the
setter was not called.

martijn 

On Wed, 2008-08-06 at 13:54 -0700, Martijn Brinkers (List) wrote:
> I have a page that contains an event handler for an event from an
> embedded component. From the event handler I would like to request
> another page and with some value 'injected' (using a setter).
> 
> Pseudocode:
> 
> @InjectPage
> SomePage downloadPage;
> 
> @OnEvent(component="component", value="someEvent")
> protected Object downloadSelected() 
> {
>   // values is a set of string
>   downloadPage.setValues(values);
> 
>   return downloadPage;
> }
> 
> The event itself is triggered by the embedded component using
> "triggerEvent" with a ComponentEventCallback. The result from
> downloadSelected (that is the downloadPage instance) is returned from
> the embedded component event handler.
> 
> The strange thing is that the downloadSelected page is shown but the
> value that was set by setValues is lost. Also if I set a breakpoint on
> setValues it seems that it was not called. The Eclipse debugger also
> reports that downloadPage "cannot be resolved".
> 
> Any idea what's going on? 
> 
> Martijn
> 
> PS. I use the (not yet released) Tapestry 5.0.14





T5: Event handler and @InjectPage seems not to work

2008-08-06 Thread Martijn Brinkers (List)
I have a page that contains an event handler for an event from an
embedded component. From the event handler I would like to request
another page and with some value 'injected' (using a setter).

Pseudocode:

@InjectPage
SomePage downloadPage;

@OnEvent(component="component", value="someEvent")
protected Object downloadSelected() 
{
  // values is a set of string
  downloadPage.setValues(values);

  return downloadPage;
}

The event itself is triggered by the embedded component using
"triggerEvent" with a ComponentEventCallback. The result from
downloadSelected (that is the downloadPage instance) is returned from
the embedded component event handler.

The strange thing is that the downloadSelected page is shown but the
value that was set by setValues is lost. Also if I set a breakpoint on
setValues it seems that it was not called. The Eclipse debugger also
reports that downloadPage "cannot be resolved".

Any idea what's going on? 

Martijn

PS. I use the (not yet released) Tapestry 5.0.14





[T5]

2008-08-06 Thread kace

Hi fellas, 

Do you have to compile .tml files if you want the changes to be picked up by
jetty?  

I know you have to for the java classes but I find that I don't have to
compile my Index.tml file which is located under /webapp/Index.tml for the
changes to be picked up but I do for the Layout.tml file which is located
under /java/../components/

If I move the .tml files to src/main/resources/../components I still have to
compile and moving them to the same location as my Index.tml results in the
Index.tml file not picking up the layout and css configuration from
Layout.tml

Do I keep them in the same location as the java files and compile them
whenever I introduce a change? or is there something I can do here?

Thanks

..kace

-- 
View this message in context: 
http://www.nabble.com/-T5--tp18858355p18858355.html
Sent from the Tapestry - User mailing list archive at Nabble.com.





Re: T5: pagelink

2008-08-06 Thread tapestry5


It seems that my production application server is running behind an HTTP
server.





Daniel Jue wrote:
> 
> You could also change the default HTTPS port in your app server
> configuration, and then you don't have to worry about modifying the
> URIs.  The default is of course 443.
> 
> "The https:// protocol can be used in exactly the same way as the
> http:// protocol.
> The differences are that HTTPS uses a default port number of 443 (80
> for HTTP) and that
> HTTPS automatically performs SSL negotiation and thus always sends
> data in encrypted form,
> i.e. web servers accessed through https:// have to be "secure web
> servers"."
> 
> For me, my development is always HTTP, and the deployed is always
> using HTTPS (for everything)
> So in the module that contributes these settings (for most people
> that's the AppModule), I look up a value stored in the local JNDI
> which tells me if I should use https or not
> 
> public void contributeMetaDataLocator(MappedConfiguration
> configuration)
> {
>   if(thisIsDeploymentServer())
>   {
> configuration.put(TapestryConstants.SECURE_PAGE, "true");
>   }
> }
> 
> On Tue, Aug 5, 2008 at 11:35 PM, tapestry5 <[EMAIL PROTECTED]> wrote:
>>
>> I have the same issue. I tried using it.
>> It won't open the landing page. In fact if I don't put @Secure and also
>> do not contribute it opens the landing page as https and further the links
>> were http.
>>
>> Even if i make it work but still contributeAlias is good for testing but
>> not
>> for production.
>>
>> Is there any other way to get https and not http.
>>
>> As my page can be used for http and https. So if I put @Secure then it
>> won't
>> work for any http call.
>>
>>
>>
>> 9902468 wrote:
>> >
>> > Hi,
>> >
>> > Use @Secure annotation and add this to your appmodule: (Also use
>> whatever
>> > ports you wish.)
>> >
>> > public void contributeAlias(Configuration
>> > configuration)
>> > {
>> > BaseURLSource source = new BaseURLSource()
>> > {
>> > public String getBaseURL(boolean secure)
>> > {
>> > String protocol = secure ? "https" : "http";
>> >
>> > int port = secure ? 443 : 80;
>> >
>> > if(port == 80 || port == 443){
>> > return String.format("%s://localhost", protocol);
>> > }
>> >
>> > return String.format("%s://localhost:%d", protocol,
>> port);
>> > }
>> > };
>> >
>> > configuration.add(AliasContribution.create(BaseURLSource.class,
>> > source));
>> > }
>> >
>> >
>> >
>> > Argo Vilberg wrote:
>> >>
>> >> hi,
>> >>
>> >>
>> >> I want use pagelink with port 8443 and https protocol.
>> >>
>> >> If i use:
>> >> 
>> >> ${currentRole.roleName}
>> >> 
>> >>
>> >> then tapestry generate
>> >> http://localhost/app/start/4
>> >>
>> >>
>> >> But i want
>> >> https://localhost:8443/app/start4
>> >>
>> >>
>> >> Argo
>> >>
>> >>
>> >
>> >
>>
>> --
>> View this message in context:
>> http://www.nabble.com/T5%3A-pagelink-tp18796163p18843725.html
>> Sent from the Tapestry - User mailing list archive at Nabble.com.
>>
>>
>>
> 
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/T5%3A-pagelink-tp18796163p18857720.html
Sent from the Tapestry - User mailing list archive at Nabble.com.





Re: T5: Problem with assets

2008-08-06 Thread Inge Solvoll
I have both T4 and T5 in my app. T4 assets were mapped to /asset...

Thanks again for very valuable help!

I should probably post a list of potential problems when running both T4 and
T5 :)

On Wed, Aug 6, 2008 at 6:38 PM, Josh Canfield <[EMAIL PROTECTED]> wrote:

> Hi,
>
> So, you are trying to load the T5 stylesheet/javascript resources from the
> T4 AssetService? Is that intentional?
> What is the url that is generated for those errors? Is it possible that
> it's
> getting directed to your T4 app instead of T5?
>
> The path /5.0.13/default.css seems odd to me, but I'm still using 5.0.11 so
> maybe something has changed.
>
> Perhaps some more code/context would help understanding the problem.
>
> Josh
>
> On Wed, Aug 6, 2008 at 2:14 AM, Inge Solvoll <[EMAIL PROTECTED]
> >wrote:
>
> > Hi!
> >
> > I'm having trouble with the default assets, default.css, tapestry.js and
> so
> > on. The same error message applies to all of them:
> >
> > Failure to export classpath resource /5.0.13/tapestry.js.
> >
> >
> >  Session id: 62F38BA7F22A8AB2F6B3C1C42B3DE98D
> >
> > Exceptions:
> >
> > org.apache.hivemind.ApplicationRuntimeException: Classpath resource
> > '/5.0.13/tapestry.js' does not exist.
> >
> >
> org.apache.tapestry.asset.ResourceDigestSourceImpl.computeMD5(ResourceDigestSourceImpl.java:94)
> >
> >
> org.apache.tapestry.asset.ResourceDigestSourceImpl.getDigestForResource(ResourceDigestSourceImpl.java:62)
> >
> >
> $ResourceDigestSource_11b973490be.getDigestForResource($ResourceDigestSource_11b973490be.java)
> > org.apache.tapestry.asset.AssetService.service(AssetService.java:197)
> >
> >
> > Failure to export classpath resource /5.0.13/effects.js.
> >
> >
> >  Session id: 62F38BA7F22A8AB2F6B3C1C42B3DE98D
> >
> > Exceptions:
> >
> > org.apache.hivemind.ApplicationRuntimeException: Classpath resource
> > '/5.0.13/effects.js' does not exist.
> >
> >
> org.apache.tapestry.asset.ResourceDigestSourceImpl.computeMD5(ResourceDigestSourceImpl.java:94)
> >
> >
> org.apache.tapestry.asset.ResourceDigestSourceImpl.getDigestForResource(ResourceDigestSourceImpl.java:62)
> >
> >
> $ResourceDigestSource_11b973490be.getDigestForResource($ResourceDigestSource_11b973490be.java)
> > org.apache.tapestry.asset.AssetService.service(AssetService.java:197)
> >
> > Failure to export classpath resource /5.0.13/default.css.
> >
> >
> >  Session id: 62F38BA7F22A8AB2F6B3C1C42B3DE98D
> >
> > Exceptions:
> >
> > org.apache.hivemind.ApplicationRuntimeException: Classpath resource
> > '/5.0.13/default.css' does not exist.
> >
> >
> org.apache.tapestry.asset.ResourceDigestSourceImpl.computeMD5(ResourceDigestSourceImpl.java:94)
> >
> >
> org.apache.tapestry.asset.ResourceDigestSourceImpl.getDigestForResource(ResourceDigestSourceImpl.java:62)
> >
> >
> $ResourceDigestSource_11b973490be.getDigestForResource($ResourceDigestSource_11b973490be.java)
> > org.apache.tapestry.asset.AssetService.service(AssetService.java:197)
> > $IEngineService_11b973490b0.service($IEngineService_11b973490b0.java)
> >
>
>
>
> --
> --
> TheDailyTube.com. Sign up and get the best new videos on the internet
> delivered fresh to your inbox.
>


Re: T5: How to protect against 'Cross-site request forgery'?

2008-08-06 Thread Martijn Brinkers (List)
I have added a howto

http://wiki.apache.org/tapestry/Tapestry5CSRF

Martijn 

On Wed, 2008-08-06 at 00:13 -0700, 9902468 wrote:
> Hi,
> 
> CSRF solution could be the base for the solution to my problem, described
> here: 
> 
> http://www.nabble.com/T5-double-click---multiple-windows-on-same-session-prevention-to18807447.html
> 
> Could you post the code? I think that I need only to customize it so that it
> changes the sid to every response and accepts only request with the latest
> one.
> 
> I'm also interested in the mixin(s) code. (Or the custom action link / form
> implementation if that approach was chosen.)
> 
>  - 99
> 
> 
> Martijn Brinkers (List)-2 wrote:
> > 
> >> Also, the internal LinkFactory service has listeners that know when an
> >> action link is created; it might be possible to automatically add a
> >> query parameter to every link with authentication, and then provided
> >> filters in the ComponentEventRequestHandler pipeline to enforce the
> >> check.
> > 
> > I finally had time to implement the 'Cross-site request forgery' filter
> > in the way suggested by Howard and it was really simple and
> > straightforward (which shows me again why I think Tapestry is extremely
> > well built). All action links now contain a sid (random generated for
> > each user) and the sid is checked using a ComponentEventRequestFilter.
> > The only possible problem (which was not a problem for me though) could
> > be that the action links now contain an extra parameter
> > (example: ?sid=enn50tk96) which wasn't there before the filter was
> > added. This can interfere with existing code. I was wondering whether it
> > would be possible to remove the sid attribute after checking the sid so
> > the rest of the application has no knowledge of the sid?
> > 
> > Martijn
> > 
> > 
> > On Mon, 2008-07-28 at 12:27 -0700, Howard Lewis Ship wrote:
> >> I wonder if this could be created as a Mixin?
> >> 
> >> Also, the internal LinkFactory service has listeners that know when an
> >> action link is created; it might be possible to automatically add a
> >> query parameter to every link with authentication, and then provided
> >> filters in the ComponentEventRequestHandler pipeline to enforce the
> >> check.
> >> 
> >> On Mon, Jul 28, 2008 at 12:24 PM, Martijn Brinkers (List)
> >> <[EMAIL PROTECTED]> wrote:
> >> > Hi Christian,
> >> >
> >> > Do you have some example code of you Form extension?
> >> >
> >> > Thanks,
> >> >
> >> > Martijn
> >> >
> >> > On Mon, 2008-07-28 at 15:18 -0400, Christian Edward Gruber wrote:
> >> >> A good way would be to alter the Form object to contain (via a hidden
> >> >> variable) a field that's generated per the whitepaper linked from that
> >> >> wikipedia article.  The form would then consume the post, and if that
> >> >> field is not in the expected state, generate an error state, which
> >> >> could then be redirected to a security page or some such.  We solved
> >> >> it this way, though without changing the T5 form object - we used a
> >> >> custom form object.
> >> >>
> >> >> A friend of mine wrote the linked whitepaper, so if someone's trying
> >> >> to put the fix into the Tapestry framework infrastructure, then let me
> >> >> know and I'll connect you by e-mail.  It's a good read anyway, as it's
> >> >> a bit of a subtle problem.
> >> >>
> >> >> Christian.
> >> >>
> >> >> On 28-Jul-08, at 14:50 , Martijn Brinkers (List) wrote:
> >> >>
> >> >> > Cross-site request forgeries (CSRF) is a web application vulnerability
> >> >> > that is often neglected by web developers. If your application is
> >> >> > vulnerable to CSRF and an attacker can entice you to request some URL
> >> >> > (this can be done for example with an image with the src set to some
> >> >> > Tapestry action) the attacker can execute random Tapestry actions and
> >> >> > post forms (like adding an administrator etc.) without the user's
> >> >> > consent.
> >> >> > For more info on CSRF see for example:
> >> >> > http://en.wikipedia.org/wiki/Cross-site_request_forgery.
> >> >> > One way to protect against CSRF is to add a non-guessable code (saved in
> >> >> > the user session) to the URLs that need to be protected against CSRF or
> >> >> > add a hidden field to a Form with this unique code. When Tapestry
> >> >> > receives a request (for a page or action) and that page/action needs
> >> >> > protection a check is done to see if the code from the URL matches the
> >> >> > code stored in the user session. If not you know that the request was
> >> >> > not generated by Tapestry.
> >> >> >
> >> >> > My question is what is the best way to implement this? Should I add the
> >> >> > code as a context parameter and for forms as a hidden field? And use a
> >> >> > dispatcher to check whether the page should have been protected?
> >> >> >
> >> >> > Thanks,
> >> >> >
> >> >> > Martijn Brinkers
> >> >> >
> >> >> >
> >> >> >
> >> ---

Re: T5: Problem with assets

2008-08-06 Thread Josh Canfield
Hi,

So, you are trying to load the T5 stylesheet/javascript resources from the
T4 AssetService? Is that intentional?
What is the url that is generated for those errors? Is it possible that it's
getting directed to your T4 app instead of T5?

The path /5.0.13/default.css seems odd to me, but I'm still using 5.0.11 so
maybe something has changed.

Perhaps some more code/context would help understanding the problem.

Josh

On Wed, Aug 6, 2008 at 2:14 AM, Inge Solvoll <[EMAIL PROTECTED]>wrote:

> Hi!
>
> I'm having trouble with the default assets, default.css, tapestry.js and so
> on. The same error message applies to all of them:
>
> Failure to export classpath resource /5.0.13/tapestry.js.
>
>
>  Session id: 62F38BA7F22A8AB2F6B3C1C42B3DE98D
>
> Exceptions:
>
> org.apache.hivemind.ApplicationRuntimeException: Classpath resource
> '/5.0.13/tapestry.js' does not exist.
>
> org.apache.tapestry.asset.ResourceDigestSourceImpl.computeMD5(ResourceDigestSourceImpl.java:94)
>
> org.apache.tapestry.asset.ResourceDigestSourceImpl.getDigestForResource(ResourceDigestSourceImpl.java:62)
>
> $ResourceDigestSource_11b973490be.getDigestForResource($ResourceDigestSource_11b973490be.java)
> org.apache.tapestry.asset.AssetService.service(AssetService.java:197)
>
>
> Failure to export classpath resource /5.0.13/effects.js.
>
>
>  Session id: 62F38BA7F22A8AB2F6B3C1C42B3DE98D
>
> Exceptions:
>
> org.apache.hivemind.ApplicationRuntimeException: Classpath resource
> '/5.0.13/effects.js' does not exist.
>
> org.apache.tapestry.asset.ResourceDigestSourceImpl.computeMD5(ResourceDigestSourceImpl.java:94)
>
> org.apache.tapestry.asset.ResourceDigestSourceImpl.getDigestForResource(ResourceDigestSourceImpl.java:62)
>
> $ResourceDigestSource_11b973490be.getDigestForResource($ResourceDigestSource_11b973490be.java)
> org.apache.tapestry.asset.AssetService.service(AssetService.java:197)
>
> Failure to export classpath resource /5.0.13/default.css.
>
>
>  Session id: 62F38BA7F22A8AB2F6B3C1C42B3DE98D
>
> Exceptions:
>
> org.apache.hivemind.ApplicationRuntimeException: Classpath resource
> '/5.0.13/default.css' does not exist.
>
> org.apache.tapestry.asset.ResourceDigestSourceImpl.computeMD5(ResourceDigestSourceImpl.java:94)
>
> org.apache.tapestry.asset.ResourceDigestSourceImpl.getDigestForResource(ResourceDigestSourceImpl.java:62)
>
> $ResourceDigestSource_11b973490be.getDigestForResource($ResourceDigestSource_11b973490be.java)
> org.apache.tapestry.asset.AssetService.service(AssetService.java:197)
> $IEngineService_11b973490b0.service($IEngineService_11b973490b0.java)
>





Re: T5: pagelink

2008-08-06 Thread tapestry5

I have my app server configured to https default. 

Pages without @secure annotation and contributeAlias opens but all the links
are still http. (Not sure why that is happening). 

Pages with @Secure annotation and contributeAlias will give an exception
"The page isn't redirecting properly" (Not sure why that is happening).




Daniel Jue wrote:
> 
> You could also change the default HTTPS port in your app server
> configuration, and then you don't have to worry about modifying the
> URIs.  The default is of course 443.
> 
> "The https:// protocol can be used in exactly the same way as the
> http:// protocol.
> The differences are that HTTPS uses a default port number of 443 (80
> for HTTP) and that
> HTTPS automatically performs SSL negotiation and thus always sends
> data in encrypted form,
> i.e. web servers accessed through https:// have to be "secure web
> servers"."
> 
> For me, my development is always HTTP, and the deployed is always
> using HTTPS (for everything)
> So in the module that contributes these settings (for most people
> that's the AppModule), I look up a value stored in the local JNDI
> which tells me if I should use https or not
> 
> public void contributeMetaDataLocator(MappedConfiguration<String, String> configuration)
> {
>   // only force secure pages on the deployed server; development stays on plain HTTP
>   if (thisIsDeploymentServer())
>   {
>     configuration.put(TapestryConstants.SECURE_PAGE, "true");
>   }
> }
> 
> On Tue, Aug 5, 2008 at 11:35 PM, tapestry5 <[EMAIL PROTECTED]> wrote:
>>
>> I have the same issue. I tried using it.
>> It won't open the landing page. In fact if I don't put @Secure and also do not
>> contribute it opens the landing page as https and further the links were
>> http.
>>
>> Even if I make it work but still contributeAlias is good for testing but not
>> for production.
>>
>> Is there any other way to get https and not http.
>>
>> As my page can be used for http and https. So if I put @Secure then it won't
>> work for any http call.
>>
>>
>>
>> 9902468 wrote:
>> >
>> > Hi,
>> >
>> > Use @Secure annotation and add this to your appmodule: (Also use
>> whatever
>> > ports you wish.)
>> >
>> > public void contributeAlias(Configuration<AliasContribution> configuration)
>> > {
>> >     BaseURLSource source = new BaseURLSource()
>> >     {
>> >         public String getBaseURL(boolean secure)
>> >         {
>> >             String protocol = secure ? "https" : "http";
>> >
>> >             // change these to the ports your server actually listens on
>> >             int port = secure ? 443 : 80;
>> >
>> >             // the default ports are left out of the generated URL
>> >             if (port == 80 || port == 443) {
>> >                 return String.format("%s://localhost", protocol);
>> >             }
>> >
>> >             return String.format("%s://localhost:%d", protocol, port);
>> >         }
>> >     };
>> >
>> >     configuration.add(AliasContribution.create(BaseURLSource.class, source));
>> > }
>> >
>> >
>> >
>> > Argo Vilberg wrote:
>> >>
>> >> hi,
>> >>
>> >>
>> >> I want use pagelink with port 8443 and https protocol.
>> >>
>> >> If I use:
>> >> 
>> >> ${currentRole.roleName}
>> >> 
>> >>
>> >> then tapestry generate
>> >> http://localhost/app/start/4
>> >>
>> >>
>> >> But i want
>> >> https://localhost:8443/app/start4
>> >>
>> >>
>> >> Argo
>> >>
>> >>
>> >
>> >
>>
>> --
>> View this message in context:
>> http://www.nabble.com/T5%3A-pagelink-tp18796163p18843725.html
>> Sent from the Tapestry - User mailing list archive at Nabble.com.
>>
>>
>> -
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>>
> 



Re: IPage and ILink difference

2008-08-06 Thread Howard Lewis Ship
Generally, returning a page is what you want.

Returning an ILink is generally used for "redirect after post"
processing in Tapestry 4.



On Tue, Aug 5, 2008 at 11:25 PM, Yohan Yudanara <[EMAIL PROTECTED]> wrote:
> Dear all,
>
> what is the difference between using IPage and ILink for redirecting
> page?
>
> Which one is recommended to be put on listener that will load another
> page?
>
> From googling on the net, I found this explanation:
> An ILink will cause a redirect url to be sent to the browser. An IPage
> will be rendered in the current request cycle.
>
> Could anyone plz give me more explanation about that statement?
>
> Thanks in advance,
> Yohan
>
>
>
>
>
>
>



-- 
Howard M. Lewis Ship

Creator Apache Tapestry and Apache HiveMind




T5 - inPlaceEditor

2008-08-06 Thread David Molina
Hi,

I have this code of the page class:

@Component(parameters = {"source=allItems", "row=item" } )
private Grid _grid;

@Component(parameters = {"value=item.code", "context=item.code",
"size=30"})
private InPlaceEditor _inPlaceEditor;

@OnEvent(component = "inPlaceEditor", value = InPlaceEditor.SAVE_EVENT)
void actionFromEditor(String code)
{
item.setCode(code);
}

and the code of the page template is:







When I execute, item cells can't be changed to a new value. What am I doing
wrong?

thanks


Re: T5: Dynamic asset path

2008-08-06 Thread Inge Solvoll
Thanks!

Not the prettiest thing I ever saw, I would have preferred a more
straightforward approach from the framework. I need that code pretty often in
most of my pages. But I guess I'll manage to hide it in some utility method.

On Wed, Aug 6, 2008 at 4:00 PM, 9902468 <[EMAIL PROTECTED]> wrote:

>
> Hi,
>
> I did this:
>
> Java:
>
>    @Inject
>    private AssetSource assetSource;
>
>    // parameterManager is an application service injected elsewhere in the page class (not shown in the post)
>    public List<Language> getLanguages(){
>        return parameterManager.getLanguages();
>    }
>
>    @Property
>    private Language language;
>
>    public String getLanguageAsset(){
>        Asset asset = assetSource.getAsset(null, "context:/assets/images/" + language.getLanguage() + ".gif", null);
>        return asset.toClientURL();
>    }
>
> .tml
>
> <imgtag src="${languageAsset}"/>
>
> change imgtag -> img
>
>
> Inge Solvoll-2 wrote:
> >
> > Hi!
> >
> > I would like to do something like this, but this syntax obviously doesn't
> > work. The ${bannerPath} seems to be pointing to a "symbol", which
> > obviously
> > isn't a page property.
> > Is there a similar way to do this?
> >
> >   @Inject
> >   @Path("${bannerPath}")
> >   private Asset banner;
> >
> >
> >   public String getBannerPath() {
> > return "context:/company/1/banner.gif";
> >   }
> >
> >
>


RE: Form validation question

2008-08-06 Thread Jonathan Barker

Validate events are indeed called for each component, and then a validate
event is called for the entire form.

If your fields are "usernameField" and "passwordField" in a "loginForm", you
would expect:

onValidateFromUsernameField()
onValidateFromPasswordField()
onValidateFormFromLoginForm();

With a single form, you may just want to use onValidateForm().


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 06, 2008 08:46
> To: users@tapestry.apache.org
> Subject: Form validation question
> 
>  From reading the documentation I am under the impression that during
> form submission a VALIDATE_FORM event is emitted once. However, I
> observe onValidate() being called for every component in the form, the
> value from the component not being set until *after* onValidate has
> apparently been called on that component. For instance, I have
> username and password fields (with values typed in of "admin,
> "admin"), and I get during onValidate():
> 
> on validate: null / null
> on validate: admin / null
> 
> I would have thought it was called just once and would have all values
> set. What is going on and what am I not understanding here?
> 
> thanks,
> p
> 
> 
> 
> 



Re: T5: Dynamic asset path

2008-08-06 Thread 9902468

Hi,

I did this:

Java:

    @Inject
    private AssetSource assetSource;

    // parameterManager is an application service injected elsewhere in the page class (not shown in the post)
    public List<Language> getLanguages(){
        return parameterManager.getLanguages();
    }

    @Property
    private Language language;

    public String getLanguageAsset(){
        Asset asset = assetSource.getAsset(null, "context:/assets/images/" + language.getLanguage() + ".gif", null);
        return asset.toClientURL();
    }

.tml

<imgtag src="${languageAsset}"/>

change imgtag -> img


Inge Solvoll-2 wrote:
> 
> Hi!
> 
> I would like to do something like this, but this syntax obviously doesn't
> work. The ${bannerPath} seems to be pointing to a "symbol", which
> obviously
> isn't a page property.
> Is there a similar way to do this?
> 
>   @Inject
>   @Path("${bannerPath}")
>   private Asset banner;
> 
> 
>   public String getBannerPath() {
> return "context:/company/1/banner.gif";
>   }
> 
> 




Re: T5: Dynamic asset path

2008-08-06 Thread Inge Solvoll
Also, I can't seem to find out how to reference this asset in the .tml.
Tried a lot similar to this, nothing worked:



Also tried annotating "private Asset banner" with @Property, no difference.

The only thing I got working is this: 

But this doesn't work for me, because I need to compute each customer's image
path on each request.

On Wed, Aug 6, 2008 at 3:33 PM, Inge Solvoll <[EMAIL PROTECTED]>wrote:

> Hi!
>
> I would like to do something like this, but this syntax obviously doesn't
> work. The ${bannerPath} seems to be pointing to a "symbol", which obviously
> isn't a page property.
> Is there a similar way to do this?
>
>   @Inject
>   @Path("${bannerPath}")
>   private Asset banner;
>
>
>   public String getBannerPath() {
> return "context:/company/1/banner.gif";
>   }
>


Re: what happened to the plugin snapshots....

2008-08-06 Thread Brian Fox
As I said before, this was done by infra with no notice to us. The new  
policy of purging is theirs, not ours. See the infra archives if you  
would like to read about it.



On Aug 5, 2008, at 10:45 PM, "Patrick Moore" <[EMAIL PROTECTED]>  
wrote:


> Of course this means that the maven team is imposing their idea of good
> process on the other apache projects like tapestry which was also impacted
> by this ...
>
> I could understand this if the release occurs. (i.e. if 2.2 is released then
> the 2.2-SNAPSHOT could be reasonably expected to be discarded)
>
> part of the process of tracking down a bug involves going back to known
> states of the code. Using the snapshots to diagnose when a bug appeared is
> useful as people move toward a release. Something to think about.
>
> Just my 2c
>
> clearly I will need to isolate my project in the future from the official
> maven repos ... probably should do it anyhow but would have preferred to do
> it later
>
> -Pat

On Tue, Aug 5, 2008 at 3:53 PM, Brian E. Fox  
<[EMAIL PROTECTED]>wrote:


> The official answer is this:
> http://www.apache.org/dev/release.html#what
>
> Technically only the development team should be using snapshots and it
> seems like we should expect snapshots to be cleaned out on a more
> regular basis. Therefore if you use them, you better have a repo manager
> or some other way to isolate yourself. This is just plain best practice
> anyway.
>
> -Original Message-
> From: David Conde [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 05, 2008 8:20 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: what happened to the plugin snapshots
>
> Moving this onto the dev list.
>
> Are there plans to re-publish snapshots of these soon? I currently  
have
> a dependency on maven-embedder which brings in wagon etc which  
cannot be

>
> resolved now.
>
> Thanks,
> David Conde
>
>
>
>


T5: Dynamic asset path

2008-08-06 Thread Inge Solvoll
Hi!

I would like to do something like this, but this syntax obviously doesn't
work. The ${bannerPath} seems to be pointing to a "symbol", which obviously
isn't a page property.
Is there a similar way to do this?

  @Inject
  @Path("${bannerPath}")
  private Asset banner;


  public String getBannerPath() {
return "context:/company/1/banner.gif";
  }


Re: T5: How to protect against 'Cross-site request forgery'?

2008-08-06 Thread 9902468

I don't think that people should trust post anymore than get. Period. They
should both be regarded as dangerous.

The second issue of placing too much load on server is valid, but can be
lowered as the unique request part in the token can be achieved using a
running number on the generated token, not to generate the whole token for
every request. Granted that user can guess the number easily, but there
really is no harm if user alters the number or the token, then it just
doesn't match. (Same as your model but the running number added.) This does
add some performance penalty, but I believe that it is acceptable.

The point that really critical things should always be confirmed via
non-computer way is good, but sometimes unacceptable. Then one must settle
to what can be done.

You said "Blanket solutions don't make you secure if they're knee-jerk.".
And I agree. But "...applying broad strokes isn't a good model of security,
in  my view." is not right in this context in my opinion. Is there harm done
if token is used in every request (performance questions ignored)?

This solution is not the save-everything by all means, just one tool in our
box. 

 - 99

Ps. I agree that the capability to have a secure request key be built into
ActionLink, Page, and Form is enough. (Although there could be configuration
symbol which configures the default, thus enabling the default to be on or
off and then developer could override that if needed.)


Christian Edward Gruber-2 wrote:
> 
> Ok, people should read the whitepaper.  Part of it describes how http  
> gets and using query parameters are somewhat easier to do request  
> forging on than posts.  I have to think through the filter approach,  
> but the big deal is on forms.  However, several app design principles  
> also apply - in particular, ensuring that there are no changes that  
> one can make, if one were forged, that don't include notification that  
> the change was made to the original e-mail address of the user.
> 
> The classic example is on a bank site.  If I can forge a request to
> change the notification e-mail, then I can set my own e-mail as the new
> notification source.  THEN I can do all sorts of things, including ask  
> for a password reset and get them to my own address, and take over the  
> account.  If, however, such underlying account changes require a phone  
> call, or are protected from forgery, then you dramatically limit the  
> danger of the forgery.
> 
> The reason I'd not enable this on every single request (especially  
> navigation alone) is that generating a cryptographically valid request  
> key and storing it puts a pretty high burden on a server with any  
> serious load, and having this happen on any and every click can be  
> quite expensive.   The only caveat I'd make to that is the fact that  
> T5 uses some parameterization via the URL, and if those parameters are  
> worth forging, then having the solution implemented on clicks as well  
> would be critical.
> 
> Blanket solutions don't make you secure if they're knee-jerk.  You  
> still have to do threat modelling, and incorporate it into the app  
> design.   I'd much rather see the capability to have a secure request  
> key be built into ActionLink, Page, and Form, to allow one to enable  
> it with a flag, according to what needs protecting.  T5, having the  
> component consume its own data is in a much better place to implement  
> this cleanly in a few key components than Struts or other things.  But  
> getting nervous about XSRF (or CSRF or whatever the current acronym is  
> today) and applying broad strokes isn't a good model of security, in  
> my view.
> 
> Unfortunately, I can't provide source code for our example, as I don't  
> have it any more, and it was client code.  I'm in the thick of other  
> source and other issues, so I don't really have time to implement it.   
> I do have a client that may need it, so if I get there before a good  
> general solution is adopted in T5, I'll try to write it in a way that  
> I can share the source with the community.
> 
> Christian.
> 
> On 6-Aug-08, at 03:13 , 9902468 wrote:
> 
>>
>> Hi,
>>
>> CSRF solution could be the base for the solution to my problem,  
>> described
>> here:
>>
>> http://www.nabble.com/T5-double-click---multiple-windows-on-same-session-prevention-to18807447.html
>>
>> Could you post the code? I think that I need only to customize it so  
>> that it
>> changes the sid to every response and accepts only request with the  
>> latest
>> one.
>>
>> I'm also interested in the mixin(s) code. (Or the custom action  
>> link / form
>> implementation if that approach was chosen.)
>>
>> - 99
>>
>>
>> Martijn Brinkers (List)-2 wrote:
>>>
>>>> Also, the internal LinkFactory service has listeners that know when an
>>>> action link is created; it might be possible to automatically add a
>>>> query parameter to every link with authentication, and then provided
>>>> filters in the ComponentEvent
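
The mechanism both CSRF threads on this page describe (Martijn's per-session random sid appended to every action link and verified in a ComponentEventRequestFilter, his follow-up question about hiding the sid from the rest of the application, and 99's per-response running number that accepts only the latest token) can be reduced to a few small pieces. The class below is an added illustration, not the code from the Tapestry5CSRF wiki howto or from any poster; it is deliberately framework-agnostic, so `CsrfGuard`, `SessionState` and the query-string helpers are assumed names rather than Tapestry API. A real filter would fetch the `sid` request parameter, call `isValid` (or `isLatest`) against the user's session and refuse the request before the component event is dispatched.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

/*
 * Illustration of the per-session "sid" check discussed in this thread.
 * CsrfGuard and SessionState are assumed names; SessionState stands in for
 * the attributes a real HTTP session would hold.
 */
public final class CsrfGuard {

    public static final String PARAM = "sid";
    private static final SecureRandom RNG = new SecureRandom();

    /** Minimal stand-in for the user's session. */
    public static final class SessionState {
        String secret;        // random token, generated once per session
        long latestCounter;   // only used by the per-response variant
    }

    /** Lazily create the per-session secret: 128 random bits, URL-safe base64. */
    public static String secretFor(SessionState s) {
        if (s.secret == null) {
            byte[] raw = new byte[16];
            RNG.nextBytes(raw);
            s.secret = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        }
        return s.secret;
    }

    /** Martijn's variant: the same session token is appended to every action link. */
    public static String decorateLink(String link, SessionState s) {
        String sep = link.indexOf('?') >= 0 ? "&" : "?";
        return link + sep + PARAM + "=" + secretFor(s);
    }

    /** 99's variant: a fresh value per response; only the most recent one is accepted. */
    public static String nextResponseToken(SessionState s) {
        s.latestCounter++;
        return secretFor(s) + "-" + s.latestCounter;
    }

    /** Check a submitted sid against the session token (constant-time compare). */
    public static boolean isValid(String submitted, SessionState s) {
        return s.secret != null && constantTimeEquals(submitted, s.secret);
    }

    /** Check a submitted sid against the latest per-response token. */
    public static boolean isLatest(String submitted, SessionState s) {
        return s.secret != null && constantTimeEquals(submitted, s.secret + "-" + s.latestCounter);
    }

    /** Pull the sid out of a raw query string such as "id=42&sid=abc". */
    public static String sidFrom(String query) {
        if (query == null) return null;
        for (String pair : query.split("&")) {
            if (pair.startsWith(PARAM + "=")) return pair.substring(PARAM.length() + 1);
        }
        return null;
    }

    /** Drop the sid so downstream code never sees it (Martijn's follow-up question). */
    public static String withoutSid(String query) {
        if (query == null) return null;
        StringBuilder out = new StringBuilder();
        for (String pair : query.split("&")) {
            if (pair.isEmpty() || pair.equals(PARAM) || pair.startsWith(PARAM + "=")) continue;
            if (out.length() > 0) out.append('&');
            out.append(pair);
        }
        return out.toString();
    }

    /** MessageDigest.isEqual does not short-circuit on the first differing byte. */
    private static boolean constantTimeEquals(String a, String b) {
        if (a == null || b == null) return false;
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        SessionState session = new SessionState();

        // Session-wide token: every link carries the same sid, checked by the filter.
        String link = decorateLink("/app/account.edit?id=42", session);
        String query = link.substring(link.indexOf('?') + 1);
        System.out.println(link + " -> valid=" + isValid(sidFrom(query), session));
        // A value that was not issued to this session is rejected ("enn50tk96" is the example sid from the thread).
        System.out.println("not issued -> valid=" + isValid("enn50tk96", session));
        System.out.println("downstream sees: " + withoutSid(query));

        // Per-response token: a stale value (double click, second window) is refused.
        String first = nextResponseToken(session);
        String second = nextResponseToken(session);
        System.out.println("stale=" + isLatest(first, session) + " latest=" + isLatest(second, session));
    }
}
```

Two practical points follow from the code rather than from the thread: because the token rides in the query string, it ends up in access logs and in the Referer header of any outbound link on the protected page, so the per-session value should be rotated on login and never reused across sessions; and the per-response variant, while it also gives 99 the double-click protection he is after, breaks the back button and multiple tabs, which is the trade-off Christian's load argument and 99's reply are really about.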

Form validation question

2008-08-06 Thread photos
From reading the documentation I am under the impression that during  
form submission a VALIDATE_FORM event is emitted once. However, I  
observe onValidate() being called for every component in the form, the  
value from the component not being set until *after* onValidate has  
apparently been called on that component. For instance, I have  
username and password fields (with values typed in of "admin,  
"admin"), and I get during onValidate():


on validate: null / null
on validate: admin / null

I would have thought it was called just once and would have all values  
set. What is going on and what am I not understanding here?


thanks,
p







Re: T5: How to protect against 'Cross-site request forgery'?

2008-08-06 Thread Christian Edward Gruber
Ok, people should read the whitepaper.  Part of it describes how http  
gets and using query parameters are somewhat easier to do request  
forging on than posts.  I have to think through the filter approach,  
but the big deal is on forms.  However, several app design principles  
also apply - in particular, ensuring that there are no changes that  
one can make, if one were forged, that don't include notification that  
the change was made to the original e-mail address of the user.


The classic example is on a bank site.  If I can forge a request to  
change the notification e-mail, then I can set my own e-mail as the new  
notification source.  THEN I can do all sorts of things, including ask  
for a password reset and get them to my own address, and take over the  
account.  If, however, such underlying account changes require a phone  
call, or are protected from forgery, then you dramatically limit the  
danger of the forgery.


The reason I'd not enable this on every single request (especially  
navigation alone) is that generating a cryptographically valid request  
key and storing it puts a pretty high burden on a server with any  
serious load, and having this happen on any and every click can be  
quite expensive.   The only caveat I'd make to that is the fact that  
T5 uses some parameterization via the URL, and if those parameters are  
worth forging, then having the solution implemented on clicks as well  
would be critical.


Blanket solutions don't make you secure if they're knee-jerk.  You  
still have to do threat modelling, and incorporate it into the app  
design.   I'd much rather see the capability to have a secure request  
key be built into ActionLink, Page, and Form, to allow one to enable  
it with a flag, according to what needs protecting.  T5, having the  
component consume its own data is in a much better place to implement  
this cleanly in a few key components than Struts or other things.  But  
getting nervous about XSRF (or CSRF or whatever the current acronym is  
today) and applying broad strokes isn't a good model of security, in  
my view.


Unfortunately, I can't provide source code for our example, as I don't  
have it any more, and it was client code.  I'm in the thick of other  
source and other issues, so I don't really have time to implement it.   
I do have a client that may need it, so if I get there before a good  
general solution is adopted in T5, I'll try to write it in a way that  
I can share the source with the community.


Christian.

On 6-Aug-08, at 03:13 , 9902468 wrote:



> Hi,
>
> CSRF solution could be the base for the solution to my problem, described
> here:
>
> http://www.nabble.com/T5-double-click---multiple-windows-on-same-session-prevention-to18807447.html
>
> Could you post the code? I think that I need only to customize it so that it
> changes the sid to every response and accepts only request with the latest
> one.
>
> I'm also interested in the mixin(s) code. (Or the custom action link / form
> implementation if that approach was chosen.)
>
> - 99
>
>
> Martijn Brinkers (List)-2 wrote:
>>
>>> Also, the internal LinkFactory service has listeners that know when an
>>> action link is created; it might be possible to automatically add a
>>> query parameter to every link with authentication, and then provided
>>> filters in the ComponentEventRequestHandler pipeline to enforce the
>>> check.
>>
>> I finally had time to implement the 'Cross-site request forgery' filter
>> in the way suggested by Howard and it was really simple and
>> straightforward (which shows me again why I think Tapestry is extremely
>> well built). All action links now contain a sid (random generated for
>> each user) and the sid is checked using a ComponentEventRequestFilter.
>> The only possible problem (which was not a problem for me though) could
>> be that the action links now contain an extra parameter
>> (example: ?sid=enn50tk96) which wasn't there before the filter was
>> added. This can interfere with existing code. I was wondering whether it
>> would be possible to remove the sid attribute after checking the sid so
>> the rest of the application has no knowledge of the sid?
>>
>> Martijn
>>
>>
>> On Mon, 2008-07-28 at 12:27 -0700, Howard Lewis Ship wrote:
>>> I wonder if this could be created as a Mixin?
>>>
>>> Also, the internal LinkFactory service has listeners that know when an
>>> action link is created; it might be possible to automatically add a
>>> query parameter to every link with authentication, and then provided
>>> filters in the ComponentEventRequestHandler pipeline to enforce the
>>> check.
>>>
>>> On Mon, Jul 28, 2008 at 12:24 PM, Martijn Brinkers (List)
>>> <[EMAIL PROTECTED]> wrote:
>>>> Hi Christian,
>>>>
>>>> Do you have some example code of your Form extension?
>>>>
>>>> Thanks,
>>>>
>>>> Martijn
>>>>
>>>> On Mon, 2008-07-28 at 15:18 -0400, Christian Edward Gruber wrote:
>>>>> A good way would be to alter the Form object to contain (via a hidden
>>>>> variable) a field that's generated per the whitepaper linked from that
>>>>> wikipedia article.  The form would then consume the post, and if t

message catalog reuse / chaining

2008-08-06 Thread mailinglist
Hello!

We have a small component displaying an address form. So we put the tml, java 
and localization properties below the component directories.
If we reuse this component inside a page using the component annotation we need 
to duplicate all localizations properties otherwise we get "missing-key". It 
seems the message catalog of a component is not "inherited" to the page 
including this component. Is it possible to "chain" the message catalogs in any 
way? 

Thanks in advance

Jens




Re: T5: Kudos!

2008-08-06 Thread Andy Pahne

Inge Solvoll schrieb:

... In particular I really like how simple it is to create
new components/pages. This has been the biggest drag about T4, that it was
so much hassle creating a new component and getting it to work that I almost
always ended up writing "monolithic" pages with few custom components.
...



+1 on that. It is really a lot simpler now.




T5: Problem with assets

2008-08-06 Thread Inge Solvoll
Hi!

I'm having trouble with the default assets, default.css, tapestry.js and so
on. The same error message applies to all of them:

Failure to export classpath resource /5.0.13/tapestry.js.


  Session id: 62F38BA7F22A8AB2F6B3C1C42B3DE98D

Exceptions:

org.apache.hivemind.ApplicationRuntimeException: Classpath resource
'/5.0.13/tapestry.js' does not exist.
org.apache.tapestry.asset.ResourceDigestSourceImpl.computeMD5(ResourceDigestSourceImpl.java:94)
org.apache.tapestry.asset.ResourceDigestSourceImpl.getDigestForResource(ResourceDigestSourceImpl.java:62)
$ResourceDigestSource_11b973490be.getDigestForResource($ResourceDigestSource_11b973490be.java)
org.apache.tapestry.asset.AssetService.service(AssetService.java:197)


Failure to export classpath resource /5.0.13/effects.js.


  Session id: 62F38BA7F22A8AB2F6B3C1C42B3DE98D

Exceptions:

org.apache.hivemind.ApplicationRuntimeException: Classpath resource
'/5.0.13/effects.js' does not exist.
org.apache.tapestry.asset.ResourceDigestSourceImpl.computeMD5(ResourceDigestSourceImpl.java:94)
org.apache.tapestry.asset.ResourceDigestSourceImpl.getDigestForResource(ResourceDigestSourceImpl.java:62)
$ResourceDigestSource_11b973490be.getDigestForResource($ResourceDigestSource_11b973490be.java)
org.apache.tapestry.asset.AssetService.service(AssetService.java:197)

Failure to export classpath resource /5.0.13/default.css.


  Session id: 62F38BA7F22A8AB2F6B3C1C42B3DE98D

Exceptions:

org.apache.hivemind.ApplicationRuntimeException: Classpath resource
'/5.0.13/default.css' does not exist.
org.apache.tapestry.asset.ResourceDigestSourceImpl.computeMD5(ResourceDigestSourceImpl.java:94)
org.apache.tapestry.asset.ResourceDigestSourceImpl.getDigestForResource(ResourceDigestSourceImpl.java:62)
$ResourceDigestSource_11b973490be.getDigestForResource($ResourceDigestSource_11b973490be.java)
org.apache.tapestry.asset.AssetService.service(AssetService.java:197)
$IEngineService_11b973490b0.service($IEngineService_11b973490b0.java)


T5: Kudos!

2008-08-06 Thread Inge Solvoll
Hi!

My T5 demo app is now pretty much up and running, it didn't take me too much
time to configure some rather advanced features as well. Really positive
experience so far! In particular I really like how simple it is to create
new components/pages. This has been the biggest drag about T4, that it was
so much hassle creating a new component and getting it to work that I almost
always ended up writing "monolithic" pages with few custom components.

I haven't gotten to the point where I write my own components on a larger
scale yet, so I'm still very curious and enthusiastic about T5!

Another great feature was file streaming, which was SO much harder and
less intuitive in T4. Now I just need to return an instance of this class:


// imports needed at the top of the enclosing page class
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;

import org.apache.tapestry5.StreamResponse;
import org.apache.tapestry5.services.Response;

private final class XmlStreamResponse implements StreamResponse {

  private final String xml;

  public XmlStreamResponse(String xml) {
    this.xml = xml;
  }

  public String getContentType() {
    // declare the charset so it matches the bytes produced in getStream()
    return "text/xml; charset=UTF-8";
  }

  public InputStream getStream() throws IOException {
    // encode explicitly: the no-argument getBytes() uses the platform default
    // charset, which can differ between the development and deployment machines
    return new ByteArrayInputStream(xml.getBytes("UTF-8"));
  }

  public void prepareResponse(Response response) {
    // served as a download; the filename is fixed here, so no user input reaches the header
    response.setHeader("Content-Disposition", "attachment; filename=\"test.xml\"");
    // these two headers let shared caches keep the file for a day, which is only
    // appropriate if the document is not user-specific
    response.setHeader("Pragma", "public");
    response.setHeader("Cache-Control", "max-age=86400");
  }
}


Re: T5: pagelink

2008-08-06 Thread Argo Vilberg
My problem is that my first page is http and the pages after that are https.

If I switch to https, then ID-Card authentication occurs in Tomcat.
That's why I must use both protocols.

But how do I change http, https and the ports in AppModule.java?

2008/8/6 Daniel Jue <[EMAIL PROTECTED]>

> You could also change the default HTTPS port in your app server
> configuration, and then you don't have to worry about modifying the
> URIs.  The default is of course 443.
>
> "The https:// protocol can be used in exactly the same way as the
> http:// protocol.
> The differences are that HTTPS uses a default port number of 443 (80
> for HTTP) and that
> HTTPS automatically performs SSL negotiation and thus always sends
> data in encrypted form,
> i.e. web servers accessed through https:// have to be "secure web
> servers"."
>
> For me, my development is always HTTP, and the deployed is always
> using HTTPS (for everything)
> So in the module that contributes these settings (for most people
> that's the AppModule), I look up a value stored in the local JNDI
> which tells me if I should use https or not
>
> public void contributeMetaDataLocator(MappedConfiguration<String, String> configuration)
> {
>   if (thisIsDeploymentServer())
>   {
>     configuration.put(TapestryConstants.SECURE_PAGE, "true");
>   }
> }
>
> On Tue, Aug 5, 2008 at 11:35 PM, tapestry5 <[EMAIL PROTECTED]> wrote:
> >
> > I have the same issue. I tried using it.
> > It won't open the landing page. In fact, if I don't put @Secure and also do
> > not contribute, it opens the landing page as https and the further links
> > were http.
> >
> > Even if I make it work, contributeAlias is still good for testing but not
> > for production.
> >
> > Is there any other way to get https and not http?
> >
> > As my page can be used for http and https, if I put @Secure then it won't
> > work for any http call.
> >
> >
> >
> > 9902468 wrote:
> > >
> > > Hi,
> > >
> > > Use @Secure annotation and add this to your appmodule: (Also use whatever
> > > ports you wish.)
> > >
> > > public void contributeAlias(Configuration<AliasContribution> configuration)
> > > {
> > >     BaseURLSource source = new BaseURLSource()
> > >     {
> > >         public String getBaseURL(boolean secure)
> > >         {
> > >             String protocol = secure ? "https" : "http";
> > >
> > >             int port = secure ? 443 : 80;
> > >
> > >             if (port == 80 || port == 443) {
> > >                 return String.format("%s://localhost", protocol);
> > >             }
> > >
> > >             return String.format("%s://localhost:%d", protocol, port);
> > >         }
> > >     };
> > >
> > >     configuration.add(AliasContribution.create(BaseURLSource.class, source));
> > > }
> > >
> > >
> > >
> > > Argo Vilberg wrote:
> > >>
> > >> hi,
> > >>
> > >>
> > >> I want use pagelink with port 8443 and https protocol.
> > >>
> > >> If i use:
> > >> 
> > >> ${currentRole.roleName}
> > >> 
> > >>
> > >> then tapestry generate
> > >> http://localhost/app/start/4
> > >>
> > >>
> > >> But i want
> > >> https://localhost:8443/app/start4
> > >>
> > >>
> > >> Argo
> > >>
> > >>
> > >
> > >
> >
> > --
> > View this message in context:
> http://www.nabble.com/T5%3A-pagelink-tp18796163p18843725.html
> > Sent from the Tapestry - User mailing list archive at Nabble.com.
> >
> >
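The BaseURLSource quoted in this thread hard-codes "localhost" and the default ports, so it only works on a developer machine. The following is an added example, not code from any poster: a BaseURLSource for Tapestry 5.0.x that takes the host from the current request and uses the ports the container really listens on (8080 and 8443 are assumed values, as are the class and constant names).

```java
// Added example for Tapestry 5.0.x (not from the thread). Assumed: the port values,
// the class name, and that the application is reached on the host the client asked for.
import org.apache.tapestry5.ioc.Configuration;
import org.apache.tapestry5.services.AliasContribution;
import org.apache.tapestry5.services.BaseURLSource;
import org.apache.tapestry5.services.Request;

public class AppModule {

    // Ports the container actually listens on (assumed; Tomcat's stock HTTPS connector is 8443)
    private static final int HTTP_PORT = 8080;
    private static final int HTTPS_PORT = 8443;

    public static void contributeAlias(Configuration<AliasContribution> configuration,
                                       final Request request) {
        BaseURLSource source = new BaseURLSource() {
            public String getBaseURL(boolean secure) {
                String scheme = secure ? "https" : "http";
                int port = secure ? HTTPS_PORT : HTTP_PORT;
                int defaultPort = secure ? 443 : 80;

                // Use the host the client addressed instead of "localhost"; otherwise every
                // absolute link on a deployed server points back at the client's own machine.
                String host = request.getServerName();

                // Omit the port only when it is the scheme's default, so that
                // https://host:8443/... is produced when the secure connector is non-standard.
                if (port == defaultPort) {
                    return String.format("%s://%s", scheme, host);
                }
                return String.format("%s://%s:%d", scheme, host, port);
            }
        };
        configuration.add(AliasContribution.create(BaseURLSource.class, source));
    }
}
```

Two caveats for the mixed http/https setup described above. First, request.getServerName() is derived from the Host header the client sent; behind a reverse proxy or in a deployment where arbitrary Host values reach the container, pin the host to a configured value instead of trusting the header, since absolute links (and any e-mailed links built the same way) would otherwise be attacker-controllable. Second, a session established on the http landing page is carried by a cookie without the Secure flag, so the same session id that later authorises https pages is sent in clear on every http request; if the http page is needed only as an entry point, issue a fresh session at the https switch rather than reusing the one from http.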


Re: https actionlink

2008-08-06 Thread Lutz Hühnken
Hi,

have a look at
http://tapestry.apache.org/tapestry5/tapestry-core/guide/secure.html.

If the first paragraph - @Secure - does not work for you (which seems
odd by the way because for me it seems to work just fine in 5.0.13),
you can configure it in your AppModule.java, see the other two
paragraphs of the page.

Hth,

Lutz


On Tue, Aug 5, 2008 at 4:50 PM, tapestry5 <[EMAIL PROTECTED]> wrote:
>
> I have a page object which is supposed to work in https.
>
> I can open that page via "https" but all the links in that page are created
> as "http" by tapestry.
> eg. Refresh
> Here when I click on Refresh I get "http://server:port"
>
> How can I change the links from http to https?
>
> I tried the @Secure annotation but it is still not working.
> I am working on Tapestry 5.0.13 version.
>
> --
> View this message in context: 
> http://www.nabble.com/https-actionlink-tp18832779p18832779.html
> Sent from the Tapestry - User mailing list archive at Nabble.com.
>
>



Re: T5: How to protect against 'Cross-site request forgery'?

2008-08-06 Thread 9902468

Hi,

CSRF solution could be the base for the solution to my problem, described
here: 

http://www.nabble.com/T5-double-click---multiple-windows-on-same-session-prevention-to18807447.html

Could you post the code? I think that I need only to customize it so that it
changes the sid to every response and accepts only request with the latest
one.

I'm also interested in the mixin(s) code. (Or the custom action link / form
implementation if that approach was chosen.)

 - 99


Martijn Brinkers (List)-2 wrote:
> 
>> Also, the internal LinkFactory service has listeners that know when an
>> action link is created; it might be possible to automatically add a
>> query parameter to every link with authentication, and then provide
>> filters in the ComponentEventRequestHandler pipeline to enforce the
>> check.
> 
> I finally had time to implement the 'Cross-site request forgery' filter
> in the way suggested by Howard and it was really simple and
> straightforward (which shows me again why I think Tapestry is extremely
> well built). All action links now contain a sid (random generated for
> each user) and the sid is checked using a ComponentEventRequestFilter.
> The only possible problem (which was not a problem for me though) could
> be that the action links now contain an extra parameter
> (example: ?sid=enn50tk96) which wasn't there before the filter was
> added. This can interfere with existing code. I was wondering whether it
> would be possible to remove the sid attribute after checking the sid so
> the rest of the application has no knowledge of the sid?
> 
> Martijn
> 
> 
> On Mon, 2008-07-28 at 12:27 -0700, Howard Lewis Ship wrote:
>> I wonder if this could be created as a Mixin?
>> 
>> Also, the internal LinkFactory service has listeners that know when an
>> action link is created; it might be possible to automatically add a
>> query parameter to every link with authentication, and then provide
>> filters in the ComponentEventRequestHandler pipeline to enforce the
>> check.
>> 
>> On Mon, Jul 28, 2008 at 12:24 PM, Martijn Brinkers (List)
>> <[EMAIL PROTECTED]> wrote:
>> > Hi Christian,
>> >
>> > Do you have some example code of your Form extension?
>> >
>> > Thanks,
>> >
>> > Martijn
>> >
>> > On Mon, 2008-07-28 at 15:18 -0400, Christian Edward Gruber wrote:
>> >> A good way would be to alter the Form object to contain (via a hidden
>> >> variable) a field that's generated per the whitepaper linked from that
>> >> wikipedia article.  The form would then consume the post, and if that
>> >> field is not in the expected state, generate an error state, which
>> >> could then be redirected to a security page or some such.  We solved
>> >> it this way, though without changing the T5 form object - we used a
>> >> custom form object.
>> >>
>> >> A friend of mine wrote the linked whitepaper, so if someone's trying
>> >> to put the fix into the Tapestry framework infrastructure, then let me
>> >> know and I'll connect you by e-mail.  It's a good read anyway, as it's
>> >> a bit of a subtle problem.
>> >>
>> >> Christian.
>> >>
>> >> On 28-Jul-08, at 14:50 , Martijn Brinkers (List) wrote:
>> >>
>> >> > Cross-site request forgery (CSRF) is a web application vulnerability
>> >> > that is often neglected by web developers. If your application is
>> >> > vulnerable to CSRF and an attacker can entice you to request some URL
>> >> > (this can be done for example with an image with the src set to some
>> >> > Tapestry action) the attacker can execute random Tapestry actions and
>> >> > post forms (like adding an administrator etc.) without the user's
>> >> > consent.
>> >> > For more info on CSRF see for example:
>> >> > http://en.wikipedia.org/wiki/Cross-site_request_forgery.
>> >> > One way to protect against CSRF is to add a non-guessable code (saved in
>> >> > the user session) to the URLs that need to be protected against CSRF or
>> >> > add a hidden field to a Form with this unique code. When Tapestry
>> >> > receives a request (for a page or action) and that page/action needs
>> >> > protection, a check is done to see if the code from the URL matches the
>> >> > code stored in the user session. If not, you know that the request was
>> >> > not generated by Tapestry.
>> >> >
>> >> > My question is what is the best way to implement this? Should I add the
>> >> > code as a context parameter and for forms as a hidden field? And use a
>> >> > dispatcher to check whether the page should have been protected?
>> >> >
>> >> > Thanks,
>> >> >
>> >> > Martijn Brinkers
>> >> >
>> >> >
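The filter Martijn describes (a random per-session sid carried on every action link and verified in the ComponentEventRequestHandler pipeline) can be written against the Tapestry 5.0.x APIs as below. This is an added example, not Martijn's code and not part of Tapestry; the package, class, parameter and session-key names are assumptions, and the LinkFactory listener that appends the parameter to generated links is described in the comment rather than shown, because its method names differ between 5.0.x releases.

```java
// Added example (not the poster's implementation). Assumed names: package, CsrfTokenFilter,
// the "sid" parameter and the "csrf.sid" session attribute.
package example.csrf;

import java.io.IOException;
import java.math.BigInteger;
import java.security.SecureRandom;

import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.services.ComponentEventRequestFilter;
import org.apache.tapestry5.services.ComponentEventRequestHandler;
import org.apache.tapestry5.services.ComponentEventRequestParameters;
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.Response;
import org.apache.tapestry5.services.Session;

public class CsrfTokenFilter implements ComponentEventRequestFilter {

    /** Query parameter appended to every action link (and therefore to every Form action URL). */
    public static final String PARAMETER = "sid";
    /** Session attribute holding the token the links were rendered with. */
    public static final String SESSION_KEY = "csrf.sid";

    private static final SecureRandom RANDOM = new SecureRandom();

    private final Request request;
    private final Response response;

    public CsrfTokenFilter(Request request, Response response) {
        this.request = request;
        this.response = response;
    }

    /**
     * Token for this session, created on first use. The LinkFactory listener (not shown)
     * calls link.addParameter(PARAMETER, tokenFor(session)) for each action link it sees.
     * 128 bits from SecureRandom: java.util.Random or a counter would be guessable.
     */
    public static String tokenFor(Session session) {
        String token = (String) session.getAttribute(SESSION_KEY);
        if (token == null) {
            byte[] bytes = new byte[16];
            RANDOM.nextBytes(bytes);
            token = new BigInteger(1, bytes).toString(32);
            session.setAttribute(SESSION_KEY, token);
        }
        return token;
    }

    /** Length-then-XOR comparison: the time taken does not reveal how long a matching prefix was. */
    static boolean constantTimeEquals(String expected, String supplied) {
        byte[] a = expected.getBytes();
        byte[] b = supplied.getBytes();
        if (a.length != b.length) return false;
        int diff = 0;
        for (int i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public void handle(ComponentEventRequestParameters parameters,
                       ComponentEventRequestHandler handler) throws IOException {
        // getSession(false): never create a session just to fail the check. A request
        // without a session cannot have come from a page this application rendered.
        Session session = request.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(SESSION_KEY);
        String supplied = request.getParameter(PARAMETER);

        if (expected == null || supplied == null || !constantTimeEquals(expected, supplied)) {
            response.sendError(403, "Missing or invalid request token");
            return; // the component event handler is never invoked
        }
        handler.handle(parameters);
    }
}

// AppModule.java: register the filter in the component event pipeline.
class AppModule {
    public static void contributeComponentEventRequestHandler(
            OrderedConfiguration<ComponentEventRequestFilter> configuration,
            Request request, Response response) {
        configuration.add("CsrfToken", new CsrfTokenFilter(request, response));
    }
}
```

Because a Tapestry 5 Form posts to a component event URL, the same filter protects form submissions as long as the listener adds the parameter to those links too; page render links (bookmarkable GETs) are deliberately left alone, since a GET should not change state anyway. On the question of stripping the sid after the check: the Request service is read-only, so the practical answer is to treat "sid" as a reserved parameter name the rest of the application ignores. Two points a reviewer would raise: a token in the query string shows up in Referer headers, proxy logs and browser history, so for forms a hidden field (as Christian suggested) keeps the token out of those places; and regenerate the token at login, otherwise a token captured before authentication stays valid after it. Changing the sid on every response, as asked for above, would also reject a second tab or a back-button resubmit, which is exactly the behaviour wanted for double-click prevention but breaks ordinary multi-tab use.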

Re: T5 application behaviour behind an apache web server

2008-08-06 Thread Peter Stavrinides
Hi Grigoris,

This is a standard configuration issue which has little to do with Tapestry:
you use a reverse proxy, but you also need to have a sticky session and to set
the route/JVMRoute parameter.

In Tomcat you set it on the connector in server.xml (it should be similar for
JBoss). This is needed to tell Apache about the origin of the request context.
Deploying in the root context works, but this means no other app can run
alongside yours, which is not always ideal, and your session cookie is not
guaranteed to be passed correctly.

Peter

- Original Message -
From: "Grigoris Ioannou" <[EMAIL PROTECTED]>
To: "Tapestry users" 
Sent: Friday, 1 August, 2008 11:25:38 AM GMT +02:00 Athens, Beirut, Bucharest, 
Istanbul
Subject: T5 application behaviour behind an apache web server

Hi all,

I'm facing this peculiar behavior in my T5 application:

I have a search box in the border of the application:

BorderHeadComponent.tml

   


BorderHeadComponent.java
import org.apache.tapestry5.annotations.InjectPage;
import org.apache.tapestry5.annotations.Property;

public class BorderHeadComponent {
    @InjectPage
    private ResultsPage resultsPage;

    // backing field for the search box (the template was not preserved; field name assumed)
    @Property
    private String query;

    Object onSuccess() {
        resultsPage.setQuery(query);
        return resultsPage; // Tapestry answers the POST with a redirect to /resultspage
    }
}

ResultsPage.java:
import org.apache.tapestry5.annotations.Persist;
import org.apache.tapestry5.annotations.Property;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class ResultsPage {
    private static final Logger LOGGER = LoggerFactory.getLogger(ResultsPage.class);

    // "flash" persistence: the value survives exactly one redirect, then is cleared
    @Property
    @Persist("flash")
    private String query;

    void onActivate() {
        LOGGER.info("came here with query " + query);
    }
}


When I run the application in JBoss and I search for something, it will
correctly redirect me to http://localhost:8080/myapp/resultspage
OK up to here, all works fine with JBoss.

The problem starts in the live deployment. For the live environment, I have
configured Apache to redirect all requests to JBoss. In httpd.conf, I write:
ProxyPass / ajp://localhost:8009/myapp/
ProxyPassReverse / ajp://localhost:8009/myapp/

So, theoretically, a search in the live site should redirect me to

http://www.mydomain.com/resultspage

But instead of this, it redirects to

http://www.mydomain.com/myapp/resultspage
(myapp should not appear here!)

which results in a 404 not found error.

Meanwhile, all the pagelinks (e.g. Home) function correctly.

Is this a Tapestry bug or a configuration error? Or am I missing something?
I would appreciate any suggestions.

Grigoris
