svn commit: r895005 - in /websites/production/tapestry/content: assets.html cache/main.pageCache security-faq.html
Author: buildbot Date: Tue Jan 21 20:20:49 2014 New Revision: 895005 Log: Production update by buildbot for tapestry Modified: websites/production/tapestry/content/assets.html websites/production/tapestry/content/cache/main.pageCache websites/production/tapestry/content/security-faq.html Modified: websites/production/tapestry/content/assets.html == --- websites/production/tapestry/content/assets.html (original) +++ websites/production/tapestry/content/assets.html Tue Jan 21 20:20:49 2014 @@ -95,7 +95,7 @@ Page: -Configuration +Layout Component @@ -104,7 +104,7 @@ Page: -Layout Component +JavaScript @@ -113,7 +113,7 @@ Page: -JavaScript +CSS @@ -122,7 +122,7 @@ Page: -CSS +Configuration 
@@ -160,91 +160,7 @@ private Asset style; The use of the ${...} syntax here is a symbol expansion (because it occurs in an annotation in Java code), rather than a template expansion (which occurs only in Tapestry template files). -An override of the skin.root symbol would affect all references to the named asset.Localization of AssetsMain Article: LocalizationAssets are localized; Tapestry will search for a variation of the file appropriate to the effective locale for the request. In the previous example, a German user of the application may see a file named edit_de.png (if such a file exists).New Asset DomainsIf you wish to create new domains for assets, for example to allow assets to be stored on the file system or in a database, you may define a new http://tapestry.apache.org/current/apidocs/org/apache/tapestry5/services/AssetFactory.html";>AssetFactory and contribute it to the http://tapestry.apache.org/current/apidocs/org/apache/tapestry5/services/AssetSour ce.html">AssetSource service configuration.Asset URLsTapestry creates a new URL for assets (whether context or classpath). The URL is of the form /assets/version/folder/path.version: Application version number, defined by the tapestry.application-version symbol in your application module (normally AppModule.java). The default is a random hex number.folder: Identifies the library containing the asset, or "ctx" for a context asset, or "stack" (used when combining multiple JavaScript files into a single virtual asset).path: The path below the root package of the library to the specific asset file.Performance NotesAssets are expected to be entirely static (not changing while the application is deployed). 
This allows Tapestry to perform some important pe rformance optimizations.Tapestry GZIP compresses the content of all assets – if the asset is compressible, the client supports it, and you don't explicitly disable it.When Tapestry generates a URL for an asset, either on the classpath or from the context, the URL includes the application version number. Further, the asset will get a far future expires header, which will encourage the client browser to cache the asset.You should have an explicit application version number for any production application. Client browsers will aggressively cache downloaded assets; they will usually not even send a request to see if the asset has changed once the asset is downloaded the first time. Because of this it is very important that each new deployment of your application has a new version number, to force existing clients to re-download all assets.Asset SecurityBecause Tapestry directly exposes files on the classpath to the clients, some thought has gone into ensuring that malicious clients are not able to download assets that should not be visible to them.First off all, there's a package limitation: classpath assets are only visible if there's a http://tapestry.apache.org/current/apidocs/org/apache/tapestry5/services/LibraryMapping.html";>LibraryMapping for them, and the library mapping substitutes for the initial folders on the classpath. Since the most secure assets, things like hibernate.cfg.xml are located in the unnamed package, they are always off limits.But what about other files on the classpath? Imagine this scenario:Your Login page exposes a classpath asset, icon.png.A malicious client copies the URL, /assets/1.0.0/app/pages/icon.png,
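Review bot: the @@ -160,91 +160,7 @@ hunk removes the Localization of Assets, New Asset Domains, Asset URLs, Performance Notes and Asset Security sections from assets.html, and the seven replacement lines are not visible in this excerpt, so it cannot be confirmed from the diff alone that the regenerated page still carries the Asset Security guidance (the LibraryMapping restriction on classpath assets and the scenario about guessing Login.class). Before publishing, open the generated assets.html and check that this material survived the Confluence re-export rather than relying on the hunk header.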
svn commit: r895014 - in /websites/production/tapestry/content: cache/main.pageCache security.html
Author: buildbot Date: Tue Jan 21 21:20:49 2014 New Revision: 895014 Log: Production update by buildbot for tapestry Modified: websites/production/tapestry/content/cache/main.pageCache websites/production/tapestry/content/security.html Modified: websites/production/tapestry/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/tapestry/content/security.html == --- websites/production/tapestry/content/security.html (original) +++ websites/production/tapestry/content/security.html Tue Jan 21 21:20:49 2014 @@ -25,6 +25,14 @@ + + + + + + SyntaxHighlighter.defaults['toolbar'] = false; + SyntaxHighlighter.all(); + @@ -61,7 +69,7 @@ -Tapestry does not come with a built-in security implementation to avoid lock-in to a specific security framework. There are various Java security frameworks available, but the main two Java-based open source security frameworks are Apache Shiro (earlier JSecurity) and Spring Security (earlier Acegi Security). Spring Security is the more popular of the two (because of Spring's popularity), whereas Shiro is widely regarded as the more flexible choice. There are well-maintained Tapestry integration projects for both of these frameworks, http://tynamo.org/tapestry-security+guide"; >tapestry-security for Apache Shiro (from Tynamo.org) and http://www.localhost.nu/java/tapestry-spring-security"; >tapestry-spring-security for Spring Security. +Tapestry has a number of security features designed to harden your application against unwanted intrusion and denial of service. Related Articles @@ -77,7 +85,7 @@ Page: -HTTPS +Integrating with Spring Framework 
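Review bot: the paragraph replaced at @@ -61,7 +69,7 @@ was the only text in this page that named and linked the two framework integrations (tapestry-security for Apache Shiro and tapestry-spring-security for Spring Security); the new one-sentence intro drops both. The text added later in this same patch says "For more advanced needs see the Security Framework Integration section below", so verify that those two links actually reappear in that section of the generated security.html instead of being lost in the rewrite.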
@@ -86,12 +94,38 @@ Page: -Integrating with Spring Framework +Security FAQ + + + + + +Page: + + +HTTPS -For tapestry-security (Shiro-based)http://tynamo.org/tynamo-federatedaccounts+guide"; >Tynamo-federatedaccounts Facebook etc. 3rd party authentication provider integrations, building on Tapestry-securityFor tapestry-spring-securityhttp://www.localhost.nu/java/tapestry-spring-security/conf.html"; >http://www.localhost.nu/java/tapestry-spring-security/conf.htmlTo include OpenID with Spring Security in your application, see the following Wiki entry:http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId";>http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId +HTTPS-only PagesMain Article: HTTPSTapestry provides several annotations and configuration settings that you can use to ensure that all access to certain pages–or all pages–occurs only via the encrypted HTTPS protocol. See HTTPS for details.Controlling Page Access +JumpStart Demo: +http://jumpstart.doublenegative.com.au/jumpstart/examples/infrastructure/protectingpages"; >Protecting PagesFor simple access control needs, you can contribute a http://tapestry.apache.org/current/apidocs/org/apache/tapestry5/services/ComponentRequestFilter.html";>ComponentRequestFilter with your custom logic that decides which pages should be accessed by which users.For more advanced needs see the Security Framework Integration section below.White-listed PagesPages whose component classes are annotated with @http://tapestry.apache.org/current/apidocs/org/apache/tapestry5/annotations/WhitelistAccessOnly.html";>WhitelistAccessOn ly will only be displayed to users (clients) that are on the whitelist. 
By default the whitelist consists only of clients whose fully-qualified domain name is "localhost" (or the IP address equivalent, 127.0.0.1 or 0:0:0:0:0:0:0:1), but you can customize this by contributing to the ClientWhitelist service in your application's module class (usually AppModule.java):AppModule.java (partial) – simple inline example + + Sometimes, in production, a firewall or pro
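Review bot: in the @@ -86,12 +94,38 @@ hunk the heading "AppModule.java (partial) – simple inline example" is followed only by blank added lines before "Sometimes, in production, a firewall or pro", so the ClientWhitelist contribution the heading promises is missing from the generated HTML; the Confluence Code Block macro looks to have exported empty and the page should not ship with a heading and no code. The paragraph that follows it is also cut off mid-word in this hunk, so check the end of the added region for the same export problem.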
[CONF] Apache Tapestry > Security
Bob Harner edited the page: Security
Comment: Added lots more information about Tapestry security features

Tapestry has a number of security features designed to harden your application against unwanted intrusion and denial of service.

Related Articles (content-by-label box: spring, security)

HTTPS-only Pages

Main Article: HTTPS

Tapestry provides several annotations and configuration settings that you can use to ensure that all access to certain pages, or to all pages, occurs only via the encrypted HTTPS protocol. See HTTPS for details.

Controlling Page Access

JumpStart Demo: Protecting Pages (http://jumpstart.doublenegative.com.au/jumpstart/examples/infrastructure/protectingpages)

For simple access control needs, you can contribute a ComponentRequestFilter with your custom logic that decides which pages should be accessed by which users. For more advanced needs see the Security Framework Integration section below.

White-listed Pages

Pages whose component classes are annotated with @WhitelistAccessOnly will only be displayed to users (clients) that are on the whitelist. By default the whitelist consists only of clients whose fully-qualified domain name is "localhost" (or the IP address equivalent, 127.0.0.1 or 0:0:0:0:0:0:0:1), but you can customize this by contributing to the ClientWhitelist service in your application's module class (usually AppModule.java):
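The ComponentRequestFilter approach described under Controlling Page Access, as an added example that is not Tapestry's own code or the JumpStart demo: it assumes the Tapestry 5.3-era services ComponentRequestFilter, ApplicationStateManager, PageRenderLinkSource and Response, a hypothetical UserSession state object, and a page-naming convention in which protected pages live under "admin/"; everyone else is redirected to the Login page.

```java
package com.example.security; // hypothetical package, not part of Tapestry

import java.io.IOException;
import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.services.ApplicationStateManager;
import org.apache.tapestry5.services.ComponentEventRequestParameters;
import org.apache.tapestry5.services.ComponentRequestFilter;
import org.apache.tapestry5.services.ComponentRequestHandler;
import org.apache.tapestry5.services.PageRenderLinkSource;
import org.apache.tapestry5.services.PageRenderRequestParameters;
import org.apache.tapestry5.services.Response;

/** Hypothetical per-user state object; Tapestry stores it in the session via ApplicationStateManager. */
class UserSession {
    private boolean admin;
    public boolean isAdmin() { return admin; }
    public void setAdmin(boolean admin) { this.admin = admin; }
}

/** Blocks page renders and component events for pages under "admin/" unless the session holds an admin. */
public class AdminPageAccessFilter implements ComponentRequestFilter {
    private final ApplicationStateManager asm;
    private final PageRenderLinkSource linkSource;
    private final Response response;

    public AdminPageAccessFilter(ApplicationStateManager asm, PageRenderLinkSource linkSource, Response response) {
        this.asm = asm;
        this.linkSource = linkSource;
        this.response = response;
    }

    public void handlePageRender(PageRenderRequestParameters parameters, ComponentRequestHandler handler) throws IOException {
        if (!denied(parameters.getLogicalPageName())) handler.handlePageRender(parameters);
    }

    public void handleComponentEvent(ComponentEventRequestParameters parameters, ComponentRequestHandler handler) throws IOException {
        // Events are checked against the page they act on, so a hand-built event URL gets the same treatment as a render.
        if (!denied(parameters.getActivePageName())) handler.handleComponentEvent(parameters);
    }

    /** Returns true (after redirecting to Login) when the page is protected and the caller is not an admin. */
    private boolean denied(String pageName) throws IOException {
        if (!pageName.toLowerCase().startsWith("admin/")) return false;   // Tapestry page names are case-insensitive
        // exists() avoids creating an empty UserSession for anonymous visitors just to inspect it
        if (asm.exists(UserSession.class) && asm.get(UserSession.class).isAdmin()) return false;
        response.sendRedirect(linkSource.createPageRenderLink("Login"));
        return true;
    }
}

/** Registration as it would appear in AppModule.java: order the filter ahead of the built-in ones. */
class AppModuleFragment {
    public static void contributeComponentRequestHandler(OrderedConfiguration<ComponentRequestFilter> configuration) {
        configuration.addInstance("AdminPageAccess", AdminPageAccessFilter.class, "before:*");
    }
}
```

The filter deliberately does not consult the page class for annotations, so a new page placed under "admin/" is protected by default rather than left open until someone remembers to annotate it.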
[CONF] Apache Tapestry > Assets
Bob Harner edited the page: Assets
Comment: Resolved broken footnotes by making them parenthetical (unfortunately)

...

Your Login page exposes a classpath asset, icon.png.

A malicious client copies the URL, /assets/1.0.0/app/pages/icon.png (which would indicate that the Login page is actually inside a library, which is unlikely. More likely, icon.png is a context asset and the malicious user guessed the path for Login.class by looking at the Tapestry source code.), and changes the file name to Login.class.

The client decompiles the class file and spots your secret emergency password: goodbye security! (Never create such back doors, of course!)

Fortunately, this can't happen. Files with extension ".class" are secured; they must be accompanied in the URL with a query parameter that is the MD5 hash of the file's contents. If the query parameter is absent, or doesn't match the actual file's content, the request is rejected.

When your code exposes an Asset, the URL will automatically include the query parameter if the file type is secured. The malicious user is locked out of access to the files (unless they already have the files so that they can generate the MD5 checksum ... to get access to the files they already have).

By default, Tapestry secures file extensions ".class", ".tml" and ".properties". The list can be extended by contributing to the ResourceDigestGenerator service:

...
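A stand-alone model of the secured-extension rule described above, added here and not Tapestry's implementation: it keeps the page's decision (a secured extension with no digest, or a wrong one, is rejected; anything else is served), adds "xml" as a constructed example of an extension contributed beyond the defaults, and uses a constant-time comparison for the digest.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Models the check an asset request must pass: secured extensions need a matching MD5 query parameter. */
public class AssetDigestCheck {
    // Tapestry's defaults (class, tml, properties) plus "xml", a constructed example of an added extension.
    private final Set<String> securedExtensions = new HashSet<>(Arrays.asList("class", "tml", "properties", "xml"));

    /** Lower-case hex MD5 of the file contents, the form the query parameter carries. */
    static String md5Hex(byte[] content) {
        try {
            byte[] digest = MessageDigest.getInstance("MD5").digest(content);
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    boolean isSecured(String path) {
        int dot = path.lastIndexOf('.');
        return dot >= 0 && securedExtensions.contains(path.substring(dot + 1).toLowerCase());
    }

    /** @param suppliedDigest the digest query parameter from the URL, or null when it is absent */
    boolean allow(String path, String suppliedDigest, byte[] actualContent) {
        if (!isSecured(path)) return true;        // e.g. icon.png: no digest needed
        if (suppliedDigest == null) return false;  // Login.class without a digest: rejected
        byte[] expected = md5Hex(actualContent).getBytes(StandardCharsets.US_ASCII);
        byte[] supplied = suppliedDigest.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, supplied); // constant-time, no timing leak on a guessed digest
    }

    public static void main(String[] args) {
        AssetDigestCheck check = new AssetDigestCheck();
        byte[] classBytes = "constructed stand-in for Login.class bytes".getBytes(StandardCharsets.UTF_8);
        System.out.println("icon.png, no digest:      " + check.allow("/assets/1.0.0/app/pages/icon.png", null, new byte[0]));
        System.out.println("Login.class, no digest:   " + check.allow("/assets/1.0.0/app/pages/Login.class", null, classBytes));
        System.out.println("Login.class, wrong digest:" + check.allow("/assets/1.0.0/app/pages/Login.class", "00", classBytes));
        System.out.println("Login.class, right digest:" + check.allow("/assets/1.0.0/app/pages/Login.class", md5Hex(classBytes), classBytes));
    }
}
```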
[CONF] Apache Tapestry > Security FAQ
Bob Harner edited the page: Security FAQ
Comment: Added Related Articles box

Security FAQ

Related Articles (content-by-label box: security)

The built-in PageCatalog and ServiceStatus pages are visible in my production application and I don't want them to be, what can I do?

...

Sometimes, in production, a firewall or proxy may make it look like the client web browser originates from localhost; in that situation, you may want to disable the logic that puts localhost onto the whitelist. This determination is made by the contributions to the ClientWhitelist service. Tapestry makes a contribution with id "LocalhostOnly", which one of your modules can override:

    // ClientWhitelist is configured with an ordered list of WhitelistAnalyzer contributions
    @Contribute(ClientWhitelist.class)
    public static void turnOffLocalhostInProduction(OrderedConfiguration<WhitelistAnalyzer> configuration,
                                                    @Symbol(SymbolConstants.PRODUCTION_MODE) boolean productionMode)
    {
        // Overriding "LocalhostOnly" with null removes it, so localhost is no longer trusted in production mode
        if (productionMode)
        {
            configuration.override("LocalhostOnly", null);
        }
    }

...
[CONF] Apache Tapestry > Security FAQ
Bob Harner removed a comment from the page: Security FAQ
Added security label

This message was sent by Atlassian Confluence 5.0.3, Team Collaboration Software
svn commit: r894982 - in /websites/production/tapestry/content: cache/main.pageCache community.html
Author: buildbot Date: Tue Jan 21 16:20:52 2014 New Revision: 894982 Log: Production update by buildbot for tapestry Modified: websites/production/tapestry/content/cache/main.pageCache websites/production/tapestry/content/community.html Modified: websites/production/tapestry/content/cache/main.pageCache == Binary files - no diff available. Modified: websites/production/tapestry/content/community.html == --- websites/production/tapestry/content/community.html (original) +++ websites/production/tapestry/content/community.html Tue Jan 21 16:20:52 2014 
@@ -61,169 +61,25 @@ -Tapestry has an active community of users and developers. This is an overview of how to participate, along with a list of some of the great contributions of the community members. +Tapestry has an active community of users and developers. This is an overview of how to participate, along with a list of some of the great contributions of the community members./*/**/ +/*]]>*/ Getting Involved Reporting Problems / Getting SupportContributing translations for Tapestry built-in messagesSource Code AccessBecoming a ContributorBecoming a Committer Community Contributions Modules ExtensionsTutorialsIDE Integrations - - - -Getting Involved - -Reporting Problems / Getting Support - -Like all Apache projects, Tapestry uses mailing lists for most communication. You can subscribe by sending e-mail to the addresses below. For each list, there are subscribe, unsubscribe, and archive links. All Tapestry users are welcome to subscribe to any of these lists, however questions on how to use Tapestry in your application are best sent to the user mailing list. - -Please note that the Nabble archives are set to read-only and don't allow for posting or answering using Nabble's web interface. You have to subscribe to the mailing list in order to post. 
- - Subscribe Unsubscribe Apache Archive Nabble Archive MarkMail Archive Tapestry User List mailto:users-subscr...@tapestry.apache.org"; >Subscribe mailto:users-unsubscr...@tapestry.apache.org"; >Unsubscribe http://mail-archives.apache.org/mod_mbox/tapestry-users/";>mail-archives.apache.org http://tapestry.1045711.n5.nabble.com/Tapestry-User-f2375125.html"; >www.nabble.com http://tapestry.markmail.org/search/?q=list%3Aorg.apache.tapestry.users"; >tapestry.markmail.org Tapestry Developer List mailto:dev-subscr...@tapestry.apache.org"; >Subscribe mailto:dev-unsubscr...@tapestry.apache.org"; >Unsubscribe http://mail-archives.apache.org/mod_mbox/tapestry-dev/";>mail-archives.apache.org http://tapestry.1045711.n5.nabble.com/Tapestry-Dev-f2438278.html"; >www.nabble.com http://tapestry.markmail.org/search/?q=list%3Aorg.apache.tapestry.dev"; >tapestry.markmail.org Tapestry Commits List mailto:commits-subscr...@tapestry.apache.org"; >Subscribe mailto:commits-unsubscr...@tapestry.apache.org"; >Unsubscribe http://mail-archives.apache.org/mod_mbox/tapestry-commits/";>mail-archives.apache.org - http://tapestry.markmail.org/search/?q=list%3Aorg.apache.tapestry.commits"; >tapestry.markmail.org Search Multiple Lists - - - http://tapestry.1045711.n5.nabble.com/"; >www.nabble.com tapestry.markmail.org - -Tapestry issues are tracked in the https://issues.apache.org/jira/browse/TAP5";>Apache JIRA. - -Unless your problem is clear as day, it's a good idea to discuss it on the Tapestry Users mailing list first, before adding an issue. At the same time, it's generally unlikely that a bug will be fixed unless a JIRA Issue is created. - -Eric Raymond has a detailed http://catb.org/esr/faqs/smart-questions.html"; >guide to asking questions the right way. If you are not getting a response to your problem, it's likely because you aren't asking it the right way. - -Just saying something is "broken" or "failed" is not enough. How did it fail? Did it do the wrong thing? Throw an exception? 
Not respond in any way? What exactly did you expect to happen? All of this information should be made available when looking for help, plus context on the general problem you were trying to solve in the first place (there may be a better solution entirely). Read Eric Raymond's guide ... it's fun and informative. - -Contributing translations for Tapestry built-in messages - -If Tapestry's built-in messages aren't available in your language, you are welcome to contribute a new translation of the message catalogs. For easy inst
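Review bot: the rewritten intro line at the top of the @@ -61,169 +61,25 @@ hunk ends with "/*/**/ +/*]]>*/", the tail of an inline script's CDATA wrapper that has leaked into the page body and will render as visible text next to the first paragraph; the script element it belongs to is not in the added lines, so it looks like the export stripped the tags but kept the comment. Separately, this hunk deletes the whole mailing-list table (subscribe, unsubscribe and archive links for the user, dev and commits lists) together with the JIRA and "smart questions" guidance; the Community page edit notice below says the lists now come from an "Include Page Mailing Lists" macro, so confirm that the include rendered into the 25 replacement lines before this goes live.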
[CONF] Apache Tapestry > Community
Bob Harner edited the page: Community
Comment: Endorsed Eclipse-tapestry5-plugin over Tapestry Tools

Tapestry has an active community of users and developers. This is an overview of how to participate, along with a list of some of the great contributions of the community members.

Table of Contents

Getting Involved

Reporting Problems / Getting Support

(Include Page: Mailing Lists)

Tapestry issues are tracked in the Apache JIRA.

...

Access using Git client:

    $ git clone http://git-wip-us.apache.org/repos/asf/tapestry-5.git

...
svn commit: r894980 - /websites/production/tapestry/content/styles/style.css
Author: bobharner Date: Tue Jan 21 15:50:40 2014 New Revision: 894980 Log: Another cosmetic issues with bulleted lists in Related Articles boxes caused by Confluence upgrade Modified: websites/production/tapestry/content/styles/style.css Modified: websites/production/tapestry/content/styles/style.css == --- websites/production/tapestry/content/styles/style.css (original) +++ websites/production/tapestry/content/styles/style.css Tue Jan 21 15:50:40 2014 @@ -225,7 +225,7 @@ a.blogDate { #content .navmenu TABLE { width: auto !important } DIV.navmenu { margin-left: 1em !important; padding-left: 1em !important; } -UL.content-by-label { padding: 1em 1em 1em 0; list-style: none; } +#content UL.content-by-label { padding: 1em 1em 1em 0; list-style: none; } UL.content-by-label>li:first-child { margin-top: 0; } UL.content-by-label>li { overflow: auto; margin-top: 7px; } UL.content-by-label>li DIV { display: inline; }
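Review bot: only the first rule, "UL.content-by-label { padding: 1em 1em 1em 0; list-style: none; }", is scoped under #content, while the three sibling rules on the following context lines (UL.content-by-label>li:first-child, UL.content-by-label>li and UL.content-by-label>li DIV) stay global. If the point is to win specificity over the Confluence stylesheet, or to keep these rules from touching content-by-label lists outside #content, the siblings need the same "#content" prefix; if only the padding rule needed the bump, a one-line comment saying why would stop the next reader from "fixing" the inconsistency.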
svn commit: r894979 - /websites/production/tapestry/content/styles/style.css
Author: bobharner Date: Tue Jan 21 15:46:33 2014 New Revision: 894979 Log: Fixed cosmetic issues with bulleted lists in Related Articles boxes caused by Confluence upgrade Modified: websites/production/tapestry/content/styles/style.css Modified: websites/production/tapestry/content/styles/style.css == --- websites/production/tapestry/content/styles/style.css (original) +++ websites/production/tapestry/content/styles/style.css Tue Jan 21 15:46:33 2014 @@ -224,7 +224,11 @@ a.blogDate { } #content .navmenu TABLE { width: auto !important } -DIV.navmenu { margin-left: 1em !important; } +DIV.navmenu { margin-left: 1em !important; padding-left: 1em !important; } +UL.content-by-label { padding: 1em 1em 1em 0; list-style: none; } +UL.content-by-label>li:first-child { margin-top: 0; } +UL.content-by-label>li { overflow: auto; margin-top: 7px; } +UL.content-by-label>li DIV { display: inline; } #top p { margin: 0; }
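Review bot: the four new UL.content-by-label rules are unscoped, unlike the neighbouring "#content .navmenu TABLE" rule, so they apply to every content-by-label list on the site, and the padding rule is already being re-scoped to #content in the follow-up commit r894980 above; scoping all four consistently in one change would avoid the two-step. The added "padding-left: 1em !important" on DIV.navmenu also leans on !important to beat the upstream stylesheet; a more specific selector such as "#content DIV.navmenu" would achieve the same without escalating, in line with the table rule just above it.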