tapestry-dev mailing list archives

From "Bob Harner (Confluence)" <conflue...@apache.org>
Subject [CONF] Apache Tapestry > Security
Date Tue, 21 Jan 2014 20:41:00 GMT
<html>
    <head>
        <meta name="viewport" content="width=device-width" />
        <base href="https://cwiki.apache.org/confluence" />
    </head>
    <body style="font-family: Arial, FreeSans, Helvetica, sans-serif; font-size: 13px;
width: 100%; -webkit-font-smoothing: antialiased; background-color: #f0f0f0">
        <table id="email-wrapper" width="100%" cellspacing="0" cellpadding="0" border="0"
style="background-color: #f0f0f0">
            <tbody>
                <tr valign="middle">
                    <td id="email-wrapper-inner" style="font-size: 13px; padding: 20px;
text-align: center">
                        <table id="email-content" cellspacing="0" cellpadding="0" border="0"
style="font-family: Arial, FreeSans, Helvetica, sans-serif; width: 100%">
                            <tbody>
                                <tr valign="top">
                                    <td id="email-content-inner" align="left" style="font-family:
Arial, FreeSans, Helvetica, sans-serif; font-size: 13px; background-color: #fff; border: 1px
solid #bbb; padding: 20px; text-align: left">
                                        <table id="email-title" cellpadding="0" cellspacing="0"
border="0" width="100%">
                                            <tbody>
                                                <tr>
                                                    <td valign="top" style="font-size:
13px">
                                                        <div id="email-title-flavor" class="email-metadata"
style="margin: 0; padding: 0 0 4px 0; color: #505050">
                                                            <a href="https://cwiki.apache.org/confluence/display/~bobharner" style="color: #326ca6; text-decoration: none">Bob Harner</a> edited the page:
                                                        </div> </td>
                                                </tr>
                                                <tr>
                                                    <td valign="top" style="font-size:
13px"> <h2 id="email-title-heading" style="font-size: 16px; line-height: 20px; min-height:
20px; margin: 0; padding: 0"> <a href="https://cwiki.apache.org/confluence/display/TAPESTRY/Security"
style="color: #326ca6; text-decoration: none"> <img class="icon" src="cid:page-icon"
alt="" style="border: 0; padding: 0 5px 0 0; text-align: left; vertical-align: middle" />
<strong style="font-size:16px;line-height:20px;vertical-align:top;">Security</strong>
</a> </h2> </td>
                                                </tr>
                                            </tbody>
                                        </table>
                                        <div class="email-indent" style="margin: 8px 0
16px 0">
                                            <p class="aui-message info" style="font-size:
13px; margin: 1em 0; padding: 8px; background-color: #e0f0ff; border: 1px solid #9eb6d4">
<b>Comment:</b> Added lots more information about Tapestry security features </p>
                                            <div class="email-diff">
                                                <div id="page-diffs" class="wiki-content">
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px">Tapestry <span class="diff-html-added" id="added-diff-0" style="font-size:
100%; background-color: #ddfade;">has a number of security features designed to harden
your application against unwanted intrusion and denial of service.</span> </p>
                                                    <table class="diff-macro diff-html-added
diff-block-target diff-block-context" style="background-color: #f0f0f0;border: 1px solid #dddddd;margin:
10px 1px;padding: 0 2px 2px;width: 100%;background-color: #ddfade;border-color: #93c49f;">
                                                        <thead>
                                                            <tr>
                                                                <th class="diff-macro-title"
style="background-color: transparent; text-align: left; font-weight: normal;padding: 5px;;
font-size: 13px"><span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;"><span class="icon macro-placeholder-icon" style="background-color: ;line-height:
20px;"><img src="https://cwiki.apache.org/confluence/s/en_GB-1988229788/4109/76e0dbb30bc8580e459c201f3535d84f9283a9ac.1/_/images/icons/macrobrowser/macro-placeholder-default.png"
style="padding-right: 5px; vertical-align: text-bottom;" /> </span>Wiki Markup</span></th>
                                                            </tr>
                                                        </thead>
                                                        <tbody>
                                                            <tr>
                                                                <td class="diff-macro-body"
style="background-color: #fff;border: 1px solid #dddddd;padding: 10px;; font-size: 13px">
<pre style="font-size: 13px">
<span class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">{float:right|background=#eee}
{contentbylabel:title=Related Articles|showLabels=false|showSpace=false|space=@self|labels=spring,security}
{float}</span>
</pre> </td>
                                                            </tr>
                                                        </tbody>
                                                    </table>
                                                    <h2 id="Security-HTTPS-onlyPages" class="diff-block-target
diff-block-context"> <span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;">HTTPS-only Pages</span> </h2>
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px"> <span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;">Main Article: </span><a class="confluence-link unresolved" href="#"
style="color: #326ca6; text-decoration: none"><span class="diff-html-added" style="font-size:
100%; background-color: #ddfade;">HTTPS</span></a> </p>
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px"> <span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;">Tapestry provides several annotations and configuration settings that you can
use to&nbsp;</span><span style="text-align: justify;line-height: 1.4285715;"><span
class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">ensure that
all access to certain pages–or all pages–occurs only via the encrypted HTTPS protocol</span></span><span
style="text-align: justify;line-height: 1.4285715;"><span class="diff-html-added" style="font-size:
100%; background-color: #ddfade;">. See&nbsp;</span><a class="confluence-link
unresolved" href="#" style="color: #326ca6; text-decoration: none"><span class="diff-html-added"
style="font-size: 100%; background-color: #ddfade;">HTTPS</span></a><span
class="diff-html-added" style="font-size: 100%; background-color: #ddfade;"> for details.</span></span>
</p>
                                                    <h2 id="Security-ControllingPageAccess"
class="diff-block-target diff-block-context"> <span style="text-align: justify;line-height:
1.4285715;"><span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;">Controlling Page Access</span></span> </h2>
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px"> <span style="text-align: justify;line-height: 1.4285715;"><span
class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">&nbsp;</span></span>
</p>
                                                    <table class="diff-macro diff-html-added
diff-block-target diff-block-context" style="background-color: #f0f0f0;border: 1px solid #dddddd;margin:
10px 1px;padding: 0 2px 2px;width: 100%;background-color: #ddfade;border-color: #93c49f;">
                                                        <thead>
                                                            <tr>
                                                                <th class="diff-macro-title"
style="background-color: transparent; text-align: left; font-weight: normal;padding: 5px;;
font-size: 13px"><span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;"><span class="icon macro-placeholder-icon" style="background-color: ;line-height:
20px;"><img src="https://cwiki.apache.org/confluence/s/en_GB-1988229788/4109/76e0dbb30bc8580e459c201f3535d84f9283a9ac.1/_/images/icons/macrobrowser/macro-placeholder-default.png"
style="padding-right: 5px; vertical-align: text-bottom;" /> </span>Wiki Markup</span></th>
                                                            </tr>
                                                        </thead>
                                                        <tbody>
                                                            <tr>
                                                                <td class="diff-macro-body"
style="background-color: #fff;border: 1px solid #dddddd;padding: 10px;; font-size: 13px">
<pre style="font-size: 13px">
<span class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">{float:right|background=#eee|padding=0
1em}
    *JumpStart Demo:*
    [Protecting Pages|http://jumpstart.doublenegative.com.au/jumpstart/examples/infrastructure/protectingpages]
{float}</span>
</pre> </td>
                                                            </tr>
                                                        </tbody>
                                                    </table>
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px"> <span style="text-align: justify;line-height: 1.4285715;"><span
class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">For simple
access control needs, you can contribute a&nbsp;</span><span><a href="http://tapestry.apache.org/current/apidocs/org/apache/tapestry5/services/ComponentRequestFilter.html"
class="external-link" rel="nofollow" style="color: #326ca6; text-decoration: none"><span
class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">ComponentRequestFilter</span></a><span
class="diff-html-added" style="font-size: 100%; background-color: #ddfade;"> with your
custom logic that decides which pages should be accessed by which users. Make sure the filter
covers both page render requests and component event requests (the filter interface has a
method for each): an action link or form submission belonging to a protected page arrives as
an event request, so a check applied only to page rendering would let it through.</span></span></span>
</p>
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px"> <span style="line-height: 1.4285715;text-align: justify;"><span
class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">For more advanced
needs see the Security Framework Integration section below.</span></span> </p>
                                                    <h2 id="Security-White-listedPages"
class="diff-block-target diff-block-context"> <span class="diff-html-added" style="font-size:
100%; background-color: #ddfade;">White-listed Pages</span> </h2>
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px"> <span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;">Pages whose component classes are annotated with&nbsp;@</span><a
href="http://tapestry.apache.org/current/apidocs/org/apache/tapestry5/annotations/WhitelistAccessOnly.html"
class="external-link" rel="nofollow" style="color: #326ca6; text-decoration: none"><span
class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">WhitelistAccessOnly</span></a><span
class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">&nbsp;will
only be displayed to users (clients) that are on the&nbsp;</span><em><span
class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">whitelist</span></em><span
class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">. By default
the whitelist consists only of clients whose fully-qualified domain name is &quot;localhost&quot;
(or the IP address equivalent, 127.0.0.1 or 0:0:0:0:0:0:0:1),&nbsp;but you can customize
this by contributing to the ClientWhitelist service&nbsp;in your application's module
class (usually AppModule.java):</span> </p>
                                                    <table class="diff-macro diff-html-added
diff-block-target diff-block-context" style="background-color: #f0f0f0;border: 1px solid #dddddd;margin:
10px 1px;padding: 0 2px 2px;width: 100%;background-color: #ddfade;border-color: #93c49f;">
                                                        <thead>
                                                            <tr>
                                                                <th class="diff-macro-title"
style="background-color: transparent; text-align: left; font-weight: normal;padding: 5px;;
font-size: 13px"><span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;"><span class="icon macro-placeholder-icon" style="background-color: ;line-height:
20px;"><img src="https://cwiki.apache.org/confluence/s/en_GB-1988229788/4109/76e0dbb30bc8580e459c201f3535d84f9283a9ac.1/_/plugins/servlet/confluence/placeholder/macro-icon?name=code"
style="padding-right: 5px; vertical-align: text-bottom;" /> </span>Code Block</span></th>
                                                            </tr>
                                                        </thead>
                                                        <tbody>
                                                            <tr>
                                                                <td class="diff-macro-properties"
style="background-color: #fafafa; padding: 0 0 0 5px; font-size: 12px; text-align: left;padding:
0; border: 1px solid #dddddd;; font-size: 13px">
                                                                    <table>
                                                                        <tbody>
                                                                            <tr>
                                                                                <td style="background-color:
#fafafa; padding: 0 0 0 5px; font-size: 12px; text-align: left;; font-size: 13px"><span
class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">title</span></td>
                                                                                <td style="background-color:
#fafafa; padding: 0 0 0 5px; font-size: 12px; text-align: left;; font-size: 13px"><span
class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">AppModule.java
(partial) -- simple inline example</span></td>
                                                                            </tr>
                                                                            <tr>
                                                                                <td style="background-color:
#fafafa; padding: 0 0 0 5px; font-size: 12px; text-align: left;; font-size: 13px"><span
class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">language</span></td>
                                                                                <td style="background-color:
#fafafa; padding: 0 0 0 5px; font-size: 12px; text-align: left;; font-size: 13px"><span
class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">java</span></td>
                                                                            </tr>
                                                                        </tbody>
                                                                    </table> </td>
                                                            </tr>
                                                        </tbody>
                                                        <tbody>
                                                            <tr>
                                                                <td class="diff-macro-body"
style="background-color: #fff;border: 1px solid #dddddd;padding: 10px;; font-size: 13px">
<pre style="font-size: 13px">
<span class="diff-html-added" style="font-size: 100%; background-color: #ddfade;"> 
  // Contributes a custom WhitelistAnalyzer to the ClientWhitelist service so that clients
  // other than localhost can be admitted to pages annotated with @WhitelistAccessOnly.
  @Contribute(ClientWhitelist.class)
    public static void provideWhitelistAnalyzer(OrderedConfiguration&lt;WhitelistAnalyzer&gt;
configuration)
    {
        // before:* orders this analyzer ahead of every other contribution, including the
        // built-in localhost-only analyzer. How the chain combines several analyzers'
        // answers is not shown here -- check the ClientWhitelist javadoc before relying on it.
        configuration.add(&quot;FooAnalyzer&quot;, new WhitelistAnalyzer()
        {
            public boolean isRequestOnWhitelist(Request request)
            {
                // add your custom logic here and return true or false
                // SECURITY: as written this returns true for EVERY request, which puts every
                // client on the whitelist and makes all @WhitelistAccessOnly pages visible to
                // the whole world. Replace it with a real decision (remote address allow-list,
                // authenticated role, etc.) before this module ships; never deploy the stub.
                return true;
            }
        }, &quot;before:*&quot;);
    }</span>
</pre> </td>
                                                            </tr>
                                                        </tbody>
                                                    </table>
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px"> <span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;">&nbsp;</span> </p>
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px"> <span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;">In production, a reverse proxy, load balancer or firewall in front of the application
server can make every request appear to originate from localhost (the server sees the proxy's
address, not the browser's), with the consequence that whitelisted pages become visible to all
users. Before relying on the default whitelist, verify from a remote client that such pages are
refused; and if your own analyzer consults forwarded headers (such as X-Forwarded-For) to
recover the real client address, remember that those headers are client-supplied unless your
proxy strips and re-sets them. See the&nbsp;</span><a href="/confluence/display/TAPESTRY/Security"
style="color: #326ca6; text-decoration: none"><span class="diff-html-added" style="font-size:
100%; background-color: #ddfade;">Security FAQ</span></a><span class="diff-html-added"
style="font-size: 100%; background-color: #ddfade;"> for how to deal with this.</span>
</p>
                                                    <h2 id="Security-AssetSecurity" class="diff-block-target
diff-block-context"> <span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;">Asset Security</span> </h2>
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px"> <span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;">Main Article:&nbsp;</span><a class="confluence-link unresolved"
href="#" style="color: #326ca6; text-decoration: none"><span class="diff-html-added"
style="font-size: 100%; background-color: #ddfade;">Assets</span></a> </p>
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px"> <span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;">Tapestry serves assets (static content such as CSS files, images, and JavaScript,
many of which are on the classpath alongside your compiled class files) to the client.&nbsp;Because
of this, great care has gone into ensuring that certain file types cannot be served to the
client. By default, files ending in &quot;.class&quot;, &quot;.tml&quot; and &quot;.properties&quot;
can be served to the client only if the request includes the file's MD5 checksum. Because that
checksum is computed from the file's contents it is a fingerprint, not a secret credential: it
stops casual retrieval, but do not rely on it to protect a file whose contents an attacker could
guess or obtain elsewhere, and keep secrets (for example database passwords in .properties files)
out of classpath locations that asset URLs can reach. As you would
expect, that blacklist can be extended. See&nbsp;</span><a class="confluence-link
unresolved" href="#" style="color: #326ca6; text-decoration: none"><span class="diff-html-added"
style="font-size: 100%; background-color: #ddfade;">Asset Security</span></a><span
class="diff-html-added" style="font-size: 100%; background-color: #ddfade;"> for more information.</span>
</p>
                                                    <h2 id="Security-ProtectingSerializedObjectDataontheClient"
class="diff-block-target diff-block-context"> <span class="diff-html-added" style="font-size:
100%; background-color: #ddfade;">Protecting Serialized Object Data on the Client</span>
</h2>
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px"> <span style="color: rgb(0,0,0);"><span class="diff-html-added"
style="font-size: 100%; background-color: #ddfade;">As of version 5.3.6, Tapestry integrates
a&nbsp;</span></span><a class="external-link" href="http://en.wikipedia.org/wiki/HMAC"
style="text-decoration: underline;text-align: justify;; color: #326ca6; text-decoration: none"
rel="nofollow"><span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;">hash-based message authentication code</span></a><span style="color:
rgb(0,0,0);"><span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;">&nbsp;(HMAC) into serialized Java object data that it sends to the client
(generally, this means the&nbsp;</span></span><code style="text-align:
justify;; font-size: 13px"><span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;">t:formdata</span></code><span style="color: rgb(0,0,0);"><span
class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">&nbsp;hidden
field used by the Form component). This lets the server verify that the hidden binary object data
has not been altered when it returns to the server upon form (or AJAX) submission. Note that the
HMAC provides integrity and authenticity only: the serialized data is not encrypted and remains
readable by anyone who can see the page source, so never place secrets in it. The HMAC pass
phrase is set using the&nbsp;</span><a class="confluence-link unresolved" href="#"
style="color: #326ca6; text-decoration: none"><span class="diff-html-added" style="font-size:
100%; background-color: #ddfade;">tapestry.hmac-passphrase</span></a><span
class="diff-html-added" style="font-size: 100%; background-color: #ddfade;"> configuration
symbol. If you don't set that value, you'll see a warning message in the browser, like this:&nbsp;</span></span>
</p>
                                                    <table class="diff-macro diff-html-added
diff-block-target diff-block-context" style="background-color: #f0f0f0;border: 1px solid #dddddd;margin:
10px 1px;padding: 0 2px 2px;width: 100%;background-color: #ddfade;border-color: #93c49f;">
                                                        <thead>
                                                            <tr>
                                                                <th class="diff-macro-title"
style="background-color: transparent; text-align: left; font-weight: normal;padding: 5px;;
font-size: 13px"><span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;"><span class="icon macro-placeholder-icon" style="background-color: ;line-height:
20px;"><img src="https://cwiki.apache.org/confluence/s/en_GB-1988229788/4109/76e0dbb30bc8580e459c201f3535d84f9283a9ac.1/_/images/icons/macrobrowser/dropdown/noformat.png"
style="padding-right: 5px; vertical-align: text-bottom;" /> </span>No Format</span></th>
                                                            </tr>
                                                        </thead>
                                                        <tbody>
                                                            <tr>
                                                                <td class="diff-macro-body"
style="background-color: #fff;border: 1px solid #dddddd;padding: 10px;; font-size: 13px">
<pre style="font-size: 13px">
<span class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">The
symbol 'tapestry.hmac-passphrase' has not been configured. This is used to configure hash-based
message authentication of Tapestry data stored in forms, or in the URL. You application is
less secure, and more vulnerable to denial-of-service attacks, when this symbol is not configured.</span>
</pre> </td>
                                                            </tr>
                                                        </tbody>
                                                    </table>
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px"> <span style="color: rgb(0,0,0);"><span class="diff-html-added"
style="font-size: 100%; background-color: #ddfade;">The solution is to set the tapestry.hmac-passphrase
symbol to a fixed, private string. Generate it with a cryptographically secure random source
(30 to 40 random characters is ample) rather than choosing something memorable; treat it as a
secret, because anyone who learns it can forge the signed data (so do not commit it to version
control or paste it into bug reports); and use the same value on every server in a cluster so
that a form rendered by one node validates on another. You can contribute it in your application's
module class (usually AppModule.java), or supply it from outside the code base, for example as a
JVM system property, which keeps it out of source control.</span></span>
</p>
                                                    <h2 id="Security-CrossSiteRequestForgery(CSRF)"
class="diff-block-target diff-block-context"> <span style="color: rgb(83,145,38);font-size:
20.0px;line-height: 1.5;"><span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;">Cross Site Request Forgery (CSRF)</span></span> </h2>
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px"> <span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;">Cross Site Request Forgery is a type of security vulnerability in which an attacker's
page causes the browser of a legitimate, already-authenticated user to submit requests to your
web application without the user's knowledge, so that state-changing actions are performed on
the attacker's behalf using the victim's session. The module below is one way to add protection.</span>
</p>
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px"> <a href="https://github.com/porscheinformatik/tapestry-csrf-protection"
class="external-link" rel="nofollow" style="color: #326ca6; text-decoration: none"><span
class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">Tapestry-csrf-protection</span></a><span
class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">&nbsp;is
a 3rd party module that has several features for preventing CSRF attacks. It protects all&nbsp;</span><span><span
class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">component event
handlers (event links, forms, etc.) by adding a&nbsp;</span></span><span><span
class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">CSRF token
to event links and adds a CSRF token as a hidden field to all forms.&nbsp;</span></span><span><span
class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">Tokens are
generated on a per-session basis.</span></span> </p>
                                                    <h2 id="Security-SecurityFrameworkIntegration"
class="diff-block-target diff-block-context"> <span style="line-height: 1.5;"><span
class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">Security Framework
Integration</span></span> </h2>
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px"> <span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;">Tapestry </span>does not come with a built-in <span class="diff-html-removed"
id="removed-diff-0" style="font-size: 100%; background-color: #ffe7e7; text-decoration: line-through;">security
implementation </span><span class="diff-html-added" id="added-diff-1" style="font-size:
100%; background-color: #ddfade;">authentication/authorization mechanism, </span>to
avoid lock-in to a specific <span class="diff-html-removed" id="removed-diff-1" style="font-size:
100%; background-color: #ffe7e7; text-decoration: line-through;">security framework</span><span
class="diff-html-added" id="added-diff-2" style="font-size: 100%; background-color: #ddfade;">implementation</span>.
There are various Java security frameworks available, but the two main Java-based open source
ones are Apache Shiro (earlier JSecurity) and Spring Security (earlier Acegi
Security). Spring Security is the more popular of the two (because of Spring's popularity),
whereas Shiro is widely regarded as the more flexible choice. There are well-maintained Tapestry
integration projects for both of these frameworks,<span class="diff-html-added" id="added-diff-3"
style="font-size: 100%; background-color: #ddfade;">&nbsp;</span><strong><a
href="http://tynamo.org/tapestry-security+guide" class="external-link" rel="nofollow" style="color:
#326ca6; text-decoration: none">tapestry-security</a></strong><span class="diff-html-removed"
style="font-size: 100%; background-color: #ffe7e7; text-decoration: line-through;"> </span><span
class="diff-html-removed" id="removed-diff-2" style="font-size: 100%; background-color: #ffe7e7;
text-decoration: line-through;">for </span><span class="diff-html-added" id="added-diff-4"
style="font-size: 100%; background-color: #ddfade;">&nbsp;for </span>Apache Shiro
(from Tynamo.org) <span class="diff-html-removed" id="removed-diff-3" style="font-size:
100%; background-color: #ffe7e7; text-decoration: line-through;">and </span><span
class="diff-html-added" id="added-diff-5" style="font-size: 100%; background-color: #ddfade;">and&nbsp;</span><strong><a
href="http://www.localhost.nu/java/tapestry-spring-security" class="external-link" rel="nofollow"
style="color: #326ca6; text-decoration: none">tapestry-spring-security</a></strong><span
class="diff-html-removed" style="font-size: 100%; background-color: #ffe7e7; text-decoration:
line-through;"> </span><span class="diff-html-removed" id="removed-diff-4" style="font-size:
100%; background-color: #ffe7e7; text-decoration: line-through;">for </span><span
class="diff-html-added" id="added-diff-6" style="font-size: 100%; background-color: #ddfade;">&nbsp;for
</span>Spring Security.</p>
                                                    <table class="diff-macro diff-html-removed
diff-block-target diff-block-context" style="background-color: #f0f0f0;border: 1px solid #dddddd;margin:
10px 1px;padding: 0 2px 2px;width: 100%;background-color: #ffe7e7;border-color: #df9898;">
                                                        <thead>
                                                            <tr>
                                                                <th class="diff-macro-title"
style="background-color: transparent; text-align: left; font-weight: normal;padding: 5px;;
font-size: 13px"><span class="diff-html-removed" id="removed-diff-5" style="font-size:
100%; background-color: #ffe7e7; text-decoration: line-through;"><span class="icon macro-placeholder-icon"
style="background-color: ;line-height: 20px;"><img src="https://cwiki.apache.org/confluence/s/en_GB-1988229788/4109/76e0dbb30bc8580e459c201f3535d84f9283a9ac.1/_/images/icons/macrobrowser/macro-placeholder-default.png"
style="padding-right: 5px; vertical-align: text-bottom;" /> </span>Wiki Markup</span></th>
                                                            </tr>
                                                        </thead>
                                                        <tbody>
                                                            <tr>
                                                                <td class="diff-macro-body"
style="background-color: #fff;border: 1px solid #dddddd;padding: 10px;; font-size: 13px">
<pre style="font-size: 13px">
<span class="diff-html-removed" style="font-size: 100%; background-color: #ffe7e7; text-decoration:
line-through;">{float:right|background=#eee}
{contentbylabel:title=Related Articles|showLabels=false|showSpace=false|space=@self|labels=spring,security}
{float}</span>
</pre> </td>
                                                            </tr>
                                                        </tbody>
                                                    </table>
                                                    <p class="diff-block-context" style="font-size:
13px">For tapestry-security (Shiro-based)</p>
                                                    <p class="diff-context-placeholder"
style="font-size: 13px">...</p>
                                                </div>
                                            </div>
                                        </div>
                                        </td>
                                </tr>
                            </tbody>
                        </table> </td>
                </tr>
            </tbody>
        </table>
    </body>
</html>