tapestry-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Taylor <DavidVTay...@cox.net>
Subject Re: PATCH: fix for asset service (branch-3-0 2005-03-16)
Date Mon, 21 Mar 2005 21:47:15 GMT
Interesting point regarding cached pages. Unfortunately, Howard's 
approach also has a similar problem when assets are updated at runtime 
changing their hash value. As luck would have it, one of my applications 
uses (abuses?) the asset service to serve JPEG images from a database. 
Whenever an image is replaced in the database its hash value changes. 
This is particularly troublesome since the application makes heavy use 
of remote scripting (i.e. AJAX) and is not easily refreshed..

My solution to the problem was to abandon the asset service for that 
part of the application. I am currently building a new resource 
management service that uses a declarative security mechanism to grant 
access to resources. Using this approach I can limit access to a list of 
named resources, those in specified "folders" or those matching a 
regular expression. The first version is targeted at Tapestry 3.0.2 
since that is what I currently have in production. Ideally I would like 
to make this more generalized and extensible to support more resource 
locations (i.e. file system, classpath, database, dynamically 
generated...). Some sort of namespace specifier might also be in order 
to keep these logically separate.

David


Mind Bridge wrote:

>Hi,
>
>We have been thinking about that approach earlier, but it has a problem:
>when the application is restarted, the pool will no longer contain the
>asset, but its URL will be out there, on cached/bookmarked pages or the
>like. If the asset is not tied to a page, which is possible as well as it
>can be declared in code for example, it gets interesting too.
>
>In short, it is possible to receive "access denied" errors after a server
>restart even though the asset is completely valid. Howard's patch is a
>solution that covers the general case and is always valid. We just need to
>make sure that the absolute path of the asset (case insensitive in some
>cases) is used as a key for the checksum to ensure that there is no DoS
>possibility.
>
>
>----- Original Message ----- 
>From: "David White" <dw11610@onemail.at>
>To: <tapestry-dev@jakarta.apache.org>
>Sent: Monday, March 21, 2005 11:52 AM
>Subject: PATCH: fix for asset service (branch-3-0 2005-03-16)
>
>
>  
>
>>So, here is the diff from branch-3-0 as of 2005-03-16.
>>
>>The basic idea is to enter the path to PrivateAssets into the engine's
>>Pool when the PrivateAsset is rendered. Instead of simply using the path
>>provided by the user, the AssetService looks up the given path in the
>>Pool to see if it has been "declared" in a page or component
>>specification. If the path has not been pooled, the request is treated
>>as a request for a missing resource.
>>
>>Thinking about this matter carefully, I think I can see some real use
>>cases for MD5 content validation; consider ExternalAssets. It would be
>>nice to know that the URL is still pointing to the desired content, and
>>some mischievious person hasn't copied tubgirl.jpg over the URL's
>>referent. So a good solution would permit MD5 hashing for some
>>resources, but not require it for all assets.
>>
>>Questions? Comments?
>>
>>Thanks,
>>
>>David WHITE
>>
>>-- 
>>Index: framework/src/org/apache/tapestry/asset/AssetService.java
>>===================================================================
>>RCS
>>file:
>>    
>>
>/home/cvspublic/jakarta-tapestry/framework/src/org/apache/tapestry/asset/Att
>ic/AssetService.java,v
>  
>
>>retrieving revision 1.8
>>diff -r1.8 AssetService.java
>>28a29
>>    
>>
>>>import org.apache.tapestry.IEngine;
>>>      
>>>
>>140,147c141,151
>><         String resourcePath = (String) parameters[0];
>><
>><         URL resourceURL =
>>cycle.getEngine().getResourceResolver().getResource(resourcePath);
>><
>><         if (resourceURL == null)
>><             throw new ApplicationRuntimeException(
>><                 Tapestry.format("missing-resource", resourcePath));
>><
>>---
>>    
>>
>>>        IEngine theEngine = cycle.getEngine();
>>>        String resourceHandle = (String) parameters[0];
>>>        String resourcePath =
>>>      
>>>
>>(String)theEngine.getPool().retrieve(resourceHandle);
>>    
>>
>>>        URL resourceURL = resourcePath != null ?
>>>
>>>      
>>>
>>theEngine.getResourceResolver().getResource(resourcePath) :
>>    
>>
>>>                              null;
>>>
>>>        if (resourcePath == null || resourceURL == null)
>>>                      throw new ApplicationRuntimeException(
>>>
>>>      
>>>
>>Tapestry.format("missing-resource", resourceHandle));
>>    
>>
>>Index: framework/src/org/apache/tapestry/asset/PrivateAsset.java
>>===================================================================
>>RCS
>>file:
>>    
>>
>/home/cvspublic/jakarta-tapestry/framework/src/org/apache/tapestry/asset/Att
>ic/PrivateAsset.java,v
>  
>
>>retrieving revision 1.7
>>diff -r1.7 PrivateAsset.java
>>20a21
>>    
>>
>>>import org.apache.tapestry.IEngine;
>>>      
>>>
>>73a75,76
>>    
>>
>>>        IEngine engine = cycle.getEngine();
>>>        engine.getPool().store(path,path);
>>>      
>>>
>>-- 
>>David White <dw11610@onemail.at>
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: tapestry-dev-unsubscribe@jakarta.apache.org
>>For additional commands, e-mail: tapestry-dev-help@jakarta.apache.org
>>
>>
>>    
>>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: tapestry-dev-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: tapestry-dev-help@jakarta.apache.org
>
>
>  
>

---------------------------------------------------------------------
To unsubscribe, e-mail: tapestry-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tapestry-dev-help@jakarta.apache.org


Mime
View raw message