I've been doing some pretty massive refactoring of asset aggregation, to make it better, simpler and more secure. These changes are in a local branch of my laptop, but should show up in SVN pretty soon.
Classpath assets are now only exposed beneath a ClasspathAssetAliasManager mapping. Every LibraryMapping contributed to the ComponentClassResolver now creates an automatic contribution to ClasspathAssetAliasMananger. The /assets/ URL is now a more regular form: /assets/app-version/folder/path. app-version is the application version, then a folder (either a library name, "ctx", "stack", or "app"), then extra path to identify the actual resource under the virtual name. The old virtual asset system, the one that recorded a MIME string in the file name, is gone. I'm working on its replacement, which pulls in a stack. I've generalized ClientInfrastructure a bit, forming a new interface, JavascriptStack. JavascriptStack encapsulates a set of JS libraries, related stylesheets and some optional extra JS initialization. When JS is aggregated, a single URL (ex: /assets/app-version/stack/en/core.js) will pull down the combined JS files. Context assets are made available, but WEB-INF, META-INF and *.tml are expressly filtered out (i.e., 404). The end result is that the classpath is no longer wide open; only resources in packages mapped as libraries (including the application root package) will ever be visible, and most sensitive files will be elsewhere. I'm pretty happy with how it is all coming out. The eventual goal will be to allow for multiple stacks; this will allow, for example, a large library like Ext or YUI to download as a single unit. Should have this in SVN tomorrow-ish. -- Howard M. Lewis Ship Creator of Apache Tapestry The source for Tapestry training, mentoring and support. Contact me to learn how I can get you up and productive in Tapestry fast! (971) 678-5210 http://howardlewisship.com --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
