You should have an explicit application version number for any production application. Client browsers will aggressively cache downloaded assets; they will usually not even send a request to see if the asset has changed once the asset is downloaded the first time. Because of this, it is very important that each new deployment of your application gets a new version number: this will force existing clients to re-download all files.

Asset Security

Because Tapestry directly exposes files on the classpath to clients, some thought has gone into ensuring that malicious clients are not able to download assets that should not be visible to them.

First of all, there's a package limitation: classpath assets are only visible if there's a LibraryMapping for them, and the library mapping substitutes for the initial folders on the classpath. Since the most secure assets, things like hibernate.cfg.xml, are located in the unnamed package, they are always off limits.

But what about other files on the classpath? Imagine this scenario:

  • Your Login page exposes a classpath asset, icon.png.
  • A malicious client copies the URL, /assets/1.0.0/foo/pages/icon.png, and changes the file name to Login.class. (Footnote: This would indicate that the Login page is actually inside a library, which is unlikely. More likely, icon.png is a context asset and the malicious user guessed the path for Login.class by looking at the Tapestry source code.)
  • The client decompiles the class file and spots your secret emergency password: goodbye security!

Fortunately, this can't happen. Files with extension ".class" are secured; they must be accompanied in the URL by a query parameter that is the MD5 hash of the file's contents. If the query parameter is absent, or doesn't match the actual file's content, the request is rejected.

When your code exposes an Asset, the URL will automatically include the query parameter if the file type is secured. The malicious user is locked out of access to the files. (Footnote: Unless they already have the files so that they can generate the MD5 checksum ... to get access to the files they already have.)

By default, Tapestry secures file extensions ".class", ".tml" and ".properties". The list can be extended by making a contribution to the ResourceDigestGenerator service.
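
A minimal model of the digest check described above, added here as an illustration and not taken from Tapestry's own code. The class name, method names and sample file bytes are assumptions; the secured extensions and the URL prefix are the ones given on this page.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;
import java.util.Set;

// Added illustration of a digest gate for secured asset types (hypothetical class).
public class SecuredAssetGate {
    // Extensions this page lists as secured by default.
    static final Set<String> SECURED = Set.of("class", "tml", "properties");

    static String md5Hex(byte[] content) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("MD5").digest(content);
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Match on the file name only, case-insensitively, so "Login.CLASS" is also secured.
    static boolean requiresDigest(String path) {
        String name = path.substring(path.lastIndexOf('/') + 1);
        int dot = name.lastIndexOf('.');
        return dot >= 0 && SECURED.contains(name.substring(dot + 1).toLowerCase(Locale.ROOT));
    }

    // digestParam models the query parameter value; null means it was absent.
    static boolean allow(String path, String digestParam, byte[] content)
            throws NoSuchAlgorithmException {
        if (!requiresDigest(path)) return true;   // unsecured type: no digest needed
        if (digestParam == null) return false;    // secured type without a digest
        byte[] expected = md5Hex(content).getBytes(StandardCharsets.US_ASCII);
        byte[] supplied = digestParam.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, supplied); // comparison not short-circuited
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample contents standing in for real files.
        byte[] icon = "constructed png bytes".getBytes(StandardCharsets.UTF_8);
        byte[] login = "constructed class bytes".getBytes(StandardCharsets.UTF_8);
        String base = "/assets/1.0.0/foo/pages/";
        // Case 1: unsecured extension, no digest supplied.
        System.out.println(allow(base + "icon.png", null, icon));
        // Case 2: file name swapped to a secured type, digest absent.
        System.out.println(allow(base + "Login.class", null, login));
        // Case 3: digest of a different file supplied.
        System.out.println(allow(base + "Login.class", md5Hex(icon), login));
        // Case 4: digest matches the content, as in a URL the server generated itself.
        System.out.println(allow(base + "Login.class", md5Hex(login), login));
    }
}
```

The digest here is a proof that the requester already knows the file's content, not a secret: anyone holding the file can compute it, which is the point the footnote above makes.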
