Hi Marcelo,
AssetProtectionDispatcher is functioning correctly. Its intended purpose is to protect "asset" files, which are typically on the classpath.
Tapestry passes control for static files directly to the servlet container, and AssetProtectionDispatcher also ignores URLs that don't have the asset prefix. With a bit of work, though, I could probably switch from using a Dispatcher to a RequestFilter, contributed before tapestry's default filter, and achieve the same result. If there's sufficient interest in a solution based around a RequestFilter, I'll consider rewriting the protection around said scheme.
Cheers,
Robert
On Dec 7, 2007, at 6:59 AM, Marcelo Lotif wrote:
Robert,
I pretty much understand what your component does, but some things are not really clear for me.
I created a new 5.0.5 project called "testBlock" to test your component.
When I put the dependency on pom.xml, it blocks the access to the "testBlock/assets/" URL. Alright, but if I put a file "file.xyz" in src/main/webapp (same path as favicon.ico, for example) I still can access this file by the URL "testBlock/file.xyz", as well as I can access the favicon.ico. If I create a directory called "xyz" in src/main/webapp and put the "file.xyz" inside it, I still can access this file by the URL "testBlock/xyz/file.xyz", and if I type "testBlock/xyz" I will have the list of files inside that path, which is worse.
My question is: is this the right behavior? Should it authorize these paths or block everything (since it is based on a white-list mechanism)? Am I doing something wrong or unexpected creating a directory under src/main/webapp?
Thanks for the attention!
2007/11/28, Robert Zeigler <[EMAIL PROTECTED]>:
Something seems to be missing. :)
Maybe the module isn't being properly auto-loaded?
Ah... another possibility is tapestry version... what version of tapestry are you using? At the moment, I'm still on 5.0.5 (hope to switch to 5.0.6 sometime in the near future).
Robert
On Nov 28, 2007, at 10:58 AM, Marcelo Lotif wrote:
OK, looks like I made it wrong.
In a previous thread, you said that this component requires "zero configuration", so I just put a dependency on my pom.xml, but it's still just like before (i.e. I still can access, let's say, a 'file.xyz' inside my app).
Am I missing something?
2007/11/28, Robert Zeigler <[EMAIL PROTECTED]>:
The dispatcher, itself, blocks nothing.
It delegates to the authorizers. The last authorizer in the chain is a whitelist, which whitelists each of the (known) tapestry assets. I would be curious to know what resources you were able to access.
Robert
On Nov 28, 2007, at 9:31 AM, Marcelo Lotif wrote:
Hi Robert,
I tried this component here, but many things are still available. What specifically does this dispatcher block by default?
2007/11/27, Robert Zeigler <[EMAIL PROTECTED]>:
Hi All,
I've updated AssetProtectionDispatcher both in Tassel (http://www.tapestrycomponents.org) and in the maven repo mentioned in the AssetProtectionDispatcher "notes" on Tassel. Current version is now 0.0.3.
The new version includes updated default entries to the WhitelistAuthorizer to handle some tapestry assets that weren't properly handled before. It also includes a new RegexAuthorizer that takes an ordered list of regular expressions (as strings; yes, the service will pre-compile them to patterns) to match against. If a resource matches a provided regex, access to the asset is allowed. Otherwise, authorization falls through to the whitelist authorizer.
The default configuration contains NO contributions to the regex authorizer at the moment. For most projects, a contribution along the lines of:

    // in your application's Tapestry IoC module class (e.g. AppModule)
    public static void contributeRegexAuthorizer(Configuration<String> conf) {
        // each entry is a regex given as a String; the service compiles it to a Pattern
        conf.add("^.*\\.png$");
        conf.add("^.*\\.jpg$");
        conf.add("^.*\\.jpeg$");
        conf.add("^.*\\.js$");
        conf.add("^.*\\.css$");
    }

is probably prudent.
Cheers,
Robert
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
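To make the chain concrete, here is a stand-alone model, added here as an illustration and not code from AssetProtectionDispatcher or Tapestry, of the behaviour described in Robert's messages: an ordered-regex authorizer that allows on a match and otherwise falls through to a final whitelist, plus a dispatcher that only inspects URLs carrying the asset prefix (which is why files served directly from src/main/webapp never reach it). The Authorizer interface, the class names, the "/assets/" prefix handling and the whitelist entry are assumptions for this example.

```java
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

// Model of the authorizer chain described in the thread; not the component's own classes.
public class AssetAuthorizerChainDemo {
    // Assumed interface: true = allow, false = deny, null = no opinion (fall through).
    interface Authorizer { Boolean authorize(String assetPath); }

    // Ordered regexes, compiled once up front; the first match allows the asset.
    static class RegexAuthorizer implements Authorizer {
        private final Pattern[] patterns;
        RegexAuthorizer(List<String> regexes) {
            patterns = regexes.stream().map(Pattern::compile).toArray(Pattern[]::new);
        }
        public Boolean authorize(String assetPath) {
            for (Pattern p : patterns) if (p.matcher(assetPath).matches()) return true;
            return null; // no match: let the next authorizer decide
        }
    }

    // Last in the chain: exact allow-list of known framework assets; anything else is denied.
    static class WhitelistAuthorizer implements Authorizer {
        private final Set<String> allowed;
        WhitelistAuthorizer(Set<String> allowed) { this.allowed = allowed; }
        public Boolean authorize(String assetPath) { return allowed.contains(assetPath); }
    }
    static final String ASSET_PREFIX = "/assets/";

    // Only asset-prefixed URLs are inspected; anything else is left to the servlet container,
    // which is why a plain file under src/main/webapp never reaches this chain.
    static boolean dispatcherAllows(List<Authorizer> chain, String url) {
        if (!url.startsWith(ASSET_PREFIX)) return true;
        String assetPath = url.substring(ASSET_PREFIX.length());
        for (Authorizer a : chain) {
            Boolean decision = a.authorize(assetPath);
            if (decision != null) return decision;
        }
        return false; // chain exhausted without a decision: deny
    }

    public static void main(String[] args) {
        List<Authorizer> chain = List.of(
            new RegexAuthorizer(List.of("^.*\\.png$", "^.*\\.css$")),
            new WhitelistAuthorizer(Set.of("tapestry/tapestry.js"))); // constructed sample entry
        for (String url : List.of("/assets/org/example/logo.png", "/assets/tapestry/tapestry.js",
                                  "/assets/org/example/Secret.class", "/xyz/file.xyz"))
            System.out.println(url + " -> " + (dispatcherAllows(chain, url) ? "allowed" : "blocked"));
    }
}
```

On Java 11 or later this runs as a single file with `java AssetAuthorizerChainDemo.java`; note that the last URL is reported as allowed only because the dispatcher never looks at it, the container decides what happens there.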
--
Atenciosamente,
Marcelo Lotif