@Robert,
thanks for releasing the 1.0.0 version. I added it, it seems to work OK,
with a minor issue. I'm using 5.0.18, and when I try to access a resource
that shouldn't be accessible, I get the following exception:
- org.apache.tapestry5.ioc.internal.OperationExceptionSymbol
'tapestry.blackbird.path' is not defined.
trace
- Realizing service RegexAuthorizer
- Invoking
com.saiwaisolutions.tapestry.services.RegexAuthorizer(Collection) (at
RegexAuthorizer.java:29) via
com.saiwaisolutions.tapestry.services.AssetProtectionModule.bind(ServiceBinder)
(at AssetProtectionModule.java:19)
- Collecting unordered configuration for service RegexAuthorizer
- Invoking method
com.saiwaisolutions.tapestry.services.AssetProtectionModule.contributeRegexAuthorizer(Configuration,
String, String, String) (at AssetProtectionModule.java:49).
- Determining injection value for parameter #3 (java.lang.String)
-
It seems like 5.1 defines this symbol out of the box, while 5.0.18
doesn't. Adding the symbol addresses the issue
NICE WORK !
Cheers,
Alex K
On Wed, Aug 26, 2009 at 1:55 PM, Robert Zeigler <robe...@scazdl.org> wrote:
> Try version 1.0.0, just released today. ;)
> See my comment on issue 815 for the maven url, artifact id, etc.
>
> In any event, there's a framework solution in place already... it's just
> that it's a blacklist-based solution instead of a whitelist-based solution.
> Although whitelist-based security tends to be more secure, blacklisting has
> its merits. For a webapp, for example, there's often a lot more that you
> want accessible than otherwise (all of your .png, .jpg, .jpeg, .gif, .js,
> .css files, for example). The solution I wrote allows for pattern-based
> whitelisting, but that can be dangerous: it's awfully easy to write a
> pattern that isn't as secure as you think it is. Anyway, just food for
> thought... you can contribute to the framework as is and have it immediately
> block access to dangerous resources for you. In fact, you could write a
> standalone module that does nothing other than contribute your blacklist
> preferences (eg: *.xml, *.class, etc.), then just add that module as a
> dependency for any new project. *shrug*
>
> Robert
>
>
> On Aug 26, 2009, at 8/261:21 AM , Alex Kotchnev wrote:
>
> Christian,
>> you seem to indicate that there's an easy fix for this on the mailing
>> list; however, the last discussion there is from around 2007; the module
>> that Robert is referring to is out of date (e.g. referring to old package
>> names, etc). Any other tips on addressing this ?
>>
>> I'm completely taken aback by such a gaping security hole in the
>> framework. Considering that this issue has been known since 2007, I'm
>> completely blown away that the framework doesn't provide a solution in T5
>> (not in T5.1).
>>
>> Cheers,
>>
>> Alex K
>>
>> On Tue, Aug 25, 2009 at 8:44 AM, Christian Riedel
>> <christian-rie...@gmx.net>wrote:
>>
>> FYI you should (all) be aware of TAP-815*! Your assets** are readable for
>>> everybody!
>>> It is certainly not as critical as in some pages named in this thread***
>>> but in general it could cause some bad reputation for T5.
>>>
>>> Apart from that I just can say: nice work! ;)
>>>
>>>
>>> *jira ticket:
>>> https://issues.apache.org/jira/browse/TAP5-815
>>>
>>> **example asset
>>> http://ping-service.appspot.com/assets/META-INF/persistence.xml
>>>
>>> ***
>>>
>>>
>>> http://www.nabble.com/-REQUEST--Live-T5-web-sites%2C-quotes%2C-marketting-ts23050433s302.html#a23054798
>>>
>>> easy workaround:
>>>
>>>
>>> http://www.nabble.com/-T5--Security-of-files-in-the-classpath-ts11816097s302.html#a11816097
>>>
>>>
>>> regards
>>> christian
>>>
>>>
>>> Dmitry Gusev schrieb:
>>>
>>> FYI
>>>
>>>>
>>>> Here is the running t5 app: http://ping-service.appspot.com/
>>>>
>>>> It uses T5.0.18 + Spring 3.0.0M4/JPA + Google
>>>> Datastore/Mail/Cron/URLFetch/Google Accounts Security
>>>>
>>>> Works pretty well.
>>>>
>>>> I had to implement some hacks to develope with t5 on local dev server
>>>> (t5
>>>> error page refuse to work properly there by default, but works ok in
>>>> appengine cloud), here is the solution:
>>>>
>>>>
>>>>
>>>> http://dmitrygusev.blogspot.com/2009/08/turn-java-security-manager-off-in.html
>>>>
>>>>
>>>>
>>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
>>> For additional commands, e-mail: users-h...@tapestry.apache.org
>>>
>>>
>>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
> For additional commands, e-mail: users-h...@tapestry.apache.org
>
>
