Angelo zerr | 16 Apr 16:06 2014
Picon

[orion-dev] Orion with Tern

Hi Orion team,

I contact you, because I'm developping a glue between Orion and Tern to benefit with powerful JS completion inside Orion editor. You can see project at https://github.com/angelozerr/tern.orion

Do you think you could interest with this project?

I develop this glue because I'm developping a wizard inside Eclipse IDE which generates orion editor with tern (see https://github.com/angelozerr/tern.java/wiki/Tern-Toolings). I have already integrated tern inside Eclipse IDE and generates Orion editor with tern will help to test and debug custom tern plugin.

When I have developped this glue between tern and orion, I had several problems that I would like  to share you : 

1) how to add custom completion with 5.0?

With 5.0, I had a problem to add my own completion. See code at https://github.com/angelozerr/tern.orion/blob/master/demos/tern-orion.html#L55

----------------------------------
if (contentAssist.providers) {
   // Orion < 5.0
   contentAssist.providers.push(ternProvider);
  } else {
   // Orion >= 5.0
   var providers = [];
   var infos = contentAssist._providerInfoArray
   if (infos) {
     for(var i=0; i<infos.length; i++) {
      providers.push(infos[i].provider);
     }      
   }
   providers.push(ternProvider);
   contentAssist.setProviders(providers);
}
----------------------------------

As you can see, code for Orion 5.0 is ugly. Have you some suggestion to clean this code?

2) how to get orion editor when completion is applied?

When completion is applied, it call my function

----------------------------------
 computeProposals : function(buffer, offset, context) {
----------------------------------

In this function, I need to add some listener in the editor, but i cannot retrieve it. Do you know how I can do that (for CodeMirror and Ace,it' spossible to retrieve the editor when completion is applied).

3) how to manage text hover?

I would like to create a Tern text hover when mouse move on JS editor (ex : display doc of teh functions in a tooltip). I think I must use AnnotationType (like TODO popup), but I don't know how I can add my custom AnnotationType.

Many thank's for your help.

Regards Angelo
<div><div dir="ltr">Hi Orion team,<div><br></div>
<div>I contact you, because I'm developping a glue between Orion and <a href="http://ternjs.net/" target="_blank">Tern</a> to benefit with powerful JS completion inside Orion editor. You can see project at&nbsp;<a href="https://github.com/angelozerr/tern.orion" target="_blank">https://github.com/angelozerr/tern.orion</a>
</div>

<div><br></div>
<div>Do you think you could interest with this project?</div>
<div><br></div>
<div>I develop this glue because I'm developping a wizard inside Eclipse IDE which generates orion editor with tern (see <a href="https://github.com/angelozerr/tern.java/wiki/Tern-Toolings" target="_blank">https://github.com/angelozerr/tern.java/wiki/Tern-Toolings</a>). I have already integrated tern inside Eclipse IDE and generates Orion editor with tern will help to test and debug custom tern plugin.</div>

<div><br></div>
<div>When I have developped this glue between tern and orion, I had several problems that I would like &nbsp;to share you :&nbsp;</div>
<div><br></div>
<div>1) how to add custom completion with 5.0?</div>
<div><br></div>

<div>With 5.0, I had a problem to add my own completion. See code at&nbsp;<a href="https://github.com/angelozerr/tern.orion/blob/master/demos/tern-orion.html#L55" target="_blank">https://github.com/angelozerr/tern.orion/blob/master/demos/tern-orion.html#L55</a>
</div>

<div><br></div>
<div>----------------------------------</div>
<div>
<div>if (contentAssist.providers) {</div>
<div>&nbsp; <span>	</span> &nbsp;// Orion &lt; 5.0</div>
<div>&nbsp; <span>	</span> &nbsp;contentAssist.providers.push(ternProvider);</div>

<div>&nbsp; <span>	</span>} else {</div>
<div>&nbsp; <span>	</span> &nbsp;// Orion &gt;= 5.0</div>
<div>&nbsp; <span>	</span> &nbsp;var providers = [];</div>
<div>&nbsp; <span>	</span> &nbsp;var infos = contentAssist._providerInfoArray</div>
<div>&nbsp; <span>	</span> &nbsp;if (infos) {</div>
<div>&nbsp; <span>	</span> &nbsp; &nbsp;for(var i=0; i&lt;infos.length; i++) {</div>

<div>&nbsp; <span>	</span> &nbsp; &nbsp;<span>	</span>providers.push(infos[i].provider);</div>
<div>&nbsp; <span>	</span> &nbsp; &nbsp;}<span>			</span> &nbsp;<span>	</span> &nbsp; &nbsp;</div>

<div>&nbsp; <span>	</span> &nbsp;}</div>
<div>&nbsp; <span>	</span> &nbsp;providers.push(ternProvider);</div>
<div>&nbsp; <span>	</span> &nbsp;contentAssist.setProviders(providers);</div>

<div>}</div>
</div>
<div>----------------------------------<br>
</div>
<div><br></div>
<div>As you can see, code for Orion 5.0 is ugly. Have you some suggestion to clean this code?</div>
<div><br></div>
<div>2) how to get orion editor when completion is applied?</div>

<div><br></div>
<div>When completion is applied, it call my function</div>
<div><br></div>
<div>----------------------------------<br>
</div>
<div>&nbsp;computeProposals : function(buffer, offset, context) {</div>
<div>----------------------------------<br>
</div>
<div><br></div>
<div>In this function, I need to add some listener in the editor, but i cannot retrieve it. Do you know how I can do that (for CodeMirror and Ace,it' spossible to retrieve the editor when completion is applied).</div>

<div><br></div>
<div>3) how to manage text hover?</div>
<div><br></div>
<div>I would like to create a Tern text hover when mouse move on JS editor (ex : display doc of teh functions in a tooltip). I think I must use AnnotationType (like TODO popup), but I don't know how I can add my custom AnnotationType.</div>

<div><br></div>
<div>Many thank's for your help.</div>
<div><br></div>
<div>Regards Angelo</div>
</div></div>
Schmalz, Matthias | 14 Apr 09:01 2014
Picon

[orion-dev] Protection against Java Script Hijacking

Hi All,

 

currently we are doing some security considerations for the usage of Orion.

One topic, that came up here, is the protection against Java script hijacking (see http://capec.mitre.org/data/definitions/111.html or http://www.net-security.org/dl/articles/JavaScript_Hijacking.pdf).

Have there already been any considerations about the relevance of this attack for Orion? Are there any plans to implement a protection?

An example for an attack target could be the user preference store which contains the user’s e-mail address, full name and login user.

 

Best regards

Matthias Schmalz

 

<div>
<div class="WordSection1">
<div>
<div>
<p class="MsoNormal"><span lang="EN-US">Hi All,<p></p></span></p>
<p class="MsoNormal"><span><p>&nbsp;</p></span></p>
<p class="MsoNormal"><span lang="EN-US">currently we are doing some security considerations for the usage of Orion.<p></p></span></p>
<p class="MsoNormal"><span lang="EN-US">One topic, that came up here, is the protection against Java script hijacking (see
<a href="http://capec.mitre.org/data/definitions/111.html">http://capec.mitre.org/data/definitions/111.html</a> or
<a href="http://www.net-security.org/dl/articles/JavaScript_Hijacking.pdf">http://www.net-security.org/dl/articles/JavaScript_Hijacking.pdf</a>).<p></p></span></p>
<p class="MsoNormal"><span lang="EN-US">Have there already been any considerations about the relevance of this attack for Orion? Are there any plans to implement a protection?<p></p></span></p>
<p class="MsoNormal"><span lang="EN-US">An example for an attack target could be the user preference store which contains the user&rsquo;s e-mail address, full name and login user.<p></p></span></p>
<p class="MsoNormal"><span lang="EN-US"><p>&nbsp;</p></span></p>
<p class="MsoNormal"><span lang="EN-US">Best regards<p></p></span></p>
<p class="MsoNormal"><span lang="EN-US">Matthias Schmalz<p></p></span></p>
<p class="MsoNormal"><span lang="EN-US"><p>&nbsp;</p></span></p>
</div>
</div>
</div>
</div>
Kaitlin Johnson Huben | 4 Apr 16:58 2014

[orion-dev] Viewing new syntax highlighting

Hi all,

I'm working under Ken (with the Open Academy group) on implementing some new syntax highlighting. He mentioned that highlighting for C/C++ was implemented recently, and I see the changes in my repo from yesterday. However, when I open a C source file, I still don't see the syntax highlighting; I know one of my teammates was having a similar issue. Is there something else that needs to be done to view the new syntax highlighting once it's implemented?

Thanks!
Kaitlin Huben
<div><div dir="ltr">Hi all,<div><br></div>
<div>I'm working under Ken (with the Open Academy group) on implementing some new syntax highlighting. He mentioned that highlighting for C/C++ was implemented recently, and I see the changes in my repo from yesterday. However, when I open a C source file, I still don't see the syntax highlighting; I know one of my teammates was having a similar issue. Is there something else that needs to be done to view the new syntax highlighting once it's implemented?</div>
<div><br></div>
<div>Thanks!<br clear="all"><div><div dir="ltr">Kaitlin Huben<br>
</div></div>
</div>
</div></div>
Mark Macdonald | 4 Apr 00:04 2014
Picon

[orion-dev] Source maps & changes to .html files

As of today, source maps are enabled in Orion builds. In Chrome and (probably) Firefox, they should allow you to set breakpoints and step through a minified build of Orion while viewing the un-minified source code in your debugger.

I also removed some old build-time hacks that dealt with AMD module IDs. For the sake of sanity I won't describe those in detail here, however please note that from now on, any new pages or plugins you create must follow a different pattern than before (see below).

What should new pages look like?
When creating a new page or plugin that needs to be optimized, ensure your HTML file loads the full module id of your initialization code ("glue code") in its require() call.

WRONG:
require(["pageLinksPlugin.js"]);   // filename, bad
require(["javascriptPlugin.js"]);  // filename, bad

RIGHT:
require(["plugins/pageLinksPlugin"]);             // module id, good
require(["javascript/plugins/javascriptPlugin"]); // module id, good

If you fail to do this, your page may seem OK at development time, but it will fail in the optimized Orion build by appearing empty (files load, but nothing happens).

When writing non-production code (such as tests, samples, etc), you can ignore this advice. Strictly speaking, the problem here only arises when you're loading a module that has had its dependencies inlined by the RequireJS optimizer.

What happened to built-foo.js?
Optimized pages are not renamed to built-{whatever}.js anymore. Instead they keep the same name they have at development time.

Where is the un-minified source?
To find the unminified source of any module, just append ".src" onto its URL. For example the un-minified source of /edit/edit.js is /edit/edit.js.src

In general, there are 3 interesting files for every module:
  • edit.js (Minified source file)
  • edit.js.src (Un
    ​-​
    minified source
    ​file)
  • edit.js.map (Source map)

What's the point?
With these changes, the build is more flexible, so we can experiment with ways of packaging Orion code that were difficult before, such as:
  • Load an optimized module from an entry point that is not an HTML file (eg. a web worker)
  • ​Load an optimized module from > 1 HTML file​
  • Load​
    ​ certain features on demand, instead of 1 huge kitchen-sink blob
  • Split pages into optimized modules providing finer-grained units of functionality
​Mark​
<div><div dir="ltr">
<div class="gmail_default">As of today, source maps are enabled in Orion builds. In Chrome and (probably) Firefox, they should allow you to set breakpoints and step through a minified build of Orion while viewing the un-minified source code in your debugger.<br><br>I also removed some old build-time hacks that dealt with AMD module IDs. For the sake of sanity I won't describe those in detail here, however please note that from now on, any new pages or plugins you create must follow a different pattern than before (see below).<br>
</div>
<br><div class="gmail_default">What should new pages look like?<br>When creating a new page or plugin that needs to be optimized, ensure your HTML file loads the full module id of your initialization code ("glue code") in its <span>require()</span> call.<br><br><span>&#10008;</span> WRONG:<br><div>
<span>require(["<span>pageLinksPlugin.js</span>"]);&nbsp;&nbsp; // filename, bad</span><br><span>require(["<span>javascriptPlugin.js</span>"]);&nbsp; // filename, bad</span><br>
</div>
<br><span><span>&#10004; </span></span>RIGHT:<span><span></span></span><br><div>
<span>require(["<span><span></span><span>plugins/</span></span><span>pageLinksPlugin</span>"]);&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; // module id, good</span><br><span></span><span>require(["<span>javascript/plugins/≤/span><span>javascriptPlugin</span>"]); // module id, good</span><br>
</div>
<br>
</div>
<div class="gmail_default">
If you fail to do this, your page may seem OK at development time, but it will fail in the optimized Orion build by appearing empty (files load, but nothing happens).<br><br>When writing non-production code (such as tests, samples, etc), you can ignore this advice. Strictly speaking, the problem here only arises when you're loading a module that has had its dependencies inlined by the RequireJS optimizer.<br>
</div>
<div class="gmail_default">
<br>What happened to <span>built-foo.js</span>?<br>Optimized pages are not renamed to <span>built-{whatever}.js</span> anymore. Instead they keep the same name they have at development time.<br><br>
</div>
<div class="gmail_default">Where is the un-minified source?<br>To find the unminified source of any module, just append ".src" onto its URL. For example the un-minified source of <span>/edit/edit.js</span> is <span>/edit/edit.js.src</span><br><br>In general, there are 3 interesting files for every module:<br>
</div>
<ul>
<li>
<span>edit.js</span> (Minified source file)</li>
<li>
<span>edit.js.src</span> (Un<div class="gmail_default">

&#8203;-&#8203;</div>minified source <div class="gmail_default">&#8203;file)</div>
</li>
<li>
<span>edit.js.map</span> (Source map)</li>
</ul>
<p></p>
<div class="gmail_default">What's the point?<br>With these changes, the build is more flexible, so we can experiment with ways of packaging Orion code that were difficult before, such as:<br>
</div>
<div class="gmail_default"><ul>
<li>Load an optimized module from an entry point that is not an HTML file (eg. a web worker)</li>
<li><div class="gmail_default">

&#8203;Load an optimized module from &gt; 1 HTML file&#8203;</div></li>
<li>Load&#8203;<div class="gmail_default">&#8203; certain features on demand, instead of 1 huge kitchen-sink blob</div>

</li>
<li>Split pages into optimized modules providing finer-grained units of functionality<br>
</li>
</ul></div>
<div class="gmail_default">&#8203;Mark&#8203;</div>
</div></div>
Christopher Stone | 30 Mar 21:24 2014

[orion-dev] Compile errors while building orion.

In order to build Orion locally so that I can hack on it, I have followed the instructions from section Self-hosting on your local computer using Eclipse IDE at the web page https://wiki.eclipse.org/Orion/Getting_the_source. I am using Eclipse Kepler SR2 on a 64-bit Kubuntu 13.10.

I get the following compile errors:

Syntax error on token ".", , expected GitHubFileImpl.js /org.eclipse.orion.client.ui/web/plugins/filePlugin line 52 JavaScript Problem

Syntax error on token "default", Identifier expected SideMenu.js /org.eclipse.orion.client.ui/web/orion/webui line 295 JavaScript Problem

The left-hand side of an assignment must be a variable SideMenu.js /org.eclipse.orion.client.ui/web/orion/webui line 14 JavaScript Problem

Syntax error on token "default", Identifier expected SideMenu.js /org.eclipse.orion.client.ui/web/orion/webui line 288 JavaScript Problem

I switched the git repositories to the 5.0 release tag instead of the master branch, and got the exact same compile errors. Thus, I would guess that there is something wrong with my tools setup, as opposed to these being real compile errors. Does anyone know what might be wrong?

Cheers,
    Chris Stone.
<div><div dir="ltr">In order to build Orion locally so that I can hack on it, I have followed the instructions from section Self-hosting on your local computer using Eclipse IDE&nbsp;at the web&nbsp;page&nbsp;<a href="https://wiki.eclipse.org/Orion/Getting_the_source">https://wiki.eclipse.org/Orion/Getting_the_source</a>. I am using Eclipse Kepler SR2 on a 64-bit Kubuntu 13.10.<div>
<br>
</div>
<div>I get the following compile errors:</div>
<div><br></div>
<div>
<div>Syntax error on token ".", , expected<span class="">	</span>GitHubFileImpl.js<span class="">	</span>/org.eclipse.orion.client.ui/web/plugins/filePlugin<span class="">	</span>line 52<span class="">	</span>JavaScript Problem</div>
</div>
<div><br></div>
<div>Syntax error on token "default", Identifier expected<span class="">	</span>SideMenu.js<span class="">	</span>/org.eclipse.orion.client.ui/web/orion/webui<span class="">	</span>line 295<span class="">	</span>JavaScript Problem<br>
</div>
<div>
<div><br></div>
<div>The left-hand side of an assignment must be a variable<span class="">	</span>SideMenu.js<span class="">	</span>/org.eclipse.orion.client.ui/web/orion/webui<span class="">	</span>line 14<span class="">	</span>JavaScript Problem</div>
<div><br></div>
<div>Syntax error on token "default", Identifier expected<span class="">	</span>SideMenu.js<span class="">	</span>/org.eclipse.orion.client.ui/web/orion/webui<span class="">	</span>line 288<span class="">	</span>JavaScript Problem</div>
</div>
<div><br></div>
<div>I switched the git repositories to the 5.0 release tag instead of the master branch, and got the exact same compile errors. Thus, I would guess that there is something wrong with my tools setup, as opposed to these being real compile errors. Does anyone know what might be wrong?</div>
<div><br></div>
<div>Cheers,</div>
<div>&nbsp; &nbsp; Chris Stone.</div>
</div></div>

[orion-dev] How to get Orion to follow symbolic links for files and directories? (a preliminary investigation)

Hi,

Orion is in the right track overall and I love it!

That being said, I have encountered an issue (described below) that makes me even consider putting it aside, at least for the moment, and looking for other options :-(

Here is a bug-report, which started as a couple of questions (that matter a lot in my particular case) and turned out to be a comprehensive bug-report/feature-request.

=============================================
VERY BRIEFLY:
=============================================
1) Is there any way to get Orion to follow symbolic links while browsing a file system location on the server side (attached to the user's workspace via New>Link to Server) and for editing files that happen to be aliases (symlinks)?
(I am otherwise able to browse that location and edit files within it, as long as any of the directories and files involved are not symlinks).

2) Alternatively, is there any way to influence the configuration of the embedded Jetty web server in a standard Orion distribution? 

UPDATE:  My further investigation has shown that, even if that is possible, it would not really help for the question at hand, because Orion seems to use an Orion-specific servlet (NewFileServlet) to serve up the "/file" URL space.
NewFileServlet, which does not seem to even inherit from the Jetty DefaultServlet, appears to have a pretty hard coded "Forbid" approach when it comes to symlinks. Bummer.

However, this question (2) still remains to be an interesting in general for other potential Orion server administration use cases.

Please see below for a detailed description of the issue and the test environment, as well as the results of preliminary investigation that suggests that the resolution of the issue requires a code-change (which could be quite minor)
at least in the NewFileServlet.java source file on the Orion 5.0 code branch (relevant code snippet given below).

Since this topic could have some pretty serious impact on security at least on some OS platforms and/or file systems, I thought it might be worthwhile to see how this is handled in Jetty, which is a more mature project, 
and found the relevant code snippets from Jetty 8.x code line (which happens to be the Jetty release that Orion 5.x currently embeds). Those relevant code snippets from Jetty 8.x  can also be seen down below in this message.

Finally, it might be worthwhile to note that, according to Jetty documentation, Jetty 9 makes an attempt to handle the question in a completely different way, 
allowing for much more fine grained control over permissions on file and directory "aliases" (in Jetty parlance).


P.S. : I do realise this is rather extremely long message. 
         However, I do think it is useful information constituting something like a preliminary investigation on the question, even providing hints on how to solve the issue.
 I think of it as a bug report that comes already with some investigation that could be useful for the folks who will get around fixing it in the future (perhaps even myself, if I get around some of the Orion internals).
   






##############################################################################################
# THE GORY DETAILS :
##############################################################################################

My Orion 5.0 installation seems to be working just fine except this issue.
 
I have successfully attached "/home/example" as a new location (named "example") in my workspace, doing the necessary changes in "orion.conf" like so:
orion.file.allowedPaths=/home/ide/serverworkspace,/home/example

I am able to browse the attached location and edit files within it, after tweaking file permissions on the server filesystem for everything under "/home/example".

So far, so good.

The only catch: Orion refuses to follow symlinks within the "example" location, displaying a message that goes "Forbidden: ....".
Observing the OSGI console on the server side suggests that it is indeed the orion server that responds with an HTTP error condition (403 Forbidden).

According to Jetty documentation, by default, Jetty will refuse to follow file and directory aliases (which includes symlinks among other similar strange things).
This seems to be construed as a "security feature" of Jetty, according to their documentation.

Luckily, Jetty seems to allow overriding that paranoid behaviour by setting and init-param ("aliases") to "true" on the "DefaultServlet" (org.eclipse.jetty.servlet.DefaultServlet) in "jetty.xml".
Therefore, I figured: if I can somehow influence the configuration of the embedded Jetty in Orion,  it could be a pretty happy end to the story.

After quite a bit of searching, I stumbled upon the "plugin.xml" file within the "eclipse/plugin/org.eclipse.orion.server.configurator_1.0.0.v20140221-1503" directory, that appeared quite promising.
Browsing through the various "servlet" configurations in "plugin.xml", I found the servlet that is aliased as "/file" within the Orion URL space.

However, it looks like the "/file" URL space is served up by an Orion-specific servlet (org.eclipse.orion.internal.server.servlets.file.NewFileServlet), 
and not the DefaultServlet (org.eclipse.jetty.servlet.DefaultServlet) from Jetty.

That's a bummer, because Jetty seems to allow overriding the paranoid behaviour of forbidding to follow symlinks altogether by setting an init-param ("aliases") to "true" on the "DefaultServlet" (org.eclipse.jetty.servlet.DefaultServlet) in "jetty.xml".
That kind of configuration option would have saved my day today :-(

First, I naively tried setting the "aliases" <init-parameter> to "true" in the servlet configuration for the "/file" space in "plugin.xml" anyway, similar to the way one would do in jetty.xml, just to see what happens.
Naturally, that did not have any effect on the problem at hand, since, as I found out later, Orion's "NewFileServlet" doesn't even inherit from Jetty's "DefaultServlet" (and for good reasons).

As a final ditch, I dug up the source code of Orion's "NewFileServlet" to see if there was still any hope to find any administrator configurable behaviour in there concerning the question.
==> Nope. It turns out, that particular behaviour (of forbidding symlinks) is pretty hard-coded into the "doGet()" method of "NewFileServlet", and the other doXXX() methods just call the "doGet()" method
to do their job.

Then, by curiosity, I dug up Jetty 8.x sources to see how this question is handled there. It turns out Jetty 8.x handles this in a pretty straight forward way.
In Jetty parlance, we are talking about a file or directory "alias" here (which includes symlinks, but also other stuff like NFS strangenesses and so on).

- Jetty determines whether a file resource is an "alias" (symlink, etc) by simply comparing its initial path to its canonical path.  
           If those do not match, then the resource is considered an "alias"

- Then, Jetty checks if the configuration setting (which happens to be the "aliases" init-param) allows accessing/following such a resource.
*) If so, Jetty just serves up the "alias". BINGO.     (presumably, this gets ultimately handled by low level Java IO calls via the system specific calls on the particular OS platform for reading/writing/.. files)
*) If not (which is the default), then Jetty behaves in pretty much the same way as Orion, forbidding the action.

Naturally, there is some pretty nice plumbing code around that as well (obtaining the relevant configuration option as well the alias checking code within all encapsulated the ContextHandler).

I thought this could be helpful for the folk(s) who will actually get around implementing something similar (at least in terms of capabilities) within Orion server. 
That could even include me  -- if I ever get around really learning the internals of Orion, Equinox, Eclipse, ... (and start coding in Java)

In any case, I could probably help in specifying the behaviour and testing the actual implementation, and even take a stab at documenting it when done.

If you have actually continued reading this text up to this point, please let me know, and I'll buy you beer if you are in Paris (France) some day :-)

If you also go ahead and skim through the appendices below (i..e. yes, even the gorier details),  then it will have to be a bottle of French wine with extra goodies :-)

Those further details included below are:
- My particular constraints
- My test environment (server & client)
- Source code snippet from Orion 5.0  deemed relevant from  "org.eclipse.orion.internal.server.servlets.file.NewFileServlet"
- Source code snippet from Jetty 8.x   deemed relevant from   "org.eclipse.jetty.server.handler.ContextHandler"
-- There is actually also some related code in Jetty's "DefaultServlet" implementation that just obtains the configuration settings and sets the corresponding property of the context initially.   
      I haven't included that snippet, because that part is pretty straight-forward.

Cheers,
Ayhan
 


##############################################################################################
# MY CONSTRAINTS:
##############################################################################################

  1. I cannot do without the symlinks.   
  • Because, for various reasons, I am not able to change the way the files/directories are organised within the existing attached location, which contains a bunch of symlinks on some files and directories.

  • If at all possible, I really would like to avoid having to cook myself a WAR deployment of Orion.
    • Because, as it seems, Orion does is not -yet- distributed with a WAR deployment option, not even a boiler-plate. 
      Since I know how ignorant I am on WAR-cracft (and even on Java), it would take me several days to get something up and running, if I ever get there; 

  • Did I tell you I am in a hurry (for an urgent task)?    -- but aren't we all? :-)

  • I love Orion so far.
    • But if I can't find a resolution (even an acceptable workaround) to this issue in a day or so, I will probably find myself out there looking for an alternative to Orion... :-(



    ##############################################################################################
    # EVEN GORIER DETAILS:
    ##############################################################################################

    #------------------------------------------------------------------------------------
    # MY SERVER ENVIRONMENT (most probably irrelevant):
    #------------------------------------------------------------------------------------
    Orion release = 5.0 (latest as of today)
    Server OS       = Debian (weezy)
    Java version          = "1.6.0_27"
    JRE = OpenJDK Runtime Environment (IcedTea6 1.12.5) (6b27-1.12.5-1)

    # The Java Security Policy on the server machine ("/etc/java-6-openjdk/security/java.policy") now contains the following snippet (as a result of my failed attempts of hacking a solution to the pro:

    grant {
    # ...
    permission java.io.FilePermission "/home/example/-", "read,write,delete,execute,readlink";
    # ...
    };

    # Naturally, when the issue is resolved, I will restrict the "grant" to a given codeBase (which one?), but for the moment it's wide open :-)

    #------------------------------------------------------------------------------------
    # MY CLIENT ENVIRONMENT (most probably irrelevant):
    #------------------------------------------------------------------------------------
    OS  = Mac OS X 10.8.x (Mountain Lion)
    Browser = Chrome & Safari (tried both)




    #==========================================================================================================
    # RELEVANT ORION 5.0 SOURCE CODE  snippet -  which clearly suggests that Orion 5.0 forbids symbolic links (symlinks) altogether at this time.
    #      
    #     The following code snippet was obtained from the eclipse's official git repository  <at> around 2014-03-30T00:25:00GMT
    #
    #
    #     The code snippet involved is basically the "doGet" method of NewFileServlet.
    #
    #     // ... denotes omitted content deemed to be irrelevant.
    #==========================================================================================================

    // ...
    package org.eclipse.orion.internal.server.servlets.file;

    // ...

    public class NewFileServlet extends OrionServlet {

    // ...

    // lines of interest: [54 - 108]
    <at> Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { traceRequest(req); String pathInfo = req.getPathInfo(); IPath path = pathInfo == null ? Path.ROOT : new Path(pathInfo); // prevent path canonicalization hacks if (pathInfo != null && !pathInfo.equals(path.toString())) { handleException(resp, new ServerStatus(IStatus.ERROR, HttpServletResponse.SC_FORBIDDEN, NLS.bind("Forbidden: {0}", pathInfo), null)); return; } //don't allow anyone to mess with metadata if (path.segmentCount() > 0 && ".metadata".equals(path.segment(0))) { //$NON-NLS-1$ handleException(resp, new ServerStatus(IStatus.ERROR, HttpServletResponse.SC_FORBIDDEN, NLS.bind("Forbidden: {0}", pathInfo), null)); return; } IFileStore file = getFileStore(req, path); IFileStore testLink = file; while (testLink != null) { IFileInfo info = testLink.fetchInfo(); if (info.getAttribute(EFS.ATTRIBUTE_SYMLINK)) { if (file == testLink) { handleException(resp, new ServerStatus(IStatus.ERROR, HttpServletResponse.SC_FORBIDDEN, NLS.bind("Forbidden: {0}", pathInfo), null)); } else { handleException(resp, new ServerStatus(IStatus.ERROR, HttpServletResponse.SC_NOT_FOUND, NLS.bind("File not found: {0}", pathInfo), null)); } return; } testLink = testLink.getParent(); } if (file == null) { handleException(resp, new ServerStatus(IStatus.ERROR, HttpServletResponse.SC_NOT_FOUND, NLS.bind("File not found: {0}", pathInfo), null)); return; } if (fileSerializer.handleRequest(req, resp, file)) return; // finally invoke super to return an error for requests we don't know how to handle super.doGet(req, resp); } <at> Override protected void doDelete(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { doGet(req, resp); } <at> Override protected void doPut(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { doGet(req, resp); } <at> Override protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { doGet(req, resp); }

    // ...

    }




    #==========================================================================================================
    # RELEVANT JETTY 8.x SOURCE CODE snippet that handles file and directory "aliases" (including symlinks)
    #
    #     This Jetty 8.x code snippet could perhaps be an inspiration for Orion 5.x (based on Jetty 8.x for the moment). 
     #    Note that Jetty 9.x seems to be handling this question in a completely different fashion, allowing for more granular control.
    #      
    #     The following code snippet was obtained from the eclipse's official git repository  <at> around 2014-03-30T00:25:00GMT
    #
    #     // ... denotes omitted content deemed to be irrelevant.
    #==========================================================================================================

    // ...
    package   =  org.eclipse.jetty.server.handler;

    // ...

    public class ContextHandler extends ScopedHandler implements Attributes, Server.Graceful {

    // ...

    // ****  lines of interest: [1570 - 1618] ***************************
    public Resource getResource(String path) throws MalformedURLException { if (path == null || !path.startsWith(URIUtil.SLASH)) throw new MalformedURLException(path); if (_baseResource == null) return null; try { path = URIUtil.canonicalPath(path); Resource resource = _baseResource.addPath(path); if (checkAlias(path,resource)) return resource; return null; } catch (Exception e) { LOG.ignore(e); } return null; } /* ------------------------------------------------------------ */ public boolean checkAlias(String path, Resource resource) { // Is the resource aliased? if (!_aliasesAllowed && resource.getAlias() != null) { if (LOG.isDebugEnabled()) LOG.debug("Aliased resource: " + resource + "~=" + resource.getAlias()); // alias checks for (Iterator<AliasCheck> i=_aliasChecks.iterator();i.hasNext();) { AliasCheck check = i.next(); if (check.check(path,resource)) { if (LOG.isDebugEnabled()) LOG.debug("Aliased resource: " + resource + " approved by " + check); return true; } } return false; } return true; }


    // ...

    }

    ##############################################################################################
    # END OF MESSAGE!  -- yes, finally :-)
    ##############################################################################################




    <div>Hi,<div>
    <div><br></div>
    <div>Orion is in the right track overall and I love it!</div>
    </div>
    <div><br></div>
    <div>That being said, I have encountered an issue (described below) that makes me even consider putting it aside, at least for the moment, and looking for other options :-(</div>
    <div><br></div>
    <div>Here is a bug-report, which started as a couple of questions (that matter a lot in my particular case) and turned out to be a comprehensive bug-report/feature-request.</div>
    <div><br></div>
    <div>=============================================</div>
    <div>VERY BRIEFLY:</div>
    <div>=============================================</div>
    <div>1) Is there any way to get Orion to follow symbolic links while browsing a file system location on the server side (attached to the user's workspace via New&gt;Link to Server) and for editing files that happen to be aliases (symlinks)?</div>
    <div>
    <span class="Apple-tab-span">	</span>(I am otherwise able to browse that location and edit files within it, as long as any of the directories and files involved are not symlinks).</div>
    <div><br></div>
    <div>2) Alternatively, is there any way to influence the configuration of the embedded Jetty web server in a standard Orion distribution?&nbsp;</div>
    <div><br></div>
    <div>
    <span class="Apple-tab-span">	</span>UPDATE: &nbsp;My further investigation has shown that, even if that is possible, it would not really help for the question at hand, because Orion seems to use an Orion-specific servlet (NewFileServlet) to serve up the "/file" URL space.</div>
    <div>
    <span class="Apple-tab-span">	</span>NewFileServlet, which does not seem to even inherit from the Jetty DefaultServlet, appears to have a pretty hard coded "Forbid" approach when it comes to symlinks. Bummer.</div>
    <div><br></div>
    <div>
    <span class="Apple-tab-span">	</span>However, this question (2) still remains to be an interesting in general for other potential Orion server administration use cases.</div>
    <div><br></div>
    <div>Please see below for a detailed description of the issue and the test environment, as well as the results of preliminary investigation that suggests that the resolution of the issue requires a code-change (which could be quite minor)</div>
    <div>at least in the&nbsp;NewFileServlet.java source file on the Orion 5.0 code branch (relevant code snippet given below).</div>
    <div><br></div>
    <div>Since this topic could have some pretty serious impact on security at least on some OS platforms and/or file systems, I thought it might be worthwhile to see how this is handled in Jetty, which is a more mature project,&nbsp;</div>
    <div>and found the relevant code snippets from Jetty 8.x code line&nbsp;(which happens to be the Jetty release that Orion 5.x currently embeds). Those relevant code snippets from Jetty 8.x &nbsp;can also be seen down below in this message.</div>
    <div><br></div>
    <div>Finally, it might be worthwhile to note that, according to Jetty documentation, Jetty 9 makes an attempt to handle the question in a completely different way,&nbsp;</div>
    <div>allowing for much more fine grained control over permissions on file and directory "aliases" (in Jetty parlance).</div>
    <div><br></div>
    <div><br></div>
    <div>P.S. :&nbsp;I do realise this is rather extremely long message.&nbsp;</div>
    <div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;However, I do think it is useful information constituting something like a preliminary investigation on the question, even providing hints on how to solve the issue.</div>
    <div>
    <span class="Apple-tab-span">	</span>&nbsp;I think of it as a bug report that comes already with some investigation that could be useful for the folks who will get around fixing it in the future (perhaps even myself, if I get around some of the Orion internals).</div>
    <div>
    <span class="Apple-tab-span">	</span>&nbsp;<span class="Apple-tab-span">	</span>&nbsp;</div>
    <div><br></div>
    <div><br></div>
    <div><br></div>
    <div><br></div>
    <div><br></div>
    <div><br></div>
    <div>
    <div>##############################################################################################</div>
    <div>#&nbsp;THE GORY DETAILS :</div>
    <div>##############################################################################################</div>
    </div>
    <div><br></div>
    <div>My Orion 5.0 installation seems to be working just fine except this issue.</div>
    <div>&nbsp;</div>
    <div>I have successfully attached "/home/example" as a new location (named "example") in my workspace, doing the necessary changes in "orion.conf" like so:</div>
    <div>
    <span class="Apple-tab-span">	</span>orion.file.allowedPaths=/home/ide/serverworkspace,/home/example</div>
    <div><br></div>
    <div>I am able to browse the attached location and edit files within it, after tweaking file permissions on the server filesystem for everything under "/home/example".</div>
    <div><br></div>
    <div>So far, so good.</div>
    <div><br></div>
    <div>The only catch: Orion refuses to follow symlinks within the "example" location, displaying a message that goes "Forbidden: ....".</div>
    <div>Observing the OSGI console on the server side suggests that it is indeed the orion server that responds with an HTTP error condition (403 Forbidden).</div>
    <div><br></div>
    <div>According to Jetty documentation, by default, Jetty will refuse to follow file and directory aliases (which includes symlinks among other similar strange things).</div>
    <div>This seems to be construed as a "security feature" of Jetty, according to their documentation.</div>
    <div><br></div>
    <div>Luckily, Jetty seems to allow overriding that paranoid behaviour by setting and init-param ("aliases") to "true" on the "DefaultServlet" (<span>org.eclipse.jetty.servlet.DefaultServlet) in "jetty.xml".</span>
    </div>
    <div>Therefore, I figured: if I can somehow influence the configuration of the embedded Jetty in Orion, &nbsp;it could be a pretty happy end to the story.</div>
    <div><br></div>
    <div>After quite a bit of searching, I stumbled upon the "plugin.xml" file within the "eclipse/plugin/org.eclipse.orion.server.configurator_1.0.0.v20140221-1503" directory, that appeared quite promising.</div>
    <div>Browsing through the various "servlet" configurations in "plugin.xml", I found the servlet that is aliased as "/file" within the Orion URL space.</div>
    <div><br></div>
    <div>However, it looks like the "/file" URL space is served up by an Orion-specific servlet (org.eclipse.orion.internal.server.servlets.file.NewFileServlet),&nbsp;</div>
    <div>and not the DefaultServlet (<span>org.eclipse.jetty.servlet.DefaultServlet)&nbsp;</span>from Jetty.</div>
    <div><br></div>
    <div>That's a bummer, because Jetty seems to allow overriding the paranoid behaviour of forbidding to follow symlinks altogether by setting an init-param ("aliases") to "true" on the "DefaultServlet" (<span>org.eclipse.jetty.servlet.DefaultServlet) in "jetty.xml".</span>
    </div>
    <div>That kind of configuration option would have saved my day today :-(</div>
    <div><br></div>
    <div>First, I naively tried setting the "aliases" &lt;init-parameter&gt; to "true" in the servlet configuration for the "/file" space in "plugin.xml" anyway, similar to the way one would do in jetty.xml, just to see what happens.</div>
    <div>Naturally, that did not have any effect on the problem at hand, since, as I found out later, Orion's "NewFileServlet" doesn't even inherit from Jetty's "DefaultServlet" (and for good reasons).</div>
    <div><br></div>
    <div>As a final ditch, I dug up the source code of Orion's "NewFileServlet" to see if there was still any hope to find any administrator configurable behaviour in there concerning the question.</div>
    <div>==&gt; Nope. It turns out, that particular behaviour (of forbidding symlinks) is pretty hard-coded into the "doGet()" method of "NewFileServlet", and the other doXXX() methods just call the "doGet()" method</div>
    <div>to do their job.</div>
    <div><br></div>
    <div>Then, by curiosity, I dug up Jetty 8.x sources to see how this question is handled there. It turns out Jetty 8.x handles this in a pretty straight forward way.</div>
    <div>In Jetty parlance, we are talking about a file or directory "alias" here (which includes symlinks, but also other stuff like NFS strangenesses and so on).</div>
    <div><br></div>
    <div>
    <span class="Apple-tab-span">	</span>- Jetty determines whether a file resource is an "alias" (symlink, etc) by simply comparing its initial path to its canonical path. &nbsp;</div>
    <div>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;If those do not match, then the resource is considered an "alias"</div>
    <div><br></div>
    <div>
    <span class="Apple-tab-span">	</span>- Then, Jetty checks if the configuration setting (which happens to be the "aliases" init-param) allows accessing/following such a resource.</div>
    <div>
    <span class="Apple-tab-span">		</span>*) If so, Jetty just serves up the "alias". BINGO. &nbsp; &nbsp; (presumably, this gets ultimately handled by low level Java IO calls via the system specific calls on the particular OS platform for reading/writing/.. files)</div>
    <div>
    <span class="Apple-tab-span">		</span>*) If not (which is the default), then Jetty behaves in pretty much the same way as Orion, forbidding the action.</div>
    <div><br></div>
    <div>Naturally, there is some pretty nice&nbsp;plumbing&nbsp;code around that as well (obtaining the relevant configuration option as well the alias checking code within all encapsulated the ContextHandler).</div>
    <div><br></div>
    <div>I thought this could be helpful for the folk(s) who will actually get around implementing something similar (at least in terms of capabilities) within Orion server.&nbsp;</div>
    <div>That could even include me &nbsp;-- if I ever get around really learning the internals of Orion, Equinox, Eclipse, ... (and start coding in Java)</div>
    <div><br></div>
    <div>In any case, I could probably help in specifying the behaviour and testing the actual implementation, and even take a stab at documenting it when done.</div>
    <div><br></div>
    <div>If you have actually continued reading this text up to this point, please let me know, and I'll buy you beer if you are in Paris (France) some day :-)</div>
    <div><br></div>
    <div>If you also go ahead and skim through the appendices below (i..e. yes, even the gorier details), &nbsp;then it will have to be a bottle of French wine with extra goodies :-)</div>
    <div><br></div>
    <div>Those further details included below are:</div>
    <div>
    <span class="Apple-tab-span">	</span>- My particular constraints</div>
    <div>
    <span class="Apple-tab-span">	</span>- My test environment (server &amp; client)</div>
    <div>
    <span class="Apple-tab-span">	</span>- Source code snippet from Orion 5.0 &nbsp;deemed relevant from &nbsp;"org.eclipse.orion.internal.server.servlets.file.NewFileServlet"</div>
    <div>
    <span class="Apple-tab-span">	</span>-&nbsp;Source code snippet from Jetty 8.x &nbsp; deemed relevant from &nbsp;<span><span>&nbsp;"org.eclipse.jetty.server.handler.</span></span><span>ContextHandler"</span>
    </div>
    <div>
    <span class="Apple-tab-span">		</span>-- There is actually also some related code in Jetty's "DefaultServlet" implementation that just obtains the configuration settings and sets the corresponding property of the context initially. &nbsp;&nbsp;</div>
    <div>&nbsp;<span class="Apple-tab-span">		</span>&nbsp; &nbsp;&nbsp;I haven't included that snippet, because that part is pretty straight-forward.</div>
    <div><br></div>
    <div>Cheers,</div>
    <div>Ayhan</div>
    <div>&nbsp;</div>
    <div><br></div>
    <div><br></div>
    <div>
    <div>##############################################################################################</div>
    <div>#&nbsp;MY CONSTRAINTS:</div>
    <div>##############################################################################################</div>
    </div>
    <div><br></div>
    <div>
    <ol class="MailOutline"><li>I cannot do without the symlinks. &nbsp;&nbsp;</li></ol>
    <ul class=""><li>Because, for various reasons, I am not able to change the way the files/directories are organised within the existing attached location, which contains a bunch of symlinks on some files and directories.<br><br>
    </li></ul>
    <li>If at all possible, I really would like to avoid having to cook myself a WAR deployment of Orion.</li>
    <ul class=""><li>Because, as it seems, Orion does is not -yet- distributed with a WAR deployment option, not even a boiler-plate.&nbsp;<br>Since I know how ignorant I am on WAR-cracft (and even on Java), it would take me several days to get something up and running, if I ever get there;&nbsp;<br><br>
    </li></ul>
    <li>Did I tell you I am in a hurry (for an urgent task)? &nbsp; &nbsp;-- but aren't we all? :-)<br><br>
    </li>
    <li>I love Orion so far.</li>
    <ul class=""><li>But if I can't find a resolution (even an acceptable workaround) to this issue in a day or so, I will probably find myself out there looking for an alternative to Orion... :-(</li></ul>
    </div>
    <div><br></div>
    <div><br></div>
    <div><br></div>
    <div>##############################################################################################</div>
    <div># EVEN GORIER DETAILS:</div>
    <div><div>##############################################################################################</div></div>
    <div><br></div>
    <div>#------------------------------------------------------------------------------------</div>
    <div># MY SERVER ENVIRONMENT&nbsp;(most probably irrelevant):</div>
    <div><div>#------------------------------------------------------------------------------------</div></div>
    <div>Orion release <span class="Apple-tab-span">		</span>= 5.0 (latest as of today)</div>
    <div>Server OS &nbsp; &nbsp; &nbsp;<span class="Apple-tab-span">		</span>= Debian (weezy)</div>
    <div>Java version&nbsp;<span class="Apple-tab-span">	</span>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;= "1.6.0_27"</div>
    <div>JRE<span class="Apple-tab-span">				</span>= OpenJDK Runtime Environment (IcedTea6 1.12.5) (6b27-1.12.5-1)</div>
    <div><br></div>
    <div># The Java Security Policy on the server machine ("/etc/java-6-openjdk/security/java.policy") now contains the following snippet (as a result of my failed attempts of hacking a solution to the pro:</div>
    <div><br></div>
    <div>
    <span class="Apple-tab-span">	</span>grant {</div>
    <div>
    <span class="Apple-tab-span">		</span>#&nbsp;...</div>
    <div>
    <span class="Apple-tab-span">		</span>permission java.io.FilePermission "/home/example/-", "read,write,delete,execute,readlink";</div>
    <div>
    <span class="Apple-tab-span">		</span># ...</div>
    <div>
    <span class="Apple-tab-span">	</span>};</div>
    <div><br></div>
    <div># Naturally, when the issue is resolved, I will restrict the "grant" to a given codeBase (which one?), but for the moment it's wide open :-)</div>
    <div><br></div>
    <div>
    <div>#------------------------------------------------------------------------------------</div>
    <div># MY CLIENT ENVIRONMENT (most probably irrelevant):</div>
    <div>#------------------------------------------------------------------------------------</div>
    </div>
    <div>OS&nbsp;<span class="Apple-tab-span">				</span>= Mac OS X 10.8.x (Mountain Lion)</div>
    <div>Browser<span class="Apple-tab-span">			</span>= Chrome &amp; Safari (tried both)</div>
    <div><br></div>
    <div><br></div>
    <div><br></div>
    <div><br></div>
    <div>
    <div>#==========================================================================================================</div>
    <div># RELEVANT ORION 5.0 SOURCE CODE &nbsp;snippet - &nbsp;which clearly suggests that Orion 5.0 forbids symbolic links (symlinks) altogether at this time.</div>
    <div># &nbsp; &nbsp; &nbsp;</div>
    <div># &nbsp; &nbsp;&nbsp;The following code snippet was obtained&nbsp;from the&nbsp;eclipse's official git repository&nbsp; <at>  around 2014-03-30T00:25:00GMT</div>
    <div>#</div>
    <div># &nbsp; &nbsp; via URL:&nbsp;<a href="http://git.eclipse.org/c/orion/org.eclipse.orion.server.git/tree/bundles/org.eclipse.orion.server.servlets/src/org/eclipse/orion/internal/server/servlets/file/NewFileServlet.java">http://git.eclipse.org/c/orion/org.eclipse.orion.server.git/tree/bundles/org.eclipse.orion.server.servlets/src/org/eclipse/orion/internal/server/servlets/file/NewFileServlet.java</a>
    </div>
    <div>#</div>
    <div># &nbsp; &nbsp; The code snippet involved is basically the "doGet" method of&nbsp;<span>NewFileServlet.</span>
    </div>
    <div>#</div>
    <div># &nbsp; &nbsp; // ... denotes omitted content deemed to be irrelevant.</div>
    <div>#==========================================================================================================</div>
    </div>
    <div><br></div>
    <div>// ...</div>
    <div>package org.eclipse.orion.internal.server.servlets.file;<div><br></div>
    </div>
    <div>// ...</div>
    <div><br></div>
    <div>public class NewFileServlet extends OrionServlet {
    </div>
    <div><span><br></span></div>
    <div><span>// ...</span></div>
    <div><br></div>
    <div>// lines of interest: [54 - 108]</div>
    <div>	 <at> Override
    	protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    		traceRequest(req);
    		String pathInfo = req.getPathInfo();
    		IPath path = pathInfo == null ? Path.ROOT : new Path(pathInfo);
    
    		// prevent path canonicalization hacks
    		if (pathInfo != null &amp;&amp; !pathInfo.equals(path.toString())) {
    			handleException(resp, new ServerStatus(IStatus.ERROR, HttpServletResponse.SC_FORBIDDEN, NLS.bind("Forbidden: {0}", pathInfo), null));
    			return;
    		}
    		//don't allow anyone to mess with metadata
    		if (path.segmentCount() &gt; 0 &amp;&amp; ".metadata".equals(path.segment(0))) { //$NON-NLS-1$
    			handleException(resp, new ServerStatus(IStatus.ERROR, HttpServletResponse.SC_FORBIDDEN, NLS.bind("Forbidden: {0}", pathInfo), null));
    			return;
    		}
    		IFileStore file = getFileStore(req, path);
    		IFileStore testLink = file;
    		while (testLink != null) {
    			IFileInfo info = testLink.fetchInfo();
    			if (info.getAttribute(EFS.ATTRIBUTE_SYMLINK)) {
    				if (file == testLink) {
    					handleException(resp, new ServerStatus(IStatus.ERROR, HttpServletResponse.SC_FORBIDDEN, NLS.bind("Forbidden: {0}", pathInfo), null));
    				} else {
    					handleException(resp, new ServerStatus(IStatus.ERROR, HttpServletResponse.SC_NOT_FOUND, NLS.bind("File not found: {0}", pathInfo), null));
    				}
    				return;
    			}
    			testLink = testLink.getParent();
    		}
    
    		if (file == null) {
    			handleException(resp, new ServerStatus(IStatus.ERROR, HttpServletResponse.SC_NOT_FOUND, NLS.bind("File not found: {0}", pathInfo), null));
    			return;
    		}
    		if (fileSerializer.handleRequest(req, resp, file))
    			return;
    		// finally invoke super to return an error for requests we don't know how to handle
    		super.doGet(req, resp);
    	}
    
    	 <at> Override
    	protected void doDelete(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    		doGet(req, resp);
    	}
    
    	 <at> Override
    	protected void doPut(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    		doGet(req, resp);
    	}
    
    	 <at> Override
    	protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    		doGet(req, resp);
    	}
    </div>
    <div><br></div>
    <div>// ...</div>
    <div><br></div>
    <div>}</div>
    <div><br></div>
    <div><br></div>
    <div><br></div>
    <div><br></div>
    <div>
    <div>#==========================================================================================================</div>
    <div># RELEVANT JETTY 8.x SOURCE CODE snippet that handles file and directory "aliases" (including symlinks)</div>
    <div>#</div>
    <div># &nbsp; &nbsp; This Jetty 8.x code snippet could perhaps be an inspiration for Orion 5.x (based on Jetty 8.x for the moment).&nbsp;</div>
    <div>&nbsp;# &nbsp; &nbsp;Note that Jetty 9.x seems to be handling this question in a completely different fashion, allowing for more granular control.</div>
    <div># &nbsp; &nbsp; &nbsp;</div>
    <div># &nbsp; &nbsp; The following code snippet was obtained from the eclipse's official git repository&nbsp; <at>  around 2014-03-30T00:25:00GMT</div>
    <div># &nbsp; &nbsp;&nbsp;via URL:&nbsp;<a href="http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/tree/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java?h=jetty-8">http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/tree/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java?h=jetty-8</a>
    </div>
    <div>#</div>
    <div># &nbsp; &nbsp; // ... denotes omitted content deemed to be irrelevant.</div>
    <div><div>#==========================================================================================================</div></div>
    </div>
    <div><br></div>
    <div>// ...</div>
    <div><span>package &nbsp; = &nbsp;org.eclipse.jetty.server.handler;</span></div>
    <div><span><br></span></div>
    <div>// ...</div>
    <div><br></div>
    <div>public class ContextHandler extends ScopedHandler implements Attributes, Server.Graceful
    {<div><br></div>
    </div>
    <div>// ...</div>
    <div><br></div>
    <div>// **** &nbsp;lines of interest: [1570 - 1618] ***************************</div>
    <div> public Resource getResource(String path) throws MalformedURLException
        {
            if (path == null || !path.startsWith(URIUtil.SLASH))
                throw new MalformedURLException(path);
    
            if (_baseResource == null)
                return null;
    
            try
            {
                path = URIUtil.canonicalPath(path);
                Resource resource = _baseResource.addPath(path);
    
                if (checkAlias(path,resource))
                    return resource;
                return null;
            }
            catch (Exception e)
            {
                LOG.ignore(e);
            }
    
            return null;
        }
    
        /* ------------------------------------------------------------ */
        public boolean checkAlias(String path, Resource resource)
        {
            // Is the resource aliased?
            if (!_aliasesAllowed &amp;&amp; resource.getAlias() != null)
            {
                if (LOG.isDebugEnabled())
                    LOG.debug("Aliased resource: " + resource + "~=" + resource.getAlias());
    
                // alias checks
                for (Iterator&lt;AliasCheck&gt; i=_aliasChecks.iterator();i.hasNext();)
                {
                    AliasCheck check = i.next();
                    if (check.check(path,resource))
                    {
                        if (LOG.isDebugEnabled())
                            LOG.debug("Aliased resource: " + resource + " approved by " + check);
                        return true;
                    }
                }
                return false;
            }
            return true;
        }
    </div>
    <div><br></div>
    <div><br></div>
    <div>// ...</div>
    <div><br></div>
    <div>}<div><br></div>
    </div>
    <div>
    <div>##############################################################################################</div>
    <div># END OF MESSAGE! &nbsp;-- yes, finally :-)</div>
    <div>##############################################################################################</div>
    </div>
    <div><br></div>
    <div><br></div>
    <div><br></div>
    <div><br></div>
    <div><span class="Apple-tab-span">	</span></div>
    </div>
    
    John Arthorne | 27 Mar 18:45 2014
    Picon

    [orion-dev] Orion Meeting Minutes - March 27, 2014

    https://wiki.eclipse.org/Orion/Meeting_minutes/20140327

    John
    <div>
    <a href="https://wiki.eclipse.org/Orion/Meeting_minutes/20140327">https://wiki.eclipse.org/Orion/Meeting_minutes/20140327</a>
    <br><br>John
    <br>
    </div>
    
    Bakhtiyor Homidov | 27 Mar 13:27 2014
    Picon

    [orion-dev] About similar projects

    Hi there,

    What's different from Ace & CodeMirror?
    What are have disadvantages/advantages from these editors?
    Are you reinventing existent code editors?

    Thanks,
    Bakhtiyor

    --
    Bakhtiyor Hamidov | Jr. Ruby Developer



    <div><div dir="ltr">
    <div>
    <div>Hi there,<br><br>What's different from Ace &amp; CodeMirror? <br>What are have disadvantages/advantages from these editors?<br>Are you reinventing existent code editors?<br><br>
    </div>Thanks,<br>
    </div>Bakhtiyor<br><br><div><div><div>--<br clear="all"><div><div dir="ltr">Bakhtiyor Hamidov | Jr. Ruby Developer<div>Mobile | <a href="tel:%28%2B992%29%2090%207682262" value="+992907682262" target="_blank">(+992) 90 7682262</a>
    </div>
    <div>Skype | <a>hbakhtiyor</a><br><div><a href="mailto:bakhtiyor.h@..." target="_blank">bakhtiyor.h <at> gmail.com</a></div>
    </div>
    <div><br></div>
    <div>
    <a href="http://www.linkedin.com/in/hbakhtiyor/" target="_blank">My&nbsp;Linkedin Profile</a>&nbsp; <a href="https://github.com/hbakhtiyor" target="_blank">My Github Profile</a>
    </div>
    
    <div><br></div>
    <div><br></div>
    </div></div>
    </div></div></div>
    </div></div>
    

    [orion-dev] Welcome Curtis Windatt as a new eclipse.orion Committer

    eclipse.orion Committers,
    This automatically generated message marks the completion of all the legal
    paperwork and webmaster provisioning for Curtis Windatt. Curtis Windatt is
    a new full Committer on the eclipse.orion project.
    
    Welcome!
    
    Anthony Hunter | 24 Mar 16:07 2014
    Picon

    [orion-dev] New Orion Downloads Page

    Hi Team,

    We have a "new" Orion downloads page at http://download.eclipse.org/orion/ . I have now started to publish builds from the hudson build [1]. We will have two sets of builds on the build page for a while. The PDE builds have no dash in the date like http://download.eclipse.org/orion/drops/I201403232230/index.html and the new builds published from hudson have a dash like http://download.eclipse.org/orion/drops/I20140324-0609/index.html .

    There are still a few tweaks that need to happen to make the publish work properly but if there are any issues let me know.

    [1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=415604

    Cheers...
    Anthony
    <div>Hi Team,
    <br><br>We have a "new" Orion downloads
    page at <a href="http://download.eclipse.org/orion/">http://download.eclipse.org/orion/</a>
    . I have now started to publish builds from the hudson build [1]. We will
    have two sets of builds on the build page for a while. The PDE builds have
    no dash in the date like <a href="http://download.eclipse.org/orion/drops/I201403232230/index.html">http://download.eclipse.org/orion/drops/I201403232230/index.html</a>
    and the new builds published from hudson have a dash like <a href="http://download.eclipse.org/orion/drops/I20140324-0609/index.html">http://download.eclipse.org/orion/drops/I20140324-0609/index.html</a>
    .
    <br><br>There are still a few tweaks that need
    to happen to make the publish work properly but if there are any issues
    let me know.
    <br><br>[1] <a href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=415604">https://bugs.eclipse.org/bugs/show_bug.cgi?id=415604</a>
    <br><br>Cheers...<br>
    Anthony<br>
    </div>
    
    Anthony Hunter | 21 Mar 18:49 2014
    Picon

    [orion-dev] Moved the Orion Target to use Luna M6

    Hi Team,

    I have updated the Orion target ( org.eclipse.orion.target/org.eclipse.orion.target.target ) to the repositories published with the latest Luna M6 milestone.

    I did some brief testing and everything seems good. I also ran a successful tycho/maven build on my workstation.

    This was bug https://bugs.eclipse.org/bugs/show_bug.cgi?id=430300.

    Cheers...
    Anthony
    <div>Hi Team,
    <br><br>I have updated the Orion target ( org.eclipse.orion.target/org.eclipse.orion.target.target
    ) to the repositories published with the latest Luna M6 milestone.
    <br><br>I did some brief testing and everything
    seems good. I also ran a successful tycho/maven build on my workstation.
    
    <br><br>This was bug <a href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=430300">https://bugs.eclipse.org/bugs/show_bug.cgi?id=430300</a>.
    <br><br>Cheers...<br>
    Anthony<br>
    </div>
    

    Gmane