I don't understand why I should have to configure this. I have another Tapestry 5.0.18 application which does not have this behaviour.
I have made the following contribution:

    public static void contributeResourceDigestGenerator(Configuration<String> configuration) {
        configuration.add("class");
        configuration.add("tml");
        configuration.add("xml");
    }

Which seems to secure the correct files in:

http://127.0.0.1:8080/assets/

But if accessed via the following URL (extracted from page source)

http://127.0.0.1:8080/assets/ctx/349b8e82ab9a007b/

I can still access whatever I please, .tml files etc.

So in other words, the whole world can see the structure of the application and have a look at the template source code.

Why is this happening?

Any help is much appreciated.

Regards,
Daniel


王刚-4 wrote:
>
> You should configure the servlet container. Java Web Security is a standard
> part of the J2EE/JEE specification. There should be many resources on the
> internet on that topic.
>
> On Tue, Jul 21, 2009 at 9:30 AM, Daniel Jones <d...@murieston.com> wrote:
>
>>
>> Hi Howard,
>>
>> Thanks for the reply. How do I do that, is this Tapestry specific or do I
>> need to configure the servlet container (Jetty in my case).
>>
>> Regards,
>> Daniel
>>
>>
>> Howard Lewis Ship wrote:
>> >
>> > You can mark them as protected resources that require a CRC query
>> > parameter to access.
>> >
>> > You are right, .tml files should be protected in this way, as should
>> > hibernate XML files.
>> >
>> > On Mon, Jul 20, 2009 at 6:13 PM, Daniel Jones<d...@murieston.com> wrote:
>> >>
>> >> Hello,
>> >>
>> >> OK, so here is my problem.
>> >>
>> >> In my page template:
>> >> ${asset:context:assets/images/layout/add.png}
>> >>
>> >> Tapestry generated URL to asset.
>> >>
>> >> http://127.0.0.1:8080/assets/ctx/c69b95ec1fef872d/assets/images/layout/add.png
>> >>
>> >> If I point my browser at:
>> >>
>> >> http://127.0.0.1:8080/assets/ctx/c69b95ec1fef872d/
>> >>
>> >> I get a directory listing including my .tml files, I can download these in
>> >> their raw form.
>> >> If I point my browser at http://127.0.0.1:8080/assets/ I
>> >> get a directory listing again, this time even more worrying as it contains
>> >> my hibernate.cfg.xml which can be downloaded exposing the database username
>> >> and password.
>> >>
>> >> How do I fix this? I used the Maven archetype to build the project so the
>> >> layout looks normal when compared with
>> >> http://tapestry.apache.org/tapestry5/guide/project-layout.html
>> >>
>> >> What am I doing wrong?
>> >>
>> >> Any help is much appreciated.
>> >>
>> >> Regards,
>> >> Daniel
>> >> --
>> >> View this message in context:
>> >> http://www.nabble.com/T5---Configuration-and-.tml-Files-are-Exposed-By-Tapestry.-tp24580195p24580195.html
>> >> Sent from the Tapestry - User mailing list archive at Nabble.com.
>> >>
>> >> ---------------------------------------------------------------------
>> >> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
>> >> For additional commands, e-mail: users-h...@tapestry.apache.org
>> >>
>> >
>> > --
>> > Howard M. Lewis Ship
>> >
>> > Creator of Apache Tapestry
>> > Director of Open Source Technology at Formos
>> >
>>
>> --
>> View this message in context:
>> http://www.nabble.com/T5---Configuration-and-.tml-Files-are-Exposed-By-Tapestry.-tp24580195p24580323.html
>> Sent from the Tapestry - User mailing list archive at Nabble.com.
>>

--
View this message in context:
http://www.nabble.com/T5---Configuration-and-.tml-Files-are-Exposed-By-Tapestry.-tp24580195p24580961.html
Sent from the Tapestry - User mailing list archive at Nabble.com.
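
The servlet-container approach suggested in the quoted reply, as an added example that is not part of the original thread: a WEB-INF/web.xml fragment using the standard Servlet security-constraint element, with extension patterns mirroring the three in the contribution above. That the container applies these constraints to the /assets/ URLs before the Tapestry filter handles them is an assumption to verify on the deployment.

```xml
<!-- Added example: fragment for WEB-INF/web.xml, placed inside <web-app>. -->
<!-- Assumption: the servlet container evaluates security constraints on
     /assets/... URLs before the request reaches the Tapestry filter. -->
<security-constraint>
  <display-name>Deny direct download of templates and configuration</display-name>
  <web-resource-collection>
    <web-resource-name>Server-side source files</web-resource-name>
    <!-- Extension patterns match on the end of the request path, so they
         cover both /assets/... and /assets/ctx/<version>/... URLs. -->
    <url-pattern>*.tml</url-pattern>
    <url-pattern>*.xml</url-pattern>
    <url-pattern>*.class</url-pattern>
    <!-- No <http-method> elements: the constraint applies to every method. -->
  </web-resource-collection>
  <!-- An empty auth-constraint names no role, so no caller is authorized. -->
  <auth-constraint/>
</security-constraint>
```

This does not turn off the directory listings themselves, and the *.xml pattern also blocks any XML document the application is meant to serve at a URL ending in .xml.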