tapestry-dev mailing list archives

From build...@apache.org
Subject svn commit: r976392 - in /websites/production/tapestry/content: cache/main.pageCache security.html
Date Sat, 26 Dec 2015 01:19:38 GMT
Author: buildbot
Date: Sat Dec 26 01:19:38 2015
New Revision: 976392

Log:
Production update by buildbot for tapestry

Modified:
    websites/production/tapestry/content/cache/main.pageCache
    websites/production/tapestry/content/security.html

Modified: websites/production/tapestry/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/tapestry/content/security.html
==============================================================================
--- websites/production/tapestry/content/security.html (original)
+++ websites/production/tapestry/content/security.html Sat Dec 26 01:19:38 2015
@@ -134,7 +134,7 @@
     }</pre>
 </div></div><p>&#160;</p><p>Sometimes, in production, a
firewall or proxy may make it look like the client web browser originates from localhost,
with the consequence that whitelisted pages may be visible to all users. See the&#160;<a
 href="security.html">Security FAQ</a> for how to deal with this.</p><h2
id="Security-AssetSecurity">Asset Security</h2><p>Main Article:&#160;<a
 href="assets.html">Assets</a></p><p>Tapestry serves assets (static content
such as CSS files, images, and JavaScript, many of which are on the classpath alongside your
compiled class files) to the client.&#160;Because of this, great care has gone into ensuring
that certain file types cannot be served to the client. By default, file ending with ".class',
".tml" and ".properties" can be served to the client only if the request includes the file's
MD5 checksum. As you would expect, that blacklist can be extended. See&#160;<a  href="assets.html">Asset
Security</a> for more information.</p><h2 id="Security-Protect
 ingSerializedObjectDataontheClient">Protecting Serialized Object Data on the Client</h2><p><span
style="color: rgb(0,0,0);">As of version 5.3.6, Tapestry integrates a&#160;</span><a
 class="external-link" href="http://en.wikipedia.org/wiki/HMAC" style="text-decoration: underline;text-align:
justify;" rel="nofollow">hash-based message authentication code</a><span style="color:
rgb(0,0,0);">&#160;(HMAC) into serialized Java object data that it sends to the client
(generally, this means the&#160;</span><code style="text-align: justify;">t:formdata</code><span
style="color: rgb(0,0,0);">&#160;hidden field used by the Form component). This ensures
that the hidden binary object data is guaranteed to be unaltered when it returns to the server
upon form (or AJAX) submission. The HMAC pass phrase is set using the&#160;<a  href="configuration.html">tapestry.hmac-passphrase</a>
configuration symbol. If you don't set that value, you'll see a warning message in the browser,
like this:&#160;</spa
 n></p><div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent
panelContent">
 <pre>The symbol 'tapestry.hmac-passphrase' has not been configured. This is used to
configure hash-based message authentication of Tapestry data stored in forms, or in the URL.
You application is less secure, and more vulnerable to denial-of-service attacks, when this
symbol is not configured.</pre>
-</div></div><p><span style="color: rgb(0,0,0);">The solution is to
set the tapestry.hmac-passphrase to some value (any fixed, private string, such as 30 to 40
random-looking characters, will do) in your application's module class (usually AppModule.java).</span></p><h2
id="Security-CrossSiteRequestForgery(CSRF)"><span style="color: rgb(83,145,38);font-size:
20.0px;line-height: 1.5;">Cross Site Request Forgery (CSRF)</span></h2><p>Cross
Site Request Forgery is a type of security vulnerability in which legitimate, authorized users
may be made to unwittingly submit malicious requests to your web application.</p><p><a
 class="external-link" href="https://github.com/porscheinformatik/tapestry-csrf-protection"
rel="nofollow">Tapestry-csrf-protection</a>&#160;is a 3rd party module that has
several features for preventing CSRF attacks. It protects all&#160;<span>component
event handlers (event links, forms, etc.) by adding a&#160;</span><span>CSRF
token to event links and adds a CSRF token 
 as a hidden field to all forms.&#160;</span><span>Tokens are generated on
a per-session basis.</span></p><h2 id="Security-SecurityFrameworkIntegration"><span
style="line-height: 1.5;">Security Framework Integration</span></h2><p>Tapestry
does not lock you into a specific authentication/authorization implementation. Instead, there
are integration modules available for the more popular open source Java security frameworks,
namely Apache Shiro (formerly JSecurity) and Spring Security (formerly Acegi Security). Spring
Security is the more popular of the two (because of Spring's popularity), whereas Shiro is
widely regarded as the more flexible choice.</p><ul><li>The&#160;<strong><a
 class="external-link" href="http://www.tynamo.org/tapestry-security+guide/" rel="nofollow">tapestry-security</a></strong>&#160;module
&#160;(from Tynamo.org)&#160;uses Apache Shiro</li><li>The&#160;<a
 class="external-link" href="http://www.localhost.nu/java/tapestry-spring-security" style="font-weight:
bold
 ;" rel="nofollow">tapestry-spring-security</a>&#160;module uses Spring Security.</li></ul><p>Additional
information:</p><ul><li><a  class="external-link" href="http://www.tynamo.org/tynamo-federatedaccounts+guide/"
rel="nofollow">Tynamo-federatedaccounts</a>&#160;<span style="color: rgb(0,0,0);">is
an add-on to the&#160;</span><a  class="external-link" href="http://www.tynamo.org/tapestry-security+guide/"
rel="nofollow">tapestry-security</a><span style="color: rgb(0,0,0);">&#160;module,
providing federated (third-party) authentication with Facebook, Twitter or Google.</span></li></ul><ul><li><span
style="line-height: 1.4285715;">To include OpenID with Spring Security in your application,
see the following Wiki entry:&#160;</span><a  class="external-link" href="http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId"
style="line-height: 1.4285715;">http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId</a></li></ul><p>&#160;</p></div>
+</div></div><p><span style="color: rgb(0,0,0);">The solution is to
set the tapestry.hmac-passphrase to some value (any fixed, private string, such as 30 to 40
random-looking characters, will do) in your application's module class (usually AppModule.java).</span></p><h2
id="Security-CrossSiteRequestForgery(CSRF)"><span style="color: rgb(83,145,38);font-size:
20.0px;line-height: 1.5;">Cross Site Request Forgery (CSRF)</span></h2><p>Cross
Site Request Forgery is a type of security vulnerability in which legitimate, authorized users
may be made to unwittingly submit malicious requests to your web application.</p><p><a
 class="external-link" href="https://github.com/porscheinformatik/tapestry-csrf-protection"
rel="nofollow">Tapestry-csrf-protection</a>&#160;is a 3rd party module that has
several features for preventing CSRF attacks. It protects all&#160;<span>component
event handlers (event links, forms, etc.) by adding a&#160;</span><span>CSRF
token to event links and adds a CSRF token 
 as a hidden field to all forms.&#160;</span><span>Tokens are generated on
a per-session basis.</span></p><h2 id="Security-SecurityFrameworkIntegration"><span
style="line-height: 1.5;">Security Framework Integration</span></h2><p>Tapestry
does not lock you into a specific authentication/authorization implementation. There are integration
modules available for the more popular open source Java security frameworks. A popular choice
among Tapestry users is <a  class="external-link" href="http://www.tynamo.org/tapestry-security+guide/"
rel="nofollow">tapestry-security (based on Apache Shiro) from Tynamo.org</a>. It
is always kept up-to-date with the latest Tapestry versions and offers several supporting
security modules (e.g. <a  class="external-link" href="http://www.tynamo.org/tapestry-security-jpa+guide/"
rel="nofollow">tapestry-security-jpa</a>, <a  class="external-link" href="http://www.tynamo.org/tynamo-federatedaccounts+guide/"
rel="nofollow">tynamo-federatedaccounts</a>). There's
  also an <a  class="external-link" href="http://www.localhost.nu/java/tapestry-spring-security"
rel="nofollow">integration module available for Spring Security</a> but lately, it
hasn't kept up with the latest versions of Tapestry 5.</p><p>Additional information:</p><ul><li><a
 class="external-link" href="http://www.tynamo.org/tynamo-federatedaccounts+guide/" rel="nofollow">Tynamo-federatedaccounts</a>&#160;<span
style="color: rgb(0,0,0);">is an add-on to the&#160;</span><a  class="external-link"
href="http://www.tynamo.org/tapestry-security+guide/" rel="nofollow">tapestry-security</a><span
style="color: rgb(0,0,0);">&#160;module, providing federated (third-party) authentication
with Facebook, Twitter or Google.</span></li></ul><ul><li><span
style="line-height: 1.4285715;">To include OpenID with Spring Security in your application,
see the following Wiki entry:&#160;</span><a  class="external-link" href="http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId"
style="l
 ine-height: 1.4285715;">http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId</a></li></ul><p>&#160;</p></div>
       </div>
 
       <div class="clearer"></div>
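Review bot: the rewritten Security Framework Integration paragraph in the `+` line already names tynamo-federatedaccounts as one of tapestry-security's supporting modules, yet the unchanged "Additional information" list that follows still introduces it a second time as an add-on to tapestry-security; fold one mention into the other so the page does not describe the same module twice. The new wording "It is always kept up-to-date with the latest Tapestry versions" is an open-ended promise about a third-party project that will silently go stale; phrase it as a present-tense observation (for example "is currently maintained against the latest Tapestry releases"), and for the Spring Security module state which Tapestry 5 version it last supported instead of "lately, it hasn't kept up with the latest versions of Tapestry 5", since a reader deciding whether to adopt it needs the version, not the sentiment. Note also that the OpenID/Spring Security wiki link in the last list item is kept while the paragraph now steers readers away from the Spring Security integration; a short qualifier on that item would keep the section consistent. Because the CMS export emits the whole page body as one `-`/`+` line, the HMAC and CSRF sections appear in the diff although only the framework-integration paragraph actually changed.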


