Why don't you use Ant style expressions? As Acegi? I think it could be clear enough for most people and if security projects use it to specify security bindings why shouldn't Tapestry use it?

Something like:

<configuration GloballySafeAssets>
 <asset path="/css/**/*" />
 <asset path="*.js" />
</configuration>

<configuration UnprotectedAssets>
 <unprotected-assets path="dojo/**/*" />
</configuration>

The nomenclature is not clear enough, IMO. I'd rather use ACCEPT / DENY and 
provide some good defaults.

<configuration AssetsSecurity>
 <accept path="*.js" />
 <deny ... />
</configuration>

... something like that.

--
Ing. Leonardo Quijano Vincenzi
DTQ Software


Jesse Kuhnert wrote:
That is precisely what I'm trying to avoid, having to explicitly list each
and every unprotected asset. For something like dojo this just isn't a
reasonable way of doing it.

Ideally I'd like to see a solution that disallows mucking around with paths
to get access to things, and also has intuitive defaults. Like making
.css/.js/.html files unprotected by default. I'm always a fan of more
complicated logic within the framework that allows the user to do as little
as possible to get up and running.

In that vein, maybe an easier solution would be 2 configuration points:

<configuration GloballySafeAssets>
<asset extension="css" />
<asset extension="js" />
<asset extension="html"  />
<asset extension="htm"  />
</configuration>

<configuration UnprotectedAssets>
<unprotected-assets path="/net/sf/tacos/ajax" />
</configuration>

This configuration would allow security logic to ensure proper paths AND
provide sensible defaults for unprotected resources, when people choose to
enable them.

Thoughts?

jesse
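
The two ideas in this thread (ACCEPT / DENY rules written as Ant-style paths, and refusing requests that play with the path) combined in one added Java sketch; it is not code from Tapestry, Acegi or either poster. The class name AssetRules, the first-match-wins order, the default of deny, the assumption that the container has already URL-decoded the path, and the sample paths are all assumptions made for the example (records need Java 16 or later).

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical asset filter: ordered ACCEPT/DENY rules, first match wins, no match means deny.
public class AssetRules {
    private record Rule(Pattern pattern, boolean accept) {}
    private final List<Rule> rules = new ArrayList<>();
    public AssetRules accept(String ant) { rules.add(new Rule(compile(ant), true)); return this; }
    public AssetRules deny(String ant) { rules.add(new Rule(compile(ant), false)); return this; }

    // Ant pattern to regex: "**/" spans zero or more directories, "*" and "?" never cross a "/".
    static Pattern compile(String ant) {
        StringBuilder re = new StringBuilder();
        for (int i = 0; i < ant.length(); i++) {
            if (ant.startsWith("**/", i)) { re.append("(?:[^/]+/)*"); i += 2; }
            else if (ant.startsWith("**", i)) { re.append(".*"); i += 1; }
            else if (ant.charAt(i) == '*') re.append("[^/]*");
            else if (ant.charAt(i) == '?') re.append("[^/]");
            else re.append(Pattern.quote(ant.substring(i, i + 1)));
        }
        return Pattern.compile(re.toString());
    }

    // Collapses "//" and "/./"; returns null for "..", backslashes, leftover "%" escapes or NUL,
    // so rules are only ever matched against a path that cannot climb out of its prefix.
    static String canonical(String path) {
        if (path == null || path.contains("\\") || path.contains("%") || path.indexOf('\0') >= 0) return null;
        StringBuilder out = new StringBuilder();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) return null;
            out.append('/').append(seg);
        }
        return out.length() == 0 ? null : out.toString();
    }

    public boolean isAllowed(String requestPath) {
        String path = canonical(requestPath);
        if (path == null) return false;
        for (Rule r : rules) if (r.pattern().matcher(path).matches()) return r.accept();
        return false; // nothing matched: deny by default
    }

    public static void main(String[] args) {
        AssetRules rules = new AssetRules().deny("/**/*.properties").accept("/css/**/*")
            .accept("/**/*.js").accept("/net/sf/tacos/ajax/**/*");
        for (String p : new String[] {"/css/site.css", "/css/themes/app.properties", "/dojo/src/io.js",
                "/net/sf/tacos/ajax/../../../../WEB-INF/web.xml", "/WEB-INF/web.xml"}) // constructed samples
            System.out.println((rules.isAllowed(p) ? "ACCEPT " : "DENY   ") + p);
    }
}
```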


