Tapestry has a number of security features designed to harden your application against unwanted intrusion and denial of service.
Main Article: HTTPS
Tapestry provides several annotations and configuration settings that you can use to ensure that all access to certain pages (or all pages) occurs only via the encrypted HTTPS protocol. See HTTPS for details.
Controlling Page AccessFor simple access control needs, you can contribute a ComponentRequestFilter with your custom logic that decides which pages should be accessed by which users. The Tapestry Hotel Booking app demonstrates this approach with an
@AnonymousAccessannotation along with a ComponentRequestFilter named
AuthenticationFilter.java. The filter enforces security by intercepting all requests to pages that don't have that annotation, and it redirects those requests to the login page. JumpStart has a similar demo.
For more advanced needs see the Security Framework Integration section below.
Pages whose component classes are annotated with @WhitelistAccessOnly will only be displayed to users (clients) that are on the whitelist. By default the whitelist consists only of clients whose fully-qualified domain name is "localhost" (or the IP address equivalent, 127.0.0.1 or 0:0:0:0:0:0:0:1), but you can customize this by contributing to the ClientWhitelist service in your application's module class (usually AppModule.java):
Sometimes, in production, a firewall or proxy may make it look like the client web browser originates from localhost, with the consequence that whitelisted pages may be visible to all users. See the Security FAQ for how to deal with this.
Main Article: Assets
Protecting Serialized Object Data on the Client
As of version 5.3.6, Tapestry integrates a hash-based message authentication code (HMAC) into serialized Java object data that it sends to the client (generally, this means the
t:formdata hidden field used by the Form component). This ensures that the hidden binary object data is guaranteed to be unaltered when it returns to the server upon form (or AJAX) submission. The HMAC pass phrase is set using the tapestry.hmac-passphrase configuration symbol. If you don't set that value, you'll see a warning message in the browser, like this:
The solution is to set the tapestry.hmac-passphrase to some value (any fixed, private string, such as 30 to 40 random-looking characters, will do) in your application's module class (usually AppModule.java).
Cross Site Request Forgery (CSRF)
Cross Site Request Forgery is a type of security vulnerability in which legitimate, authorized users may be made to unwittingly submit malicious requests to your web application.
Tapestry-csrf-protection is a 3rd party module that has several features for preventing CSRF attacks. It protects all component event handlers (event links, forms, etc.) by adding a CSRF token to event links and adds a CSRF token as a hidden field to all forms. Tokens are generated on a per-session basis.
Security Framework Integration
Tapestry does not lock you into a specific authentication/authorization implementation. There are integration modules available for the more popular open source Java security frameworks. A popular choice among Tapestry users is tapestry-security (based on Apache Shiro) from Tynamo.org. It is always kept up-to-date with the latest Tapestry versions and offers several supporting security modules (e.g. tapestry-security-jpa, tynamo-federatedaccounts). There's also an integration module available for Spring Security but lately, it hasn't kept up with the latest versions of Tapestry 5.
- Tynamo-federatedaccounts is an add-on to the tapestry-security module, providing federated (third-party) authentication with Facebook, Twitter or Google.
- To include OpenID with Spring Security in your application, see the following Wiki entry: http://wiki.apache.org/tapestry/Tapestry5HowToSpringSecurityAndOpenId