tapestry-dev mailing list archives

From Howard Lewis Ship <hls...@gmail.com>
Subject Re: PATCH: fix for asset service (branch-3-0 2005-03-16)
Date Mon, 21 Mar 2005 12:58:19 GMT

In a cluster, there's no guarantee that every request will be
processed by the same server.  Especially for the asset service, which
is not URL encoded (no session id is passed in the URL, though it may
come up in a cookie).

Therefore server A may render the page and read the spec, and server B
may receive the asset request and fail because it's not in your
registry of valid assets.

The correct approach is the one I developed for 3.1 and Paul back
ported to 3.0.3.  It's basic security ... you are allowed access if
you can prove that you should have access, by having a credential only
the server can provide.  The MD5 digest of the file can only be
generated by the server (which has the file), so that's a good
credential.


On Mon, 21 Mar 2005 11:22:35 +0100, David White <dw11610@onemail.at> wrote:
> On Mon, 2005-03-21 at 12:12 +0200, Mind Bridge wrote:
> > Hi,
> >
> > We have been thinking about that approach earlier, but it has a problem:
> > when the application is restarted, the pool will no longer contain the
> > asset, but its URL will be out there, on cached/bookmarked pages or the
> > like. If the asset is not tied to a page, which is possible as well as it
> > can be declared in code for example, it gets interesting too.
> >
> > In short, it is possible to receive "access denied" errors after a server
> > restart even though the asset is completely valid.
> 
> No, it isn't. If the server is restarted, the specification will have to
> be reloaded and rendered.
> 
> David WHITE
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tapestry-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tapestry-dev-help@jakarta.apache.org
> 
> 


-- 
Howard M. Lewis Ship
Independent J2EE / Open-Source Java Consultant
Creator, Jakarta Tapestry
Creator, Jakarta HiveMind

Professional Tapestry training, mentoring, support
and project work.  http://howardlewisship.com
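
The digest-as-credential check described in the message above, as an added example that is not part of the original e-mail and is not Tapestry's own code: the class, its method names and the URL layout are hypothetical, and it assumes every cluster node deploys the same files.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

// Hypothetical names throughout; this is an illustration, not Tapestry's asset service.
public class AssetDigestCheck {
    // Hex MD5 of a classpath resource, computed from the bytes the server holds.
    static String digestOf(String path) throws IOException, NoSuchAlgorithmException {
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        try (InputStream in = AssetDigestCheck.class.getResourceAsStream(path)) {
            if (in == null) throw new IOException("no such resource: " + path);
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) md5.update(buf, 0, n);
        }
        StringBuilder hex = new StringBuilder();
        for (byte b : md5.digest()) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Render time (server A): the digest travels in the URL as the credential.
    // The URL layout is constructed for this example.
    static String buildUrl(String path) throws Exception {
        return "/app?service=asset&path=" + URLEncoder.encode(path, "UTF-8")
                + "&digest=" + digestOf(path);
    }

    // Request time (server B, or A after a restart): recompute and compare.
    // No registry or session is consulted, so any node holding the same file agrees.
    // The digest is unkeyed: it is a credential only for files the client
    // cannot already obtain by some other route.
    static boolean isAllowed(String path, String presentedDigest) {
        if (path == null || presentedDigest == null) return false;
        try {
            byte[] expected = digestOf(path).getBytes(StandardCharsets.US_ASCII);
            byte[] presented = presentedDigest.toLowerCase(Locale.ROOT)
                    .getBytes(StandardCharsets.US_ASCII);
            return MessageDigest.isEqual(expected, presented); // constant-time compare
        } catch (IOException | NoSuchAlgorithmException e) {
            return false; // missing resource or digest failure: deny
        }
    }

    public static void main(String[] args) throws Exception {
        String path = "/AssetDigestCheck.class"; // constructed sample: this class's own file
        System.out.println(buildUrl(path));
        System.out.println("valid digest:   " + isAllowed(path, digestOf(path)));
        System.out.println("guessed digest: " + isAllowed(path, "00000000000000000000000000000000"));
        System.out.println("no digest:      " + isAllowed("/WEB-INF/web.xml", null));
    }
}
```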
