Comments on Tapestry Central: A Better Web Framework: Tapestry's Response
Blog author: Howard Lewis Ship. Comment feed, 8 comments, newest first.

---

Toby, 2011-05-10 05:35 (-07:00):

p.s.: inline javascript could be injected into templates in the webapps folder... if a hacker manages to upload files to the server through other exploits of other software running on the same server? What about supporting the CSP (Content Security Policy) and adding a white list of allowed domains that may execute javascript code?

---

Toby, 2011-05-10 05:31 (-07:00):

Concerning "15- Security controls for web attacks". Assuming content is read from a database and inserted into the templates using a raw insert without escaping (as it contains HTML markup, such as paragraphs or bullet points) - then injected inline javascript would be successfully inserted into the page and executed? This way an XSS attack could occur...

---

Howard Lewis Ship, 2009-06-30 13:51 (-07:00):

Richard,

For quick coding and prototyping, I favor the thing you mistook for a taglib (it's not, but looks similar).

However, jwcid is not dead, it is merely hiding as t:id.

You can use t:id in a template, and define the component type and parameters in the Java code via the @Component annotation (which applies to a field).

Thus if you are comfortable with the full separation, you can have it. Again, for tutorials and prototypes, there's less keyboard typing involved in using the Tapestry namespace elements to define the component types & etc.

---

Richard Gomes (posted anonymously), 2009-06-30 12:07 (-07:00):

Hi Howard,

Regarding item 2 - Avoids heavy-componentization:

IMHO, ASP (the old creature invented by Micro$oft) was a bad idea and Sun had an even worse idea when they invented JSP. All related 'technologies' only promoted a number of taglibs which are simply conceptually wrong!

IMHO, the idea you promoted when Tapestry was invented is correct: you have a *process* which consists of (a) prototyping; (b) approval (can even be offline with fake data); (c) instrumentation and (d) coding the server side.

The idea of having attributes (jwcid) looks fine to me and keeps the prototype alive for the next iterations, keeping the same process of prototyping, approval, etc.

I was a user of Tapestry 2 a long time ago and I've done only some small studies with it. Unfortunately I never found a company embracing Tapestry. Recently I've downloaded Tapestry 5 and now my own venture will have a website powered by Tapestry. But, to my surprise, I found lots of "t:" tags everywhere and I couldn't understand what it all was about: This is not Tapestry! This is just another bloody taglib! :(
Even worse, the tutorial starts "from day one" promoting the use of this weird taglib which I don't want to learn or use. Seems like the beauty of your original design was lost :(

After looking around, I found that Tapestry 4 was using "jwcid" as usual.
Then I found your post stating that Tapestry not only satisfies the statement of avoiding heavy componentization but also does it even better, etc. It says that purists (like me) will have the option to use t:id, etc. Well...
I need to learn Tapestry again before understanding what you are talking about.

Anyway, new users are not being educated to avoid taglibs and they are not being educated to adopt the *process* you designed in the beginning.
What I'm saying is that the original beauty of Tapestry was lost or at least is not being advertised with big capitals anymore and this is really bad because the process is what makes Tapestry different.

Kind Regards,
Long life and success for Tapestry!

Richard Gomes
http://www.jquantlib.org/index.php/User:RichardGomes

---

Michael Buckley, 2009-02-11 20:55 (-08:00):

11 bug free
I can't remember a Tapestry bug. Usability issues, but no code problems besides the borked portlet lib. And having access to the source helps me resolve any gaps.

12 Exceptions
This was what sold me way back on Tapestry 3. We did a little bake-off internally, and the first time we saw the line-specific error trace with context we were sold. Tapestry is the first (only?) project I've worked with that makes a first-class design goal of supporting developers when they make mistakes.

15 serialized data
I've been meaning to make a different default squeezer (to replace serializable) that instead generates a random token into a map on the session. The primitive squeezers (int, String, etc.) aren't such a worry from a security standpoint -- normal application security can manage those. But deserializing an untrusted bytestream seems dodgy.

25 attachment
Don't sell Tapestry short. The Upload component and the IUploadFile are easy as pie. But the download situation in 4.1 is pretty sad. "Write your own engine service" is rough advice for a new user.

27 portlet
We've beat 4.1.6 into submission (and submitted a patch).
The biggest problem we have now is transient state being lost between rewind and render. Lots of components (contrib:Table most notably) are very unhappy losing transient state. Tap5 is probably much better now with the bias towards redirect-after-post.

Now that we've paid the price, we're pretty happy using Tapestry 4.1.6 portlets in Liferay.

---

ojintoad, 2009-02-08 21:26 (-08:00):

You loose your belt, you lose your car keys.

Sorry, I know there's a billion more important things being discussed, but the fact that you perpetuated this mistake the cited author made in your own post compels me to correct it.

---

Unknown, 2009-02-07 18:43 (-08:00):

My experience with Tapestry is limited to 4.0.2 and 4.1, so if this stuff is covered in 5, great.

14 & 24 - In Tapestry 4.x adding an annotation to a class was lost during runtime Class generation. Can Tapestry now support calls into user-provided Annotations for rights checks?

25 - I disagree with you here. If you need a file upload, that upload needs to integrate into the framework's form model easily. Same on the generation of binary data, whether downloading a data file from application code, or generated PDFs from a reporting library; that should be supported. In Tap 4.x a project I worked on found that quite difficult, and had to resort to coding their own Service (with mixed results).

13 & 15 - A "token" to store client side data could go a long way to solve your double-click issue as well.
Struts has had "token" support (though much different than your #15 idea) that expires after first use. However, you should also look at the Spring WebFlow framework where every request ends with a redirect, so a page reload does not resubmit data.

#19 I'm not sure I agree that this is a framework responsibility. This seems like a cross-cutting concern that should be handled by a servlet filter. And now looking at MessAdmin, it looks like it fits what I said.

---

Unknown, 2009-02-06 09:36 (-08:00):

Howard,

For #*19- Admin application for run-time process and user session monitoring* and #*30- Alerts between users*, you may want to have a detailed look at MessAdmin (http://messadmin.sourceforge.net), which does all of those 2 points except SQL reporting (it's in the TODO list), and is completely independent of the application server.
Like Tapestry, MessAdmin makes careful use of the Servlet API to bring light-weight and robust server monitoring, perfect for production!

I see Web framework (Tapestry) and monitoring (MessAdmin) as orthogonal domains. Since you seem to be thinking of adding a monitoring dashboard, I would be very happy to chat with you on the subject.
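Two of the comments above point at the same defensive pattern: Michael Buckley's "15 serialized data" idea of a squeezer that keeps state in a session map under a random token instead of serializing it to the client, and the later "13 & 15" remark that a single-use token also defeats double-submits. The sketch below is an added Java example, not code from the thread or from Tapestry; the class and method names are assumed, and a plain map stands in for the HttpSession so it runs offline.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical squeezer: the browser only ever sees an opaque token, never a serialized object. */
public final class TokenSqueezer {
    private static final SecureRandom RNG = new SecureRandom();

    // Assumption: in a real webapp this map would be stored in the user's HttpSession.
    private final Map<String, Object> sessionState = new ConcurrentHashMap<>();

    /** "Squeeze": keep the value server-side, hand the client a 128-bit random token. */
    public String squeeze(Object value) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessionState.put(token, value);
        return token;
    }

    /**
     * "Unsqueeze": resolve the token to the stored value. The token is consumed on first use,
     * so a re-submitted form (double-click, reload) is rejected rather than processed twice.
     * Nothing from the client is ever deserialized; an unknown token simply fails the lookup.
     */
    public Object unsqueeze(String token) {
        Object value = (token == null) ? null : sessionState.remove(token);
        if (value == null) {
            throw new IllegalStateException("unknown or already-used token");
        }
        return value;
    }

    public static void main(String[] args) {
        TokenSqueezer squeezer = new TokenSqueezer();
        Object formState = List.of("order-42", 3);      // constructed sample state
        String token = squeezer.squeeze(formState);
        System.out.println("client receives only: " + token);
        System.out.println("first submit resolves to: " + squeezer.unsqueeze(token));
        try {
            squeezer.unsqueeze(token);                   // same token submitted again
        } catch (IllegalStateException e) {
            System.out.println("replay rejected: " + e.getMessage());
        }
    }
}
```

Because the token is only a key into server-side state, nothing the client sends is ever passed to an object deserializer, and the one-shot removal gives the expire-after-first-use behaviour the Struts token comment describes.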