Re: Tynamo Security and Tapestry case insensitive paths
On Mon, Feb 14, 2011 at 2:56 AM, Massimo Lusetti wrote:
> BTW URL should be considered in a case sensitive manner except for the
> machine name part which could be considered case insensitive.
> Could that open up a discussion on how Tapestry5 treats URL?

At least earlier www protocol specs didn't say anything about case sensitivity. The typical case has always been that the behavior is operating system dependent. Tapestry made a choice there and at least it behaves consistently in all environments. Given that urls are mostly human readable, it's a reasonable choice IMHO.

Kalle

-
To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org
Re: Tynamo Security and Tapestry case insensitive paths
On Sat, Feb 5, 2011 at 4:56 AM, Kalle Korhonen wrote:
> Sorry for being a bit late to the party. Thanks Barry for reporting
> and already proposing a patch. Yes, it really seems it's a feature of
> Shiro. I do find it a bit funny though (yes, I'm a Shiro committer
> but haven't been on board from the beginning) that it's the default
> behavior and that there's no configurable option to make it case
> insensitive even if this is never an issue if your resource urls are
> case sensitive. Regardless, Tapestry treating urls as case insensitive
> makes this a bug in tapestry-security. Lowercasing all urls repeatedly

BTW URL should be considered in a case sensitive manner except for the machine name part which could be considered case insensitive.

Could that open up a discussion on how Tapestry5 treats URL?

> releasing tap-sec is quite a bit faster than for Shiro. And just a
> note on annotations vs url matching - I always suggest using both if
> you are serious about security.

Totally agree, using annotations should be mandatory IMHO.

Cheers
--
Massimo
http://meridio.blogspot.com
Re: Tynamo Security and Tapestry case insensitive paths
Thanks for the quick fix.

When I saw the "run as" and "remember me" support in Shiro I knew I had to take a closer look and I think I'm out of the security business now. This is the first package I've seen that easily solves a simple problem like the one above, yet is robust enough for sites where everyone can do something different. Anyone needing security in a Tapestry app should take a look.

Thanks
Barry
Re: Tynamo Security and Tapestry case insensitive paths
On Mon, Feb 7, 2011 at 9:43 AM, Mark wrote:
> On Sun, Feb 6, 2011 at 8:22 AM, Kalle Korhonen
>> Made a patch release yesterday with a fix, use 0.2.2 or 0.3.1, see
>> http://tynamo.org/tapestry-security+guide
> I found this in the destination of your link:
> Use lowercase throughout the shiro.ini file configuration If you want
> to use a shiro.ini configuration file,
> Is that to say that in 0.3.1 case insensitivity is the default
> behavior as long as you use lowercase in the shiro.ini file?

Correct. Use lowercase in the shiro.ini file (it would have been another extension point to override and I just didn't want to deal with it right now); all incoming request urls are treated as case insensitive.

Kalle
Re: Tynamo Security and Tapestry case insensitive paths
On Sun, Feb 6, 2011 at 8:22 AM, Kalle Korhonen wrote:
> Made a patch release yesterday with a fix, use 0.2.2 or 0.3.1, see
> http://tynamo.org/tapestry-security+guide
>
> Kalle

I found this in the destination of your link:

Use lowercase throughout the shiro.ini file configuration If you want to use a shiro.ini configuration file,

Is that to say that in 0.3.1 case insensitivity is the default behavior as long as you use lowercase in the shiro.ini file?

Mark
Re: Tynamo Security and Tapestry case insensitive paths
Made a patch release yesterday with a fix, use 0.2.2 or 0.3.1, see
http://tynamo.org/tapestry-security+guide

Kalle

On Fri, Feb 4, 2011 at 7:56 PM, Kalle Korhonen wrote:
> Sorry for being a bit late to the party. Thanks Barry for reporting
> and already proposing a patch. Yes, it really seems it's a feature of
> Shiro. I do find it a bit funny though (yes, I'm a Shiro committer
> but haven't been on board from the beginning) that it's the default
> behavior and that there's no configurable option to make it case
> insensitive even if this is never an issue if your resource urls are
> case sensitive. Regardless, Tapestry treating urls as case insensitive
> makes this a bug in tapestry-security. Lowercasing all urls repeatedly
> incurs a performance penalty, so I'll make this configurable (you may
> have url normalizers etc. running in front of Tapestry app). I'll open
> an issue against Shiro, but will have a fix for tapestry-security
> available sooner than that. The turn-around time for modifying and
> releasing tap-sec is quite a bit faster than for Shiro. And just a
> note on annotations vs url matching - I always suggest using both if
> you are serious about security.
>
> Kalle
>
>
> On Fri, Feb 4, 2011 at 4:32 AM, Barry Books wrote:
>> First I'd like to say the Tynamo-Security/Shiro package is great, but
>> I've run into a simple problem I'm not sure how to solve. I don't
>> think it's really a Tynamo problem but an interaction between how
>> Shiro expects URLs to work and Tapestry case insensitive URLs. I was
>> working on a simple site with an admin account and an admin directory
>> so I added the following to the shiro.ini file:
>>
>> [urls]
>> /admin/** = authc, roles[administrator]
>>
>> The problem is if you go to /Admin the authentication is bypassed
>> because /admin != /Admin. I realize this is a feature but it does not
>> seem very desirable. I also realize I could annotate all my admin
>> pages and fix this but that's some amount of work and error prone. I
>> looked through the Shiro docs and I don't see any way to do a case
>> insensitive match. I thought I might be able to fix this with a
>> URLRewriter and map /Admin to /admin but that does not seem to work
>> either.
>>
>> Am I missing something? Is there any simple way to resolve this?
>>
>> Thanks
>> Barry
Re: Tynamo Security and Tapestry case insensitive paths
Sorry for being a bit late to the party. Thanks Barry for reporting and already proposing a patch. Yes, it really seems it's a feature of Shiro. I do find it a bit funny though (yes, I'm a Shiro committer but haven't been on board from the beginning) that it's the default behavior and that there's no configurable option to make it case insensitive even if this is never an issue if your resource urls are case sensitive. Regardless, Tapestry treating urls as case insensitive makes this a bug in tapestry-security. Lowercasing all urls repeatedly incurs a performance penalty, so I'll make this configurable (you may have url normalizers etc. running in front of Tapestry app). I'll open an issue against Shiro, but will have a fix for tapestry-security available sooner than that. The turn-around time for modifying and releasing tap-sec is quite a bit faster than for Shiro. And just a note on annotations vs url matching - I always suggest using both if you are serious about security.

Kalle

On Fri, Feb 4, 2011 at 4:32 AM, Barry Books wrote:
> First I'd like to say the Tynamo-Security/Shiro package is great, but
> I've run into a simple problem I'm not sure how to solve. I don't
> think it's really a Tynamo problem but an interaction between how
> Shiro expects URLs to work and Tapestry case insensitive URLs. I was
> working on a simple site with an admin account and an admin directory
> so I added the following to the shiro.ini file:
>
> [urls]
> /admin/** = authc, roles[administrator]
>
> The problem is if you go to /Admin the authentication is bypassed
> because /admin != /Admin. I realize this is a feature but it does not
> seem very desirable. I also realize I could annotate all my admin
> pages and fix this but that's some amount of work and error prone. I
> looked through the Shiro docs and I don't see any way to do a case
> insensitive match. I thought I might be able to fix this with a
> URLRewriter and map /Admin to /admin but that does not seem to work
> either.
>
> Am I missing something? Is there any simple way to resolve this?
>
> Thanks
> Barry
Re: Tynamo Security and Tapestry case insensitive paths
The problem is fixable in the Tynamo library so I filed a Jira and included a fix.

http://jira.codehaus.org/browse/TYNAMO-75
Re: Tynamo Security and Tapestry case insensitive paths
The fact that /aDmin, /Admin, /ADmin etc. all work is exactly the problem. That makes the whole url protection mechanism useless and, even worse, it's not obvious it's not going to work. I just followed the example and it seemed to work.

It's not really a big deal to add the annotations but in my case I've got more admin pages than non admin pages and if I forget one then that page is not protected. Plus one is compile time and the other is run time so I can't do something like

[urls]
/hibernate/** = authc, roles[developer]

without recompiling the hibernate code. Again I realize this is all a feature, but when all the features are combined the result does not seem so good.

From looking at the code it seems Shiro is using the ServletRequest to get the URL. That seems reasonable. Perhaps the solution is to create a TapestryIniShiroFilter and do a case insensitive match there.
Re: Tynamo Security and Tapestry case insensitive paths
Even if you map /Admin to /admin, wouldn't you also need to map /aDmin, /adMin, /admIn, /admiN, /ADmin, /aDMin, etc.?

Personally I just use the annotations, but I can see how that might be a bit difficult to retrofit into an application.

Mark

On Fri, Feb 4, 2011 at 6:32 AM, Barry Books wrote:
> First I'd like to say the Tynamo-Security/Shiro package is great, but
> I've run into a simple problem I'm not sure how to solve. I don't
> think it's really a Tynamo problem but an interaction between how
> Shiro expects URLs to work and Tapestry case insensitive URLs. I was
> working on a simple site with an admin account and an admin directory
> so I added the following to the shiro.ini file:
>
> [urls]
> /admin/** = authc, roles[administrator]
>
> The problem is if you go to /Admin the authentication is bypassed
> because /admin != /Admin. I realize this is a feature but it does not
> seem very desirable. I also realize I could annotate all my admin
> pages and fix this but that's some amount of work and error prone. I
> looked through the Shiro docs and I don't see any way to do a case
> insensitive match. I thought I might be able to fix this with a
> URLRewriter and map /Admin to /admin but that does not seem to work
> either.
>
> Am I missing something? Is there any simple way to resolve this?
>
> Thanks
> Barry
Tynamo Security and Tapestry case insensitive paths
First I'd like to say the Tynamo-Security/Shiro package is great, but I've run into a simple problem I'm not sure how to solve. I don't think it's really a Tynamo problem but an interaction between how Shiro expects URLs to work and Tapestry case insensitive URLs. I was working on a simple site with an admin account and an admin directory so I added the following to the shiro.ini file:

[urls]
/admin/** = authc, roles[administrator]

The problem is if you go to /Admin the authentication is bypassed because /admin != /Admin. I realize this is a feature but it does not seem very desirable. I also realize I could annotate all my admin pages and fix this but that's some amount of work and error prone. I looked through the Shiro docs and I don't see any way to do a case insensitive match. I thought I might be able to fix this with a URLRewriter and map /Admin to /admin but that does not seem to work either.

Am I missing something? Is there any simple way to resolve this?

Thanks
Barry