Yeah, it's starting to sound like that may be the case. I can always start it off accepting all normal html-ish resources by default, like css/js/images/etc..
Just trying to eliminate as many performance hits as possible. I'll have to re-think how I'm doing this. ..

On 12/27/05, Jesse Kuhnert <[EMAIL PROTECTED]> wrote:
>
> Fair enough, so is providing a default configuration like this
> acceptable?:
>
> <configuration foo>
> <protected-resource contains="*.class" />
> <protected-resource contains="hibernate.*" />
> </configuration>
>
> ?
> On 12/27/05, Leonardo Quijano Vincenzi <[EMAIL PROTECTED]> wrote:
> >
> > This can lead to awful security leaks where you write any kind of
> > dangerous resource in the classpath and it gets exposed by Tapestry.
> >
> > hibernate.cfg.xml and hibernate.properties come to mind as examples of
> > non class files which we don't want to get exposed!
> >
> > And they actually share extensions with possibly valid content
> > (especially the xml).
> > (And what if I want to share a class file as a web resource?)
> >
> > --
> > Ing. Leonardo Quijano Vincenzi
> > DTQ Software
> >
> > Jesse Kuhnert wrote:
> > > I'm re-working some form of security back into the AssetService but am
> > > having a real hard time justifying making the protected resources
> > > concept a configurable option.
> > >
> > > Specifically, all that I intend to do initially is protect all .class
> > > resources. It feels very inefficient to imagine iterating/looping/hash
> > > lookup of incoming string values to the configured resources. I'm
> > > thinking that maybe hard-coding (in some fashion) the .class extension
> > > logic may be a better choice until someone presents a scenario where
> > > they feel they need more?
> > >
> > > This wouldn't/shouldn't have any effect on sharing global resources
> > > and such, just trying to make the asset service as simple/streamlined
> > > as possible.
> > >
> > > Thoughts are definitely welcome.
> > >
> > > jesse
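
The trade-off discussed in this thread, as an added example that is not part of the original messages or Tapestry's own code: a deny list modelled on the proposed default (`*.class`, `hibernate.*`) beside a default allow list of web extensions, which costs one hash lookup per request. The class and method names, the reading of `contains` as a file-name suffix/prefix match, and the sample resource names are assumptions made for illustration.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Hypothetical helper for illustration; not Tapestry's AssetService API.
public class AssetPathFilter {

    // Default allow list: the "normal html-ish resources" from the thread.
    private static final Set<String> ALLOWED_EXTENSIONS =
            Set.of("css", "js", "gif", "jpg", "jpeg", "png");

    // Deny-list check modelled on the proposed default configuration
    // (*.class and hibernate.*), kept only for comparison.
    static boolean denyListAllows(String path) {
        String name = path.substring(path.lastIndexOf('/') + 1);
        return !name.endsWith(".class") && !name.startsWith("hibernate.");
    }

    // Allow-list check: one substring and one hash lookup per request.
    static boolean allowListAllows(String path) {
        if (path == null || path.contains("..") || path.indexOf('\\') >= 0) {
            return false; // refuse traversal-style paths outright
        }
        String name = path.substring(path.lastIndexOf('/') + 1);
        int dot = name.lastIndexOf('.');
        if (dot <= 0 || dot == name.length() - 1) {
            return false; // no extension, dot-file, or trailing dot
        }
        String ext = name.substring(dot + 1).toLowerCase(Locale.ROOT);
        return ALLOWED_EXTENSIONS.contains(ext);
    }

    public static void main(String[] args) {
        // Constructed sample classpath resource names.
        List<String> samples = List.of(
                "org/example/components/Form.js",
                "org/example/assets/style.css",
                "org/example/pages/Home.class",
                "hibernate.cfg.xml",
                "hibernate.properties",
                "database.properties",
                "META-INF/context.xml");
        for (String p : samples) {
            System.out.printf("%-34s deny-list=%-5b allow-list=%b%n",
                    p, denyListAllows(p), allowListAllows(p));
        }
    }
}
```

The deny list lets the constructed `database.properties` and `META-INF/context.xml` through because nothing names them, while the allow list refuses every extension it was not told to serve.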
