On Thu, 08 Apr 2010 19:54:03 -0300, Howard Lewis Ship <[email protected]>
wrote:
In terms of a solution: simpler API, assume that most resources are
available unless explicitly told not to (i.e., .class and hibernate
properties files, etc.).
What should be available by default? My opinion, anything in the context,
except WEB-INF.
What should not be available by default? My opinion, anything in the
classpath.
Anyway, I think we shouldn't prevent users to define the availability of
not of a given URL/resource/whatever. There will always be scenarios where
some files of a type or location should be available or other not. That's
why I like the asset protection filter configured as a pipeline, each part
of it receiving an URL (better yet, a Request instance) to analyze.
Key things: some kind of check to prevent directory listings,
I think directory listings of virtual and classpath assets should be
denied, but listings of context folders should be configurable (denied os
default).
and
properly enforce the extra MD5 checksum for protected resources
(.class file, etc.).
+1
--
Thiago H. de Paula Figueiredo
Independent Java, Apache Tapestry 5 and Hibernate consultant, developer,
and instructor
Owner, software architect and developer, Ars Machina Tecnologia da
Informação Ltda.
http://www.arsmachina.com.br
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
