Repository: tapestry-5 Updated Branches: refs/heads/master 9d68c7468 -> 11c7d88f6
TAP5-2601: Add configurable service to block access to classpath assets Project: http://git-wip-us.apache.org/repos/asf/tapestry-5/repo Commit: http://git-wip-us.apache.org/repos/asf/tapestry-5/commit/11c7d88f Tree: http://git-wip-us.apache.org/repos/asf/tapestry-5/tree/11c7d88f Diff: http://git-wip-us.apache.org/repos/asf/tapestry-5/diff/11c7d88f Branch: refs/heads/master Commit: 11c7d88f632db7482186813f4a446bc280ec7264 Parents: 9d68c74 Author: Thiago H. de Paula Figueiredo <[email protected]> Authored: Fri Nov 23 16:58:33 2018 -0200 Committer: Thiago H. de Paula Figueiredo <[email protected]> Committed: Fri Nov 23 16:58:33 2018 -0200 ---------------------------------------------------------------------- 54_RELEASE_NOTES.md | 12 +++++++++++- 55_RELEASE_NOTES.md | 13 ++++++++++++- 2 files changed, 23 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/tapestry-5/blob/11c7d88f/54_RELEASE_NOTES.md ---------------------------------------------------------------------- diff --git a/54_RELEASE_NOTES.md b/54_RELEASE_NOTES.md index 4f1cd54..40bd9e1 100644 --- a/54_RELEASE_NOTES.md +++ b/54_RELEASE_NOTES.md 
@@ -82,6 +82,16 @@ It is now possible to control, for each JavaScript Stack, how that stack treats The default is to aggregate the libraries and minimize them, but there are now options to aggregate them without minimizing, or to leave them as individual files (neither aggregating, nor minimizing). +# Classpath asset protection (introduced in 5.4.4) +A new service, `ClasspathAssetProtectionRule`, which receives contributions of `ClasspathAssetProtectionRule` +instances, was created to you can easily add rules to block requests to classpath assets according to your +security needs. + +Three rules are added out-of-the-box and may be overriden: +* `ClassFile`: blocks access to assets with `.class` endings (case insensitive). +* `PropertiesFile`: blocks access to assets with `.properties` endings (case insensitive). +* `XMLFile`: blocks access to assets with `.xml` endings (case insensitive). + ## FormGroup Mixin This new mixin for Field components adds the outer `<div class="form-group">` and `<label>` elements for a Field @@ -498,4 +508,4 @@ interfaces that used a String content type have been changed to use the ContentT The FormInjector component was removed; it was intended for use only inside the AjaxFormLoop component (which was rewritten in 5.4 and no longer uses FormInjector). FormInjector was not widely used elsewhere, if -it was used at all. +it was used at all. \ No newline at end of file http://git-wip-us.apache.org/repos/asf/tapestry-5/blob/11c7d88f/55_RELEASE_NOTES.md ---------------------------------------------------------------------- diff --git a/55_RELEASE_NOTES.md b/55_RELEASE_NOTES.md index d4e65e4..3dd11bd 100644 --- a/55_RELEASE_NOTES.md +++ b/55_RELEASE_NOTES.md 
@@ -3,5 +3,16 @@ Scratch pad for changes destined for the 5.5 release notes page. # Java 8 required The minimum Java release required to run apps created with Tapestry 5.5 is Java 8. +# Java 8, 9, 10 and 11 supported + # Updates to embedded Tomcat and Jetty versions (TAP5-2548) -With Java 8, we made the switch to servlet-api 3.0. We updated the embedded Tomcat and Jetty containers to the respective versions. Unfortunately, we had to rename Jetty7Runner to JettyRunner and Tomcat6Runner to TomcatRunner in the tapestry-runner package. \ No newline at end of file +With Java 8, we made the switch to servlet-api 3.0. We updated the embedded Tomcat and Jetty containers to the respective versions. Unfortunately, we had to rename Jetty7Runner to JettyRunner and Tomcat6Runner to TomcatRunner in the tapestry-runner package. + +# Classpath asset protection (actually added in 5.4.4) +A new service, `ClasspathAssetProtectionRule`, which receives contributions of `ClasspathAssetProtectionRule` +instances, was created to you can easily add rules to block requests to classpath assets according to your +security needs. Three rules are added +out-of-the-box and may be overriden: +* `ClassFile`: blocks access to assets with `.class` endings (case insensitive). +* `PropertiesFile`: blocks access to assets with `.properties` endings (case insensitive). +* `XMLFile`: blocks access to assets with `.xml` endings (case insensitive). \ No newline at end of file
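Review bot: In the first 54_RELEASE_NOTES.md hunk (@@ -82,6 +82,16 @@), the added paragraph gives the service and the type it receives the same name, `ClasspathAssetProtectionRule`, so a reader cannot tell which service to contribute to. Name the service and the contributed rule type separately. In the same paragraph, "was created to you can" should read "was created so you can", and "overriden" should be "overridden". The new section opens with a top-level `#` heading placed directly before the existing `## FormGroup Mixin`, which makes the mixin section read as a subsection of classpath asset protection. Check that this level is intended, and leave a blank line between the heading and the paragraph. The text says the three rules may be overridden but not how. A sentence on how a rule is contributed or replaced would make the note usable on its own.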
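Review bot: The second 54_RELEASE_NOTES.md hunk (@@ -498,4 +508,4 @@) changes only the last line, `it was used at all.`, by dropping the file's trailing newline (`\ No newline at end of file`). That is unrelated to the classpath asset text and looks like editor churn. Restore the final newline so this hunk drops out of the patch.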
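Review bot: In the 55_RELEASE_NOTES.md hunk (@@ -3,5 +3,16 @@), the classpath asset section is a second copy of the 5.4 text with the same defects: the service and the contributed type are both called `ClasspathAssetProtectionRule`, "was created to you can" should be "was created so you can", and "overriden" should be "overridden". The two copies have also drifted: the heading here says "(actually added in 5.4.4)" while the 5.4 notes say "(introduced in 5.4.4)", and "Three rules are added" is broken mid-sentence across two lines. Pick one wording and keep both files identical, or have the 5.5 notes point to the 5.4 section instead of repeating it. The added `# Java 8, 9, 10 and 11 supported` heading has no body text and is not part of TAP5-2601, so give it a sentence or move it to its own commit. The hunk restores the newline after the Tomcat and Jetty paragraph but the file again ends with `\ No newline at end of file`, so add a final newline after the `XMLFile` bullet.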
