Ah, right... blackbird was introduced in 5.1.
I could probably check for the symbol in the module and provide it if
it doesn't otherwise exist.
Robert
On Aug 27, 2009, at 8/2712:44 AM , Alex Kotchnev wrote:
@Robert,
thanks for releasing the 1.0.0 version. I added it, it seems to
work OK,
with a minor issue. I'm using 5.0.18, and when I try to access a
resource
that shouldn't be accessible, I get the following exception:
- org.apache.tapestry5.ioc.internal.OperationExceptionSymbol
'tapestry.blackbird.path' is not defined.
trace
- Realizing service RegexAuthorizer
- Invoking
com.saiwaisolutions.tapestry.services.RegexAuthorizer(Collection) (at
RegexAuthorizer.java:29) via
com
.saiwaisolutions
.tapestry.services.AssetProtectionModule.bind(ServiceBinder)
(at AssetProtectionModule.java:19)
- Collecting unordered configuration for service RegexAuthorizer
- Invoking method
com
.saiwaisolutions
.tapestry
.services
.AssetProtectionModule.contributeRegexAuthorizer(Configuration,
String, String, String) (at AssetProtectionModule.java:49).
- Determining injection value for parameter #3 (java.lang.String)
-
It seems like 5.1 defines this symbol out of the box, while 5.0.18
doesn't. Adding the symbol addresses the issue
NICE WORK !
Cheers,
Alex K
On Wed, Aug 26, 2009 at 1:55 PM, Robert Zeigler <robe...@scazdl.org>
wrote:
Try version 1.0.0, just released today. ;)
See my comment on issue 815 for the maven url, artifact id, etc.
In any event, there's a framework solution in place already... it's
just
that it's a blacklist-based solution instead of a whitelist-based
solution.
Although whitelist-based security tends to be more secure,
blacklisting has
its merits. For a webapp, for example, there's often a lot more
that you
want accessible than otherwise (all of
your .png, .jpg, .jpeg, .gif, .js,
.css files, for example). The solution I wrote allows for pattern-
based
whitelisting, but that can be dangerous: it's awfully easy to write a
pattern that isn't as secure as you think it is. Anyway, just food
for
thought... you can contribute to the framework as is and have it
immediately
block access to dangerous resources for you. In fact, you could
write a
standalone module that does nothing other than contribute your
blacklist
preferences (eg: *.xml, *.class, etc.), then just add that module
as a
dependency for any new project. *shrug*
Robert
On Aug 26, 2009, at 8/261:21 AM , Alex Kotchnev wrote:
Christian,
you seem to indicate that there's an easy fix for this on the
mailing
list; however, the last discussion there is from around 2007; the
module
that Robert is referring to is out of date (e.g. referring to old
package
names, etc). Any other tips on addressing this ?
I'm completely taken aback by such a gaping security hole in the
framework. Considering that this issue has been known since 2007,
I'm
completely blown away that the framework doesn't provide a
solution in T5
(not in T5.1).
Cheers,
Alex K
On Tue, Aug 25, 2009 at 8:44 AM, Christian Riedel
<christian-rie...@gmx.net>wrote:
FYI you should (all) be aware of TAP-815*! Your assets** are
readable for
everybody!
It is certainly not as critical as in some pages named in this
thread***
but in general it could cause some bad reputation for T5.
Apart from that I just can say: nice work! ;)
*jira ticket:
https://issues.apache.org/jira/browse/TAP5-815
**example asset
http://ping-service.appspot.com/assets/META-INF/persistence.xml
***
http://www.nabble.com/-REQUEST--Live-T5-web-sites%2C-quotes%2C-marketting-ts23050433s302.html#a23054798
easy workaround:
http://www.nabble.com/-T5--Security-of-files-in-the-classpath-ts11816097s302.html#a11816097
regards
christian
Dmitry Gusev schrieb:
FYI
Here is the running t5 app: http://ping-service.appspot.com/
It uses T5.0.18 + Spring 3.0.0M4/JPA + Google
Datastore/Mail/Cron/URLFetch/Google Accounts Security
Works pretty well.
I had to implement some hacks to develope with t5 on local dev
server
(t5
error page refuse to work properly there by default, but works
ok in
appengine cloud), here is the solution:
http://dmitrygusev.blogspot.com/2009/08/turn-java-security-manager-off-in.html
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org
