Author: hlship
Date: Sat Jan  9 00:46:42 2010
New Revision: 897358

URL: http://svn.apache.org/viewvc?rev=897358&view=rev
Log:
Improve some documentation about upgrades and Asset security

Modified:
    tapestry/tapestry5/trunk/src/site/apt/upgrade.apt
    
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java

Modified: tapestry/tapestry5/trunk/src/site/apt/upgrade.apt
URL: 
http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/src/site/apt/upgrade.apt?rev=897358&r1=897357&r2=897358&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/src/site/apt/upgrade.apt (original)
+++ tapestry/tapestry5/trunk/src/site/apt/upgrade.apt Sat Jan  9 00:46:42 2010
@@ -14,6 +14,16 @@
 
 Release 5.2.0
 
+* Asset Security
+
+  Tapestry now includes a new mechanism for ensuring the security of 
server-side assets, addressing a bug
+  that allowed a malicious user to search and download any file on the 
classpath. The new approach
+  is more secure, but is based on explicitly extending access; some existing 
frameworks (created to
+  be compatible with Tapestry 5.1) will need additional configuration to 
extend access to their
+  assets.  See the {{{guide/assets.html}notes on securing Assets}}. 
+
+* Template Parser back to SAX
+
   Tapestry no longer uses a StAX parser (it uses a normal SAX parser) to parse 
template. This change
   reduces the number of dependencies for Tapestry, and is a stepping stone to 
compatibility with
   Google App Engine.

Modified: 
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java
URL: 
http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java?rev=897358&r1=897357&r2=897358&view=diff
==============================================================================
--- 
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java
 (original)
+++ 
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java
 Sat Jan  9 00:46:42 2010
@@ -4,7 +4,7 @@
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
-//      http://www.apache.org/licenses/LICENSE-2.0
+// http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
@@ -14,6 +14,7 @@
 
 package org.apache.tapestry5.internal.services;
 
+import org.apache.tapestry5.ioc.annotations.UsesConfiguration;
 import org.apache.tapestry5.services.AssetPathAuthorizer;
 
 import java.util.ArrayList;
@@ -30,35 +31,32 @@
  * the whitelist authorizer, which has an explicit deny policy.
  * Hence, as long as the whitelist authorizer is being used in conjunction with
  * the regex authorizer, there is no need to worry about accessDenied in this 
authorizer.
- *
  */
+...@usesconfiguration(String.class)
 public class RegexAuthorizer implements AssetPathAuthorizer
 {
-    
+
     private final Collection<Pattern> _regexes;
-    
+
     public RegexAuthorizer(final Collection<String> regex)
     {
-        //an alternate way to construct this would be to make sure that each 
pattern is grouped
-        //and then to regex or the various patterns together into a single 
pattern.
-        //that might be faster, but probably not enough to make a difference, 
and this is cleaner.
+        // an alternate way to construct this would be to make sure that each 
pattern is grouped
+        // and then to regex or the various patterns together into a single 
pattern.
+        // that might be faster, but probably not enough to make a difference, 
and this is cleaner.
         List<Pattern> tmp = new ArrayList<Pattern>();
-        for(String exp : regex)
+        for (String exp : regex)
         {
             tmp.add(Pattern.compile(exp));
         }
         _regexes = Collections.unmodifiableCollection(tmp);
-        
+
     }
 
     public boolean accessAllowed(String resourcePath)
     {
-        for(Pattern regex : _regexes)
+        for (Pattern regex : _regexes)
         {
-            if (regex.matcher(resourcePath).matches())
-            {
-                return true;
-            }
+            if (regex.matcher(resourcePath).matches()) { return true; }
         }
         return false;
     }
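Review bot: The `@UsesConfiguration(String.class)` annotation now documents that the pattern list is a service contribution, but nothing in the class states the trust expected of those contributions; since `accessAllowed` returns true on the first full match of any contributed pattern and the commit's own upgrade notes describe this mechanism as the fix for arbitrary classpath download, a single over-broad contribution such as `.*` silently reopens that hole. I would add to the class Javadoc: `Each contributed pattern is matched against the entire asset path via Matcher.matches(), so patterns should be anchored to specific folders and extensions; a catch-all pattern grants access to every resource on the classpath.` The constructor comment could also state that `Pattern.compile` throws `PatternSyntaxException` for a malformed contribution, so a bad pattern fails the service at startup rather than at request time. The annotation line appears here as `...@usesconfiguration(String.class)`, which looks like a mail-rendering artifact of `@UsesConfiguration(String.class)`; if the lowercase form is what was committed it will not compile, so verify against the repository. The `accessDenied` method and the rest of the class continue outside this hunk.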
@@ -68,7 +66,7 @@
         return false;
     }
 
-    public List<Order> order() 
+    public List<Order> order()
     {
         return Arrays.asList(Order.ALLOW);
     }

