Ouch. This is a CRITICAL issue. I have a "normal" tapestry application (5.1.0.5) without additional security checks and I can download anything from my Web-Inf directory. Property files, class files, everything. Also the tml files are accessible from the outside world.
So the ResourceDigestGenerator obviously doesn't protect the class or tml files for me here. I am currently thinking of taking the web application down as there is no way of securing passwords in this setting. Is there a workaround?

Regards,
Markus

On Sat, Aug 15, 2009 at 5:54 AM, kartweel<r...@exemail.com.au> wrote:
>
> I thought the digest generator is meant to make a different digest for each
> file, but it seems to be for the whole app?, or is that nnnnnnnn bit
> something to do with app versioning for caching and what not and not the
> digest?. This whole thread has some ideas for a white list approach to files
> on the classpath, but I thought by now tapestry would have something out of
> the box rather than a custom solution for it... I'm having a look into the
> resourceDigestGenerator, but at the moment it isn't the highest thing on my
> list.
>
>
> Geoff Callender-2 wrote:
>>
>> Ouch, now I get it. WEB-INF and all its contents are in fact visible,
>> directly below yourapp/assets/ctx/nnnnnnnnnnnnnnnn/, and it's not hard
>> to find out the value of nnnnnnnnnnnnnnnn.
>>
>> Suggestions anyone?
>>
>
> --
> View this message in context:
> http://www.nabble.com/-T5--Security-of-files-in-the-classpath-tp11816097p24981387.html
> Sent from the Tapestry - User mailing list archive at Nabble.com.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
> For additional commands, e-mail: users-h...@tapestry.apache.org
>
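One defensive workaround for the exposure discussed in this thread, as an added example that is not code from the thread or from Tapestry itself: a servlet filter, mapped in web.xml ahead of the Tapestry filter, that refuses context-asset requests which reach into WEB-INF or fetch file types only the server should read. The class name, the handling of the /assets/ctx/ prefix and the blocked extension list are assumptions.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical guard filter (added example, not Tapestry's code); map it to /* before the Tapestry filter. */
public class ContextAssetGuardFilter implements Filter {
    // Prefix under which Tapestry 5.1 serves web-app context files; the digest segment follows it.
    private static final String CTX_ASSET_PREFIX = "/assets/ctx/";
    // Assumed list: file types that live in the context for the server, never for the browser.
    private static final Set<String> BLOCKED_EXTENSIONS =
            new HashSet<String>(Arrays.asList("class", "tml", "properties", "xml", "jsp", "jar"));

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // getRequestURI() is still percent-encoded, so we control the decoding below.
        String path = http.getRequestURI().substring(http.getContextPath().length());
        if (isContextAssetRequest(path) && !isSafeContextAsset(path)) {
            // 404 rather than 403: the response should not confirm that the file exists.
            ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, resp);
    }

    static boolean isContextAssetRequest(String path) {
        return path.toLowerCase(Locale.ROOT).startsWith(CTX_ASSET_PREFIX);
    }

    /** Decode once, then judge every path segment; anything doubtful is "not safe". */
    static boolean isSafeContextAsset(String rawPath) throws IOException {
        String decoded = URLDecoder.decode(rawPath, "UTF-8").replace('\\', '/');
        if (decoded.indexOf('%') >= 0 || decoded.indexOf('\0') >= 0) return false; // double-encoded or NUL
        String[] segments = decoded.split("/");
        for (String seg : segments) {
            String s = seg.toLowerCase(Locale.ROOT);
            if (s.equals("..") || s.equals("web-inf") || s.equals("meta-inf")) return false;
        }
        String last = segments.length == 0 ? "" : segments[segments.length - 1];
        int dot = last.lastIndexOf('.');
        String ext = dot < 0 ? "" : last.substring(dot + 1).toLowerCase(Locale.ROOT);
        return !BLOCKED_EXTENSIONS.contains(ext);
    }
}
```

The filter only narrows what the context-asset handler can hand out; secrets such as database passwords should still live outside the web-app directory so that no URL mapping can ever reach them.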