> Everyone is invited to contribute to the solution by posting all the ways
> we can have access to assets that shouldn't be available. ;)

@Thiago
How about allowing absolutely nothing from the classpath/WEB-INF initially?
Directory listing should also be disabled.
When a page or component comes along that explicitly asks for an asset, then
whitelist that asset before the markup is sent back to the browser. Then you
put developers in control over what gets whitelisted.


@Dmitry
Sorry for hijacking your thread like this. Tapestry on GAE looks very
interesting to me.
I was wondering how long it takes for the first page to render after the
application has just been deployed/suspended. If I'm not mistaken, GAE will
have cleaned up your instance if it isn't being used much and will have to
restart the application.
Applications made up of servlets and JSPs will be running very quickly, but
I guess a framework like Tapestry that has to initialize a lot of services
might take a bit longer?


regards,

Onno
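
The deny-by-default idea proposed in this message, sketched as an added example that is not part of the original email and not Tapestry's own code. `AssetWhitelist`, `register`, `isServable` and the sample paths are hypothetical, and request paths are assumed to be already URL-decoded by the container.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical helper for illustration only; not a Tapestry API.
public final class AssetWhitelist {
    // Starts empty: nothing from the classpath or WEB-INF is servable.
    private final Set<String> allowed = ConcurrentHashMap.newKeySet();

    /** Called while a page or component renders, before markup is sent. */
    public String register(String assetPath) {
        String p = normalize(assetPath);
        if (p == null) throw new IllegalArgumentException("not a file path: " + assetPath);
        allowed.add(p);
        return p;
    }

    /** Called by the asset request handler; false means answer 404. */
    public boolean isServable(String requestPath) {
        String p = normalize(requestPath);
        return p != null && allowed.contains(p);
    }

    // Accept only absolute file paths in canonical form. Directory requests,
    // "." and ".." segments, empty segments, backslashes and NUL bytes are
    // rejected rather than resolved, so a lookup is always an exact match.
    static String normalize(String path) {
        if (path == null || !path.startsWith("/") || path.endsWith("/")) return null;
        if (path.indexOf('\\') >= 0 || path.indexOf('\0') >= 0) return null;
        for (String seg : path.substring(1).split("/", -1)) {
            if (seg.isEmpty() || seg.equals(".") || seg.equals("..")) return null;
        }
        return path;
    }

    public static void main(String[] args) {
        AssetWhitelist wl = new AssetWhitelist();
        // Constructed sample paths. Before any page renders, nothing is servable.
        System.out.println(wl.isServable("/WEB-INF/web.xml"));
        // A page explicitly asks for its stylesheet during render.
        wl.register("/com/example/pages/Index.css");
        System.out.println(wl.isServable("/com/example/pages/Index.css"));
        // A sibling file, a directory and a traversal attempt stay blocked.
        System.out.println(wl.isServable("/com/example/pages/Index.class"));
        System.out.println(wl.isServable("/com/example/pages/"));
        System.out.println(wl.isServable("/com/example/pages/Index.css/../Index.class"));
    }
}
```

Because this set lives in memory, it is empty again after a restart and is not shared between instances, so an asset URL from a previously rendered page is refused until some page on that instance registers it again.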
