The asset protection fails for some URLs in Tomcat
--------------------------------------------------

                 Key: TAP5-1005
                 URL: https://issues.apache.org/jira/browse/TAP5-1005
             Project: Tapestry 5
          Issue Type: Bug
          Components: tapestry-core
    Affects Versions: 5.1.0.7, 5.1.0.6
            Reporter: Sebastian Hennebrueder


A URL like
/mycontext/assets/de displays a file index on Tomcat 6, whereas
/mycontext/assets/de/ denies access correctly.
In fact any URL which is not a file and does not end with a / leads to a
directory index.

I fixed this with a BlackListAuthorizer for my application.
The URL /mycontext/assets/de leads to an empty 'someResourcePath' variable;
/mycontext/assets/de/foo leads to de/foo as the variable value. My solution denies
access for an empty resource path and in case the last segment has no '.', because I
assume that in that case it is not a file like foo.jpg.

Best Regards
Sebastian Hennebrueder
http://www.laliluna.de

import java.util.Arrays;
import java.util.Collection;
import java.util.List;

import org.apache.tapestry5.services.AssetPathAuthorizer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Imports added for completeness; the Tapestry package is the 5.1.x location of AssetPathAuthorizer.
public class BlacklistAuthorizer implements AssetPathAuthorizer {

    final Logger logger = LoggerFactory.getLogger(BlacklistAuthorizer.class);
    private final Collection<String> configuration;

    public BlacklistAuthorizer(final Collection<String> configuration) {
        this.configuration = configuration;
    }

    public boolean accessAllowed(final String someResourcePath) {
        // Blacklist only: anything not denied below is allowed.
        return true;
    }

    public boolean accessDenied(final String someResourcePath) {

        if (someResourcePath.endsWith("/")) {
            logger.debug("Denying access to {}", someResourcePath);
            return true;
        }
        if (someResourcePath.equals("")) {
            // this is mostly a bug fix for Tomcat for paths without trailing / like /assets/foo
            logger.debug("Denying access to empty resource path");
            return true;
        }

        // Look only at the last path segment: no '.' means it is not a file like foo.pdf or foo.js
        int pos = someResourcePath.lastIndexOf('/');
        if (pos < 0)
            pos = 0;
        String ending = someResourcePath.substring(pos);
        if (ending.indexOf('.') == -1) {
            logger.debug("Denying access to {}", someResourcePath);
            return true;
        }
        return false;
    }

    public List<Order> order() {
        return Arrays.asList(Order.DENY, Order.ALLOW);
    }

}
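As an added check (not part of this issue or of Tapestry itself), a small stand-alone harness that runs the resource paths named in this report through the BlacklistAuthorizer above in its declared DENY-then-ALLOW order and reports any decision that differs from what the report expects. It assumes that class is on the classpath together with Tapestry 5.1's org.apache.tapestry5.services.AssetPathAuthorizer, and the DENY-first combination below follows the order() list rather than Tapestry's own dispatcher code.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.tapestry5.services.AssetPathAuthorizer;

/** Ad-hoc harness (assumed: BlacklistAuthorizer from this issue is on the classpath). */
public class BlacklistAuthorizerCheck {

    // Resource paths as Tapestry hands them to the authorizer (context and "/assets/"
    // prefix already stripped), paired with the decision the issue report expects.
    private static final Map<String, Boolean> EXPECTED_DENIED = new LinkedHashMap<String, Boolean>();
    static {
        EXPECTED_DENIED.put("", true);            // /mycontext/assets/de  -> empty path (Tomcat listing)
        EXPECTED_DENIED.put("de/", true);         // /mycontext/assets/de/ -> trailing slash
        EXPECTED_DENIED.put("de/foo", true);      // last segment has no '.' -> treated as a directory
        EXPECTED_DENIED.put("de/foo.jpg", false); // looks like a file -> allowed
        EXPECTED_DENIED.put("foo.js", false);     // single-segment file -> allowed
    }

    /** Consults the authorizer in its declared order (DENY first, then ALLOW); fails closed. */
    static boolean isDenied(BlacklistAuthorizer authorizer, String resourcePath) {
        for (AssetPathAuthorizer.Order step : authorizer.order()) {
            if (step == AssetPathAuthorizer.Order.DENY && authorizer.accessDenied(resourcePath)) {
                return true;
            }
            if (step == AssetPathAuthorizer.Order.ALLOW && authorizer.accessAllowed(resourcePath)) {
                return false;
            }
        }
        return true; // nothing decided: deny
    }

    public static void main(String[] args) {
        BlacklistAuthorizer authorizer = new BlacklistAuthorizer(Collections.<String>emptyList());
        int failures = 0;
        for (Map.Entry<String, Boolean> e : EXPECTED_DENIED.entrySet()) {
            boolean denied = isDenied(authorizer, e.getKey());
            boolean ok = denied == e.getValue();
            if (!ok) {
                failures++;
            }
            System.out.printf("%-14s denied=%-5b expected=%-5b %s%n",
                    "'" + e.getKey() + "'", denied, e.getValue(), ok ? "OK" : "MISMATCH");
        }
        System.exit(failures == 0 ? 0 : 1);
    }
}
```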
