On Thu, Apr 8, 2010 at 5:11 PM, Thiago H. de Paula Figueiredo <[email protected]> wrote:
> On Thu, 08 Apr 2010 19:54:03 -0300, Howard Lewis Ship <[email protected]> wrote:
>
>> In terms of a solution: simpler API, assume that most resources are
>> available unless explicitly told not to (i.e., .class and hibernate
>> properties files, etc.).
>
> What should be available by default? My opinion, anything in the context,
> except WEB-INF.
> What should not be available by default? My opinion, anything in the
> classpath.

And that's where I disagree; maybe any non-.class file outside of a
controlled package should be protected? If we remove the malicious user's
ability to "hunt" for files and protect the ones that may be important
(.class, etc.) then we're good.

> Anyway, I think we shouldn't prevent users from defining the availability or not
> of a given URL/resource/whatever. There will always be scenarios where some
> files of a type or location should be available or other not. That's why I
> like the asset protection filter configured as a pipeline, each part of it
> receiving an URL (better yet, a Request instance) to analyze.
>
>> Key things: some kind of check to prevent directory listings,
>
> I think directory listings of virtual and classpath assets should be denied,
> but listings of context folders should be configurable (denied as default).
>
>> and
>> properly enforce the extra MD5 checksum for protected resources
>> (.class file, etc.).
>
> +1
>
> --
> Thiago H. de Paula Figueiredo
> Independent Java, Apache Tapestry 5 and Hibernate consultant, developer, and
> instructor
> Owner, software architect and developer, Ars Machina Tecnologia da
> Informação Ltda.
> http://www.arsmachina.com.br
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>

--
Howard M. Lewis Ship

Creator of Apache Tapestry

The source for Tapestry training, mentoring and support. Contact me to
learn how I can get you up and productive in Tapestry fast!

(971) 678-5210
http://howardlewisship.com
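A sketch of the pipeline-style asset protection filter the two messages above are discussing, written as an added example for this thread; it is not code from Tapestry or from either author. The stage order, the `AssetRequest` and `AssetFilter` names, the `"context"`/`"classpath"` source labels, the exposed-package prefix and the sample resource bytes are all assumptions made for the example. Each stage sees the request and either decides (ALLOW/DENY) or passes it on (CONTINUE); WEB-INF is refused outright, directory listings are refused for classpath assets and configurable for context folders, classpath assets are unavailable unless their package was explicitly exposed, and .class/.properties files are served only when the URL carries the MD5 of the real content.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.*;

/** Result of one stage: ALLOW and DENY are final, CONTINUE defers to the next stage. */
enum Decision { ALLOW, DENY, CONTINUE }

/** Simplified request (assumption: the URL is already decoded and the source classified). */
final class AssetRequest {
    final String source;  // "context" or "classpath"
    final String path;    // decoded URL path, e.g. "/images/logo.png"
    final String md5;     // checksum carried in the URL, or null if absent
    AssetRequest(String source, String path, String md5) {
        this.source = source; this.path = path; this.md5 = md5;
    }
}

/** One stage of the pipeline; stands in for the Request-based filter suggested in the thread. */
interface AssetFilter { Decision analyze(AssetRequest req); }

final class AssetProtectionPipeline {
    private final List<AssetFilter> stages = new ArrayList<>();
    private final Decision fallback;   // used when no stage decides; DENY keeps it fail-closed
    AssetProtectionPipeline(Decision fallback) { this.fallback = fallback; }
    AssetProtectionPipeline add(AssetFilter f) { stages.add(f); return this; }
    Decision evaluate(AssetRequest req) {
        for (AssetFilter f : stages) {
            Decision d = f.analyze(req);
            if (d != Decision.CONTINUE) return d;
        }
        return fallback;
    }
}

public class AssetProtectionDemo {
    static String md5Hex(byte[] data) {
        try {
            StringBuilder sb = new StringBuilder();
            for (byte b : MessageDigest.getInstance("MD5").digest(data)) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    /** Builds the pipeline from the thread. Parameter values are assumptions, not Tapestry defaults. */
    static AssetProtectionPipeline build(Set<String> exposedClasspathPrefixes,
                                         boolean contextListingsAllowed,
                                         Map<String, byte[]> resources) {
        return new AssetProtectionPipeline(Decision.DENY)
            // 1. Only absolute paths without "." or ".." segments, so later prefix checks hold.
            .add(req -> {
                if (!req.path.startsWith("/")) return Decision.DENY;
                for (String seg : req.path.split("/"))
                    if (seg.equals(".") || seg.equals("..")) return Decision.DENY;
                return Decision.CONTINUE;
            })
            // 2. WEB-INF is never served.
            .add(req -> {
                for (String seg : req.path.split("/"))
                    if (seg.equalsIgnoreCase("WEB-INF")) return Decision.DENY;
                return Decision.CONTINUE;
            })
            // 3. Directory listings: denied for classpath assets, configurable for the context.
            .add(req -> {
                if (!req.path.endsWith("/")) return Decision.CONTINUE;
                return req.source.equals("context") && contextListingsAllowed ? Decision.CONTINUE : Decision.DENY;
            })
            // 4. Classpath assets are unavailable by default; only explicitly exposed packages pass.
            .add(req -> {
                if (!req.source.equals("classpath")) return Decision.CONTINUE;
                for (String prefix : exposedClasspathPrefixes)
                    if (req.path.startsWith(prefix)) return Decision.CONTINUE;
                return Decision.DENY;
            })
            // 5. Protected types need a URL checksum equal to the MD5 of the actual content.
            .add(req -> {
                String lower = req.path.toLowerCase(Locale.ROOT);
                if (!(lower.endsWith(".class") || lower.endsWith(".properties"))) return Decision.CONTINUE;
                byte[] content = resources.get(req.path);
                if (content == null || req.md5 == null) return Decision.DENY;
                return md5Hex(content).equals(req.md5) ? Decision.ALLOW : Decision.DENY;
            })
            // 6. Anything else that got this far (context, or an exposed classpath package) is available.
            .add(req -> Decision.ALLOW);
    }

    static void check(AssetProtectionPipeline p, AssetRequest r, Decision expected) {
        Decision d = p.evaluate(r);
        System.out.printf("%-9s %-42s -> %s%s%n", r.source, r.path, d, d == expected ? "" : "  (UNEXPECTED)");
    }

    public static void main(String[] args) {
        // Constructed resource store: stands in for the real file on the classpath.
        Map<String, byte[]> resources = new HashMap<>();
        byte[] cls = "constructed Index.class bytes".getBytes(StandardCharsets.UTF_8);
        resources.put("/org/example/app/pages/Index.class", cls);
        AssetProtectionPipeline p = build(Collections.singleton("/org/example/app/"), false, resources);

        check(p, new AssetRequest("context", "/images/logo.png", null), Decision.ALLOW);
        check(p, new AssetRequest("context", "/WEB-INF/web.xml", null), Decision.DENY);
        check(p, new AssetRequest("context", "/images/../WEB-INF/web.xml", null), Decision.DENY);
        check(p, new AssetRequest("context", "/images/", null), Decision.DENY);
        check(p, new AssetRequest("classpath", "/org/example/app/assets/app.css", null), Decision.ALLOW);
        check(p, new AssetRequest("classpath", "/org/hibernate/hibernate.properties", null), Decision.DENY);
        check(p, new AssetRequest("classpath", "/org/example/app/pages/Index.class", null), Decision.DENY);
        check(p, new AssetRequest("classpath", "/org/example/app/pages/Index.class", md5Hex(cls)), Decision.ALLOW);
    }
}
```

The segment check in stage 1 runs before the WEB-INF and package-prefix stages so that a path which would normalise into a protected location is rejected before any prefix comparison is made, and the fallback is DENY so that a request no stage recognises fails closed. Making each rule its own `AssetFilter` is what gives the per-URL configurability asked for in the thread: a deployment can insert, reorder or drop stages without touching the others.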
