
...

  • Your Login page exposes a classpath asset, icon.png.
  • A malicious client copies the URL, /assets/1.0.0/app/pages/icon.png, and changes the file name to Login.class.

    Footnote: This would indicate that the Login page is actually inside a library, which is unlikely. More likely, icon.png is a context asset and the malicious user guessed the path for Login.class by looking at the Tapestry source code.

  • The client decompiles the class file and spots your secret emergency password: goodbye security!

    Footnote: Never create such back doors, of course!

Fortunately, this can't happen. Files with extension ".class" are secured; they must be accompanied in the URL with a query parameter that is the MD5 hash of the file's contents. If the query parameter is absent, or doesn't match the actual file's content, the request is rejected.

When your code exposes an Asset, the URL automatically includes the query parameter if the file type is secured. The malicious user is locked out of access to the files.

Footnote: Unless they already have the files so that they can generate the MD5 checksum ... to get access to the files they already have.
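To make the check concrete, here is an added Python model of the digest gate described above; it is not Tapestry's code, and the query parameter name, the secured-extension list and the asset bytes are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Extensions treated as "secured"; the page names ".class". Constructed list.
SECURED_EXTENSIONS = (".class",)
# Name of the digest query parameter: an assumption, not the framework's real name.
DIGEST_PARAM = "checksum"

# Constructed in-memory stand-in for the classpath/context assets in the scenario.
ASSETS = {
    "/assets/1.0.0/app/pages/icon.png": b"\x89PNG\r\n\x1a\n constructed image bytes",
    "/assets/1.0.0/app/pages/Login.class": b"\xca\xfe\xba\xbe constructed class bytes",
}


def is_secured(path: str) -> bool:
    return path.endswith(SECURED_EXTENSIONS)


def content_digest(data: bytes) -> str:
    """MD5 of the file's contents, as the page describes."""
    return hashlib.md5(data).hexdigest()


def asset_url(path: str) -> str:
    """URL the framework would emit: secured types get the digest appended."""
    if is_secured(path):
        return f"{path}?{DIGEST_PARAM}={content_digest(ASSETS[path])}"
    return path


def serve(url: str):
    """Server-side gate. Returns (status, body): 404 for an unknown asset,
    403 for a secured asset with a missing or wrong digest, 200 otherwise."""
    parts = urlsplit(url)
    data = ASSETS.get(parts.path)
    if data is None:
        return 404, None
    if is_secured(parts.path):
        supplied = parse_qs(parts.query).get(DIGEST_PARAM, [""])[0]
        # Constant-time compare; an absent or empty parameter never matches.
        if not supplied or not hmac.compare_digest(supplied, content_digest(data)):
            return 403, None
    return 200, data


def guessed_class_request() -> int:
    """The scenario from the list above: icon.png's URL with the file name swapped."""
    url = asset_url("/assets/1.0.0/app/pages/icon.png").replace("icon.png", "Login.class")
    return serve(url)[0]
```

The footnote's caveat holds for the model as well: anyone who already holds the class bytes can compute the digest and retrieve what they already have.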

...

By default, this service does nothing. You should include a third-party library, for example the tapestry-yuicompressor project, which makes it possible to minimize CSS and JavaScript files.

pom.xml (partial):

<dependency>
    <groupId>org.apache.tapestry</groupId>
    <artifactId>tapestry-yuicompressor</artifactId>
    <version>5.3.1</version>
</dependency>

...