@Robert, thanks for releasing the 1.0.0 version. I added it, it seems to work OK, with a minor issue. I'm using 5.0.18, and when I try to access a resource that shouldn't be accessible, I get the following exception:

- org.apache.tapestry5.ioc.internal.OperationException
  Symbol 'tapestry.blackbird.path' is not defined.
  trace
  - Realizing service RegexAuthorizer
  - Invoking com.saiwaisolutions.tapestry.services.RegexAuthorizer(Collection) (at RegexAuthorizer.java:29) via com.saiwaisolutions.tapestry.services.AssetProtectionModule.bind(ServiceBinder) (at AssetProtectionModule.java:19)
  - Collecting unordered configuration for service RegexAuthorizer
  - Invoking method com.saiwaisolutions.tapestry.services.AssetProtectionModule.contributeRegexAuthorizer(Configuration, String, String, String) (at AssetProtectionModule.java:49).
  - Determining injection value for parameter #3 (java.lang.String)

It seems like 5.1 defines this symbol out of the box, while 5.0.18 doesn't. Adding the symbol addresses the issue.

NICE WORK !

Cheers,

Alex K

On Wed, Aug 26, 2009 at 1:55 PM, Robert Zeigler <robe...@scazdl.org> wrote:

> Try version 1.0.0, just released today. ;)
> See my comment on issue 815 for the maven url, artifact id, etc.
>
> In any event, there's a framework solution in place already... it's just
> that it's a blacklist-based solution instead of a whitelist-based solution.
> Although whitelist-based security tends to be more secure, blacklisting has
> its merits. For a webapp, for example, there's often a lot more that you
> want accessible than otherwise (all of your .png, .jpg, .jpeg, .gif, .js,
> .css files, for example). The solution I wrote allows for pattern-based
> whitelisting, but that can be dangerous: it's awfully easy to write a
> pattern that isn't as secure as you think it is. Anyway, just food for
> thought... you can contribute to the framework as is and have it immediately
> block access to dangerous resources for you. In fact, you could write a
> standalone module that does nothing other than contribute your blacklist
> preferences (eg: *.xml, *.class, etc.), then just add that module as a
> dependency for any new project.
>
> *shrug*
>
> Robert
>
>
> On Aug 26, 2009, at 8/26 1:21 AM, Alex Kotchnev wrote:
>
>> Christian,
>> you seem to indicate that there's an easy fix for this on the mailing
>> list; however, the last discussion there is from around 2007; the module
>> that Robert is referring to is out of date (e.g. referring to old package
>> names, etc). Any other tips on addressing this ?
>>
>> I'm completely taken aback by such a gaping security hole in the
>> framework. Considering that this issue has been known since 2007, I'm
>> completely blown away that the framework doesn't provide a solution in T5
>> (not in T5.1).
>>
>> Cheers,
>>
>> Alex K
>>
>> On Tue, Aug 25, 2009 at 8:44 AM, Christian Riedel
>> <christian-rie...@gmx.net> wrote:
>>
>>> FYI you should (all) be aware of TAP-815*! Your assets** are readable for
>>> everybody!
>>> It is certainly not as critical as in some pages named in this thread***
>>> but in general it could cause some bad reputation for T5.
>>>
>>> Apart from that I just can say: nice work! ;)
>>>
>>>
>>> *jira ticket:
>>> https://issues.apache.org/jira/browse/TAP5-815
>>>
>>> **example asset
>>> http://ping-service.appspot.com/assets/META-INF/persistence.xml
>>>
>>> ***
>>> http://www.nabble.com/-REQUEST--Live-T5-web-sites%2C-quotes%2C-marketting-ts23050433s302.html#a23054798
>>>
>>> easy workaround:
>>> http://www.nabble.com/-T5--Security-of-files-in-the-classpath-ts11816097s302.html#a11816097
>>>
>>>
>>> regards
>>> christian
>>>
>>>
>>> Dmitry Gusev schrieb:
>>>
>>>> FYI
>>>>
>>>> Here is the running t5 app: http://ping-service.appspot.com/
>>>>
>>>> It uses T5.0.18 + Spring 3.0.0M4/JPA + Google
>>>> Datastore/Mail/Cron/URLFetch/Google Accounts Security
>>>>
>>>> Works pretty well.
>>>>
>>>> I had to implement some hacks to develope with t5 on local dev server
>>>> (t5 error page refuse to work properly there by default, but works ok in
>>>> appengine cloud), here is the solution:
>>>>
>>>> http://dmitrygusev.blogspot.com/2009/08/turn-java-security-manager-off-in.html
>>>>
>>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
>>> For additional commands, e-mail: users-h...@tapestry.apache.org
>>>
>>>
>
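The whitelist-versus-blacklist trade-off Robert describes above, and his warning that a pattern-based whitelist is easy to get wrong, can be seen in a few lines of plain Java. The class below is an added illustration written for this page; it is not the RegexAuthorizer or AssetProtectionModule from the com.saiwaisolutions module discussed in the thread, and the class name, method names and sample patterns are all assumptions. It models the path component after `/assets/` (for example `META-INF/persistence.xml`, the asset Christian cites) and checks it against deny patterns first, then allow patterns, using whole-string matching.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added example: a minimal allow/deny authorizer for classpath asset paths.
// Written from scratch for illustration; NOT the RegexAuthorizer /
// AssetProtectionModule from the thread. All names here are assumptions.
public class AssetPathAuthorizer {

    private final List<Pattern> allow = new ArrayList<Pattern>();
    private final List<Pattern> deny = new ArrayList<Pattern>();

    public AssetPathAuthorizer(List<String> allowPatterns, List<String> denyPatterns) {
        for (String p : allowPatterns) allow.add(Pattern.compile(p));
        for (String p : denyPatterns) deny.add(Pattern.compile(p));
    }

    /** path is the part of the request after "/assets/", e.g. "META-INF/persistence.xml". */
    public boolean isAccessible(String path) {
        // Blacklist first: an explicitly denied path is refused no matter what the whitelist says.
        for (Pattern p : deny) {
            if (p.matcher(path).matches()) return false;
        }
        // Whitelist: when one is configured, the whole path must match one of its patterns.
        if (allow.isEmpty()) return true;
        for (Pattern p : allow) {
            if (p.matcher(path).matches()) return true;
        }
        return false;
    }

    // The pitfall Robert mentions: an unanchored substring check (Matcher.find)
    // accepts paths that a whole-string check (Matcher.matches) correctly rejects.
    public static boolean looseCheck(String pattern, String path) {
        return Pattern.compile(pattern).matcher(path).find();
    }

    public static void main(String[] args) {
        // Blacklist-style module: only lists what must never be served, everything else passes.
        AssetPathAuthorizer blacklistOnly = new AssetPathAuthorizer(
            Arrays.<String>asList(),
            Arrays.asList(".*\\.xml", ".*\\.class", "META-INF/.*"));
        System.out.println("images/logo.png          -> " + blacklistOnly.isAccessible("images/logo.png"));
        System.out.println("META-INF/persistence.xml -> " + blacklistOnly.isAccessible("META-INF/persistence.xml"));
        System.out.println("com/example/Foo.class    -> " + blacklistOnly.isAccessible("com/example/Foo.class"));

        // Whitelist-style: only the listed static file types are served.
        AssetPathAuthorizer whitelist = new AssetPathAuthorizer(
            Arrays.asList(".*\\.(png|jpe?g|gif|js|css)"),
            Arrays.<String>asList());
        System.out.println("images/logo.png          -> " + whitelist.isAccessible("images/logo.png"));
        System.out.println("META-INF/persistence.xml -> " + whitelist.isAccessible("META-INF/persistence.xml"));

        // Same intent ("only png"), two very different results depending on how the regex is applied.
        System.out.println("find()    \\.png vs logo.png.properties -> " + looseCheck("\\.png", "logo.png.properties"));
        System.out.println("matches() whitelist vs logo.png.properties -> " + whitelist.isAccessible("logo.png.properties"));
    }
}
```

Run with `javac AssetPathAuthorizer.java && java AssetPathAuthorizer`. The blacklist configuration refuses `META-INF/persistence.xml` and `Foo.class` while letting `logo.png` through, which is the "contribute your blacklist preferences and nothing else" module Robert sketches. The whitelist configuration refuses everything that is not one of the listed static types. The last two lines show why pattern whitelisting is dangerous: `\.png` checked with `find()` accepts `logo.png.properties`, because the pattern only needs to occur somewhere in the path, whereas the same whitelist checked with `matches()` rejects it. Anchoring patterns to the whole path (or using `matches()` rather than `find()`) is the check a practitioner should insist on when reviewing such a configuration.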