Hi guys, sorry to pull up an old thread, but there doesn't seem to be a lot about this topic. Was there ever a nice solution implemented for this? Two years of Tapestry framework development later and I can still download all my class files. I've restricted assets to "authenticated users" using a method like below, but I thought by now we wouldn't need to be adding custom solutions to manage this and it would be part of the core project?
Robert Zeigler wrote:
>
> I don't plan on changing the default configuration from whitelist to
> blacklist... it's the fallback.
> I'm a fan of "deny unless explicitly authorized", as well. The
> AssetProtectionDispatcher takes an ordered configuration of
> AssetPathAuthorizer's, with the default whitelist implementation
> being the "catch all" final authorizer in what amounts to a chain of
> command. So you can certainly contribute your own implementations of
> authorizer on top of the default. Having a pattern matching
> whitelist would certainly be useful; I'm in a time crunch at the
> moment (and basically will be until the end of August),
> but in the beginning of September, I will rework the default
> WhitelistAuthorizer to accept url patterns.
>
> Robert
>
> On Aug 3, 2007, at 8:38:27 AM, Thiago H de Paula Figueiredo wrote:
>
>> On Fri, 03 Aug 2007 10:03:37 -0300, Francois Armand
>> <farm...@linagora.com> wrote:
>>
>>> Thiago H de Paula Figueiredo wrote:
>>>> Would a black list instead of a white list be better? I suppose there
>>>> are fewer files to hide than files to allow access to.
>>> Well, I think that one of the best principles in security is
>>> "explicit authorization": you just do not want a
>>> confidential file to be accessible by error, because a user forgot to
>>> hide it.
>>
>> That's a very good point. ;)
>>
>>> But I agree that the white list should authorize jokers to enable
>>> "*.jpg" kind of filter (and if you name your confidential file
>>> "picture_of_my_secret_weapon.jpg", well, too bad for you ;)
>>
>> Maybe we could allow any .jpg, .gif, .jpg and .css file by default
>> and explicitly whitelist the rest.
>> And no, I don't want to see the picture of your secret weapon,
>> whatever it is. :P
>>
>> Thiago
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
>> For additional commands, e-mail: users-h...@tapestry.apache.org

--
View this message in context: http://www.nabble.com/-T5--Security-of-files-in-the-classpath-tp11816097p24965558.html
Sent from the Tapestry - User mailing list archive at Nabble.com.
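The chain-of-command design Robert describes above (an ordered list of authorizers, a pattern-matching whitelist, and a "deny unless explicitly authorized" catch-all at the end) can be written out in a few dozen lines. The following is an added example for this thread, not Tapestry's own code and not its AssetPathAuthorizer API: every class and method name here is hypothetical, the glob syntax is my own, and the request paths and the example chain are constructed for illustration. It also shows the caveat Francois and Thiago raise: a whitelist glob like `*.jpg` happily allows `picture_of_my_secret_weapon.jpg`, so explicit denies are consulted before the whitelist.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Hypothetical chain-of-command asset path authorizer (added example, not Tapestry code).
 * Authorizers are consulted in order; the first one with an opinion wins; if none has an
 * opinion the request is denied, which is the "catch all" fallback the thread describes.
 */
public class AssetAuthorizationChain {

    /** Outcome of one authorizer; ABSTAIN hands the decision to the next link. */
    public enum Decision { ALLOW, DENY, ABSTAIN }

    /** One link in the chain. */
    public interface PathAuthorizer {
        Decision check(String assetPath);
    }

    /**
     * Converts a glob to a regex: '*' matches within one path segment,
     * '**' crosses segment boundaries, '?' matches a single character.
     */
    static Pattern globToRegex(String glob) {
        StringBuilder sb = new StringBuilder("^");
        for (int i = 0; i < glob.length(); i++) {
            char c = glob.charAt(i);
            if (c == '*') {
                if (i + 1 < glob.length() && glob.charAt(i + 1) == '*') {
                    sb.append(".*");
                    i++;
                } else {
                    sb.append("[^/]*");
                }
            } else if (c == '?') {
                sb.append("[^/]");
            } else {
                sb.append(Pattern.quote(String.valueOf(c)));
            }
        }
        return Pattern.compile(sb.append('$').toString());
    }

    /** A glob list that returns a fixed verdict on match and abstains otherwise. */
    public static final class GlobAuthorizer implements PathAuthorizer {
        private final Decision onMatch;
        private final List<Pattern> patterns = new ArrayList<>();

        public GlobAuthorizer(Decision onMatch, String... globs) {
            this.onMatch = onMatch;
            for (String g : globs) patterns.add(globToRegex(g));
        }

        @Override
        public Decision check(String assetPath) {
            for (Pattern p : patterns) {
                if (p.matcher(assetPath).matches()) return onMatch;
            }
            return Decision.ABSTAIN;
        }
    }

    private final List<PathAuthorizer> chain = new ArrayList<>();

    public AssetAuthorizationChain add(PathAuthorizer authorizer) {
        chain.add(authorizer);
        return this;
    }

    /** Deny unless some link explicitly allows; traversal segments never reach the chain. */
    public boolean isAllowed(String assetPath) {
        String path = assetPath.startsWith("/") ? assetPath.substring(1) : assetPath;
        for (String segment : path.split("/")) {
            if (segment.isEmpty() || segment.equals("..") || segment.equals(".")) return false;
        }
        for (PathAuthorizer authorizer : chain) {
            Decision d = authorizer.check(path);
            if (d != Decision.ABSTAIN) return d == Decision.ALLOW;
        }
        return false; // nobody had an opinion: the final answer is deny
    }

    public static void main(String[] args) {
        AssetAuthorizationChain chain = new AssetAuthorizationChain()
            // explicit denies first, so a broad whitelist glob cannot override them
            .add(new GlobAuthorizer(Decision.DENY, "**.class", "**.properties", "**.tml"))
            // then the pattern whitelist for ordinary static resources
            .add(new GlobAuthorizer(Decision.ALLOW, "**.jpg", "**.gif", "**.png", "**.css", "**.js"));

        String[] requests = {                              // constructed sample requests
            "org/example/pages/Index.class",               // denied by the deny list
            "org/example/pages/logo.png",                  // allowed by the whitelist
            "org/example/pages/Index.tml",                 // denied by the deny list
            "org/example/export/customers.csv",            // nobody listed it: default deny
            "org/example/../../WEB-INF/web.xml",           // traversal: rejected before the chain
            "org/example/picture_of_my_secret_weapon.jpg"  // the thread's caveat: *.jpg allows it
        };
        for (String r : requests) {
            System.out.println((chain.isAllowed(r) ? "ALLOW " : "DENY  ") + r);
        }
    }
}
```

The order of links is the whole point: an explicit deny list sits in front of the whitelist so that a convenient `**.jpg` rule cannot be used to override a decision someone made deliberately, and anything neither list mentions (the CSV export above) falls through to the default deny rather than being served because nobody remembered to hide it.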