> Everyone is invited to contribute to the solution by posting all the ways we can have access to assets that shouldn't be available. ;)

@Thiago How about allowing absolutely nothing from the classpath/WEB-INF initially? Directory listing should also be disabled. When a page or component comes along that explicitly asks for an asset, then whitelist that asset before the markup is sent back to the browser. Then you put developers in control over what gets whitelisted.

@Dmitry Sorry for hijacking your thread like this. Tapestry on GAE looks very interesting to me. I was wondering how long it takes for the first page to render after the application has just been deployed/suspended. If I'm not mistaken, GAE will have cleaned up your instance if it isn't being used much and will have to restart the application. Applications made up of servlets and JSPs will be running very quickly, but I guess a framework like Tapestry that has to initialize a lot of services might take a bit longer?

Regards,
Onno
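A sketch of the default-deny asset gate proposed in the message above, added here as an example and not taken from Tapestry or from any poster in this thread. The class `AssetAllowlist`, its methods and the sample paths are hypothetical and constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/** Default-deny asset gate: nothing is servable until a render registers it. */
public final class AssetAllowlist {
    private final Set<String> allowed = ConcurrentHashMap.newKeySet();

    /** Canonical form of an asset path, or null if it must never be served. */
    static String canonical(String path) {
        if (path == null || path.endsWith("/")) return null; // directory request
        List<String> parts = new ArrayList<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            // Refuse traversal and encoded or unusual segments instead of resolving them.
            if (seg.equals("..") || seg.contains("\\") || seg.contains("%")
                    || seg.indexOf('\0') >= 0) return null;
            parts.add(seg);
        }
        return parts.isEmpty() ? null : String.join("/", parts);
    }

    /** Called while rendering, when a page or component explicitly asks for an asset. */
    public void register(String path) {
        String p = canonical(path);
        if (p == null) throw new IllegalArgumentException("not a servable asset path");
        allowed.add(p);
    }

    /** Called by the asset request handler before any classpath/WEB-INF lookup. */
    public boolean isServable(String requestPath) {
        String p = canonical(requestPath);
        return p != null && allowed.contains(p);
    }

    public static void main(String[] args) {
        AssetAllowlist gate = new AssetAllowlist();
        gate.register("com/example/components/layout.css"); // constructed sample path
        String[] requests = {                                // constructed sample requests
            "com/example/components/layout.css",
            "com/example/pages/Index.class",
            "WEB-INF/web.xml",
            "com/example/components/",
            "com/example/components/../pages/Index.tml",
        };
        for (String r : requests) {
            System.out.println(r + " -> " + (gate.isServable(r) ? "serve" : "deny"));
        }
    }
}
```

The set lives in memory, so after an instance restart of the kind the GAE question describes, an asset URL is denied until a page that references it has rendered again.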