Author: buildbot
Date: Sat Dec 26 01:19:38 2015
New Revision: 976392
Log:
Production update by buildbot for tapestry
Modified:
websites/production/tapestry/content/cache/main.pageCache
websites/production/tapestry/content/security.html
Modified: websites/production/tapestry/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/tapestry/content/security.html
==============================================================================
--- websites/production/tapestry/content/security.html (original)
+++ websites/production/tapestry/content/security.html Sat Dec 26 01:19:38 2015
@@ -134,7 +134,7 @@
}</pre>
</div></div><p> </p><p>Sometimes, in production, a firewall or proxy may
make it look like the client web browser originates from localhost, with the
consequence that whitelisted pages may be visible to all users. See the <a
href="security.html">Security FAQ</a> for how to deal with this.</p><h2
id="Security-AssetSecurity">Asset Security</h2><p>Main Article: <a
href="assets.html">Assets</a></p><p>Tapestry serves assets (static content such
as CSS files, images, and JavaScript, many of which are on the classpath
alongside your compiled class files) to the client. Because of this, great
care has gone into ensuring that certain file types cannot be served to the
client. By default, file ending with ".class', ".tml" and ".properties" can be
served to the client only if the request includes the file's MD5 checksum. As
you would expect, that blacklist can be extended. See <a
href="assets.html">Asset Security</a> for more information.</p><h2
id="Security-Protect
ingSerializedObjectDataontheClient">Protecting Serialized Object Data on the
Client</h2><p><span style="color: rgb(0,0,0);">As of version 5.3.6, Tapestry
integrates a </span><a class="external-link"
href="http://en.wikipedia.org/wiki/HMAC" style="text-decoration:
underline;text-align: justify;" rel="nofollow">hash-based message
authentication code</a><span style="color: rgb(0,0,0);"> (HMAC) into
serialized Java object data that it sends to the client (generally, this means
the </span><code style="text-align: justify;">t:formdata</code><span
style="color: rgb(0,0,0);"> hidden field used by the Form component). This
ensures that the hidden binary object data is guaranteed to be unaltered when
it returns to the server upon form (or AJAX) submission. The HMAC pass phrase
is set using the <a
href="configuration.html">tapestry.hmac-passphrase</a> configuration symbol. If
you don't set that value, you'll see a warning message in the browser, like
this: </spa
n></p><div class="preformatted panel" style="border-width: 1px;"><div
class="preformattedContent panelContent">
<pre>The symbol 'tapestry.hmac-passphrase' has not been configured. This is
used to configure hash-based message authentication of Tapestry data stored in
forms, or in the URL. You application is less secure, and more vulnerable to
denial-of-service attacks, when this symbol is not configured.</pre>
-</div></div><p><span style="color: rgb(0,0,0);">The solution is to set the
tapestry.hmac-passphrase to some value (any fixed, private string, such as 30
to 40 random-looking characters, will do) in your application's module class
(usually AppModule.java).</span></p><h2
id="Security-CrossSiteRequestForgery(CSRF)"><span style="color:
rgb(83,145,38);font-size: 20.0px;line-height: 1.5;">Cross Site Request Forgery
(CSRF)</span></h2><p>Cross Site Request Forgery is a type of security
vulnerability in which legitimate, authorized users may be made to unwittingly
submit malicious requests to your web application.</p><p><a
class="external-link"
href="https://github.com/porscheinformatik/tapestry-csrf-protection"
rel="nofollow">Tapestry-csrf-protection</a> is a 3rd party module that has
several features for preventing CSRF attacks. It protects
all <span>component event handlers (event links, forms, etc.) by adding
a </span><span>CSRF token to event links and adds a CSRF token
as a hidden field to all forms. </span><span>Tokens are generated on a
per-session basis.</span></p><h2
id="Security-SecurityFrameworkIntegration"><span style="line-height:
1.5;">Security Framework Integration</span></h2><p>Tapestry does not lock you
into a specific authentication/authorization implementation. Instead, there are
integration modules available for the more popular open source Java security
frameworks, namely Apache Shiro (formerly JSecurity) and Spring Security
(formerly Acegi Security). Spring Security is the more popular of the two
(because of Spring's popularity), whereas Shiro is widely regarded as the more
flexible choice.</p><ul><li>The <strong><a class="external-link"
href="http://www.tynamo.org/tapestry-security+guide/"
rel="nofollow">tapestry-security</a></strong> module  (from
Tynamo.org) uses Apache Shiro</li><li>The <a class="external-link"
href="http://www.localhost.nu/java/tapestry-spring-security"
style="font-weight: bold
;" rel="nofollow">tapestry-spring-security</a> module uses Spring
Security.</li></ul><p>Additional information:</p><ul><li><a
class="external-link"
href="http://www.tynamo.org/tynamo-federatedaccounts+guide/"
rel="nofollow">Tynamo-federatedaccounts</a> <span style="color:
rgb(0,0,0);">is an add-on to the </span><a class="external-link"
href="http://www.tynamo.org/tapestry-security+guide/"
rel="nofollow">tapestry-security</a><span style="color:
rgb(0,0,0);"> module, providing federated (third-party) authentication
with Facebook, Twitter or Google.</span></li></ul><ul><li><span
style="line-height: 1.4285715;">To include OpenID with Spring Security in your
application, see the following Wiki entry: </span><a
class="external-link"
href="http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId"
style="line-height:
1.4285715;">http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId</a></li></ul><p> </p></div>
+</div></div><p><span style="color: rgb(0,0,0);">The solution is to set the
tapestry.hmac-passphrase to some value (any fixed, private string, such as 30
to 40 random-looking characters, will do) in your application's module class
(usually AppModule.java).</span></p><h2
id="Security-CrossSiteRequestForgery(CSRF)"><span style="color:
rgb(83,145,38);font-size: 20.0px;line-height: 1.5;">Cross Site Request Forgery
(CSRF)</span></h2><p>Cross Site Request Forgery is a type of security
vulnerability in which legitimate, authorized users may be made to unwittingly
submit malicious requests to your web application.</p><p><a
class="external-link"
href="https://github.com/porscheinformatik/tapestry-csrf-protection"
rel="nofollow">Tapestry-csrf-protection</a> is a 3rd party module that has
several features for preventing CSRF attacks. It protects
all <span>component event handlers (event links, forms, etc.) by adding
a </span><span>CSRF token to event links and adds a CSRF token
as a hidden field to all forms. </span><span>Tokens are generated on a
per-session basis.</span></p><h2
id="Security-SecurityFrameworkIntegration"><span style="line-height:
1.5;">Security Framework Integration</span></h2><p>Tapestry does not lock you
into a specific authentication/authorization implementation. There are
integration modules available for the more popular open source Java security
frameworks. A popular choice among Tapestry users is <a class="external-link"
href="http://www.tynamo.org/tapestry-security+guide/"
rel="nofollow">tapestry-security (based on Apache Shiro) from Tynamo.org</a>.
It is always kept up-to-date with the latest Tapestry versions and offers
several supporting security modules (e.g. <a class="external-link"
href="http://www.tynamo.org/tapestry-security-jpa+guide/"
rel="nofollow">tapestry-security-jpa</a>, <a class="external-link"
href="http://www.tynamo.org/tynamo-federatedaccounts+guide/"
rel="nofollow">tynamo-federatedaccounts</a>). There's
also an <a class="external-link"
href="http://www.localhost.nu/java/tapestry-spring-security"
rel="nofollow">integration module available for Spring Security</a> but lately,
it hasn't kept up with the latest versions of Tapestry 5.</p><p>Additional
information:</p><ul><li><a class="external-link"
href="http://www.tynamo.org/tynamo-federatedaccounts+guide/"
rel="nofollow">Tynamo-federatedaccounts</a> <span style="color:
rgb(0,0,0);">is an add-on to the </span><a class="external-link"
href="http://www.tynamo.org/tapestry-security+guide/"
rel="nofollow">tapestry-security</a><span style="color:
rgb(0,0,0);"> module, providing federated (third-party) authentication
with Facebook, Twitter or Google.</span></li></ul><ul><li><span
style="line-height: 1.4285715;">To include OpenID with Spring Security in your
application, see the following Wiki entry: </span><a
class="external-link"
href="http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId"
style="l
ine-height:
1.4285715;">http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId</a></li></ul><p> </p></div>
</div>
<div class="clearer"></div>
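Review bot: In the rewritten Security Framework Integration paragraph, the claims that tapestry-security "is always kept up-to-date with the latest Tapestry versions" and that the Spring Security module "hasn't kept up with the latest versions of Tapestry 5" are time-relative and will go stale on a security page. Name the Tapestry versions each module is known to work with instead. The retained "Additional information" list still sends readers to the OpenID with Spring Security wiki entry right after the paragraph says that integration has fallen behind, so that bullet should carry the same caveat or be dropped. The tynamo-federatedaccounts link now appears twice, once in the paragraph and once in the list. Separately, the passphrase sentence carried over unchanged still says "random-looking characters"; because tapestry.hmac-passphrase keys the HMAC over the t:formdata field, the guidance would be safer if it asked for a randomly generated string.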