Repository: tapestry-5 Updated Branches: refs/heads/master a59d6271c -> d2d924735
TAP5-2601: Add configurable service to block access to classpath assets Project: http://git-wip-us.apache.org/repos/asf/tapestry-5/repo Commit: http://git-wip-us.apache.org/repos/asf/tapestry-5/commit/d2d92473 Tree: http://git-wip-us.apache.org/repos/asf/tapestry-5/tree/d2d92473 Diff: http://git-wip-us.apache.org/repos/asf/tapestry-5/diff/d2d92473 Branch: refs/heads/master Commit: d2d9247358fe5cb35e3fa34db906a49287730e9e Parents: a59d627 Author: Thiago H. de Paula Figueiredo <[email protected]> Authored: Fri Nov 23 16:35:40 2018 -0200 Committer: Thiago H. de Paula Figueiredo <[email protected]> Committed: Fri Nov 23 16:35:40 2018 -0200 ---------------------------------------------------------------------- .../apache/tapestry5/modules/AssetsModule.java | 30 +++++++++++++++--- .../services/ClasspathAssetProtectionRule.java | 33 ++++++++++++++++++++ .../src/test/app1/AssetProtectionDemo.tml | 3 ++ .../app1/fakeconfiguration.properties | 1 + .../integration/app1/fakeconfiguration.xml | 1 + 5 files changed, 64 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/tapestry-5/blob/d2d92473/tapestry-core/src/main/java/org/apache/tapestry5/modules/AssetsModule.java ---------------------------------------------------------------------- diff --git a/tapestry-core/src/main/java/org/apache/tapestry5/modules/AssetsModule.java b/tapestry-core/src/main/java/org/apache/tapestry5/modules/AssetsModule.java index bc306a3..16ab378 100644 --- a/tapestry-core/src/main/java/org/apache/tapestry5/modules/AssetsModule.java +++ b/tapestry-core/src/main/java/org/apache/tapestry5/modules/AssetsModule.java @@ -12,6 +12,9 @@ package org.apache.tapestry5.modules; +import java.util.List; +import java.util.Map; + import org.apache.tapestry5.SymbolConstants; import org.apache.tapestry5.internal.AssetConstants; import org.apache.tapestry5.internal.InternalConstants; 
@@ -20,6 +23,7 @@ import org.apache.tapestry5.internal.services.assets.*; import org.apache.tapestry5.internal.services.messages.ClientLocalizationMessageResource; import org.apache.tapestry5.ioc.*; import org.apache.tapestry5.ioc.annotations.*; +import org.apache.tapestry5.ioc.services.ChainBuilder; import org.apache.tapestry5.ioc.services.FactoryDefaults; import org.apache.tapestry5.ioc.services.SymbolProvider; import org.apache.tapestry5.services.*; @@ -27,8 +31,6 @@ import org.apache.tapestry5.services.assets.*; import org.apache.tapestry5.services.javascript.JavaScriptStackSource; import org.apache.tapestry5.services.messages.ComponentMessagesSource; -import java.util.Map; - /** * @since 5.3 */ @@ -272,7 +274,8 @@ public class AssetsModule ClasspathAssetAliasManager classpathAssetAliasManager, ResourceStreamer streamer, - AssetSource assetSource) + AssetSource assetSource, + ClasspathAssetProtectionRule classpathAssetProtectionRule) { Map<String, String> mappings = classpathAssetAliasManager.getMappings(); @@ -280,7 +283,7 @@ public class AssetsModule { String path = mappings.get(folder); - configuration.add(folder, new ClasspathAssetRequestHandler(streamer, assetSource, path)); + configuration.add(folder, new ClasspathAssetRequestHandler(streamer, assetSource, path, classpathAssetProtectionRule)); } configuration.add(RequestConstants.CONTEXT_FOLDER, 
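Review bot: The four-argument `ClasspathAssetRequestHandler` constructor called in `configuration.add(folder, ...)` is not part of this commit (the diffstat lists five files and the handler is not among them), so where `block(path)` is invoked cannot be reviewed here. It is worth confirming in the handler that the rule is evaluated on the resolved resource path before the streamer is reached, and that a blocked request gets the same response as a missing asset. In this hunk and the one at -272 the rule is wired only into the classpath handlers; the `RequestConstants.CONTEXT_FOLDER` registration just below is unchanged. The enclosing contribute method starts and ends outside both hunks.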
@@ -353,4 +356,23 @@ public class AssetsModule configuration.add("Asset", assetDispatcher, "before:ComponentEvent"); } + + @Primary + public static ClasspathAssetProtectionRule buildClasspathAssetProtectionRule( + List<ClasspathAssetProtectionRule> rules, ChainBuilder chainBuilder) + { + return chainBuilder.build(ClasspathAssetProtectionRule.class, rules); + } + + public static void contributeClasspathAssetProtectionRule( + OrderedConfiguration<ClasspathAssetProtectionRule> configuration) + { + ClasspathAssetProtectionRule classFileRule = (s) -> s.toLowerCase().endsWith(".class"); + configuration.add("ClassFile", classFileRule); + ClasspathAssetProtectionRule propertiesFileRule = (s) -> s.toLowerCase().endsWith(".properties"); + configuration.add("PropertiesFile", propertiesFileRule); + ClasspathAssetProtectionRule xmlFileRule = (s) -> s.toLowerCase().endsWith(".xml"); + configuration.add("XMLFile", xmlFileRule); + } + } http://git-wip-us.apache.org/repos/asf/tapestry-5/blob/d2d92473/tapestry-core/src/main/java/org/apache/tapestry5/services/ClasspathAssetProtectionRule.java ---------------------------------------------------------------------- diff --git a/tapestry-core/src/main/java/org/apache/tapestry5/services/ClasspathAssetProtectionRule.java b/tapestry-core/src/main/java/org/apache/tapestry5/services/ClasspathAssetProtectionRule.java new file mode 100644 index 0000000..6f8af44 --- /dev/null +++ b/tapestry-core/src/main/java/org/apache/tapestry5/services/ClasspathAssetProtectionRule.java 
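Review bot: The three default rules in `contributeClasspathAssetProtectionRule` call `s.toLowerCase()` with the JVM default locale, so under a Turkish locale an upper-case `I` becomes a dotless `ı` and a path ending in `.PROPERTIES` no longer matches `.properties`. Use `s.toLowerCase(Locale.ROOT).endsWith(".properties")` for all three rules, with `java.util.Locale` imported. The test is a plain suffix match on whatever string the handler passes in, so it only protects anything if that string is the normalized resource path, which this hunk does not show. Three extensions are a deny list, and every other classpath file type stays servable, so the method should carry a comment such as `// Default deny list only; applications must contribute rules for their own sensitive classpath resources`.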
@@ -0,0 +1,33 @@ +// Copyright 2018 The Apache Software Foundation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package org.apache.tapestry5.services; + +import org.apache.tapestry5.ioc.annotations.UsesOrderedConfiguration; + +/** + * Chain-of-responsibility service which defines rules for blocking access to classpath resources + * based on their paths. Access is blocked if any rule says it should be blocked. + * + * @see ComponentEventRequestHandler + */ +@UsesOrderedConfiguration(ClasspathAssetProtectionRule.class) +public interface ClasspathAssetProtectionRule +{ + /** + * Tells whether the access to the resource with this path should be blocked or not. + * If this rule doesn't concern the given path, it should return false. + */ + public boolean block(String path); +} http://git-wip-us.apache.org/repos/asf/tapestry-5/blob/d2d92473/tapestry-core/src/test/app1/AssetProtectionDemo.tml ---------------------------------------------------------------------- diff --git a/tapestry-core/src/test/app1/AssetProtectionDemo.tml b/tapestry-core/src/test/app1/AssetProtectionDemo.tml index e5e99db..e21bc61 100644 --- a/tapestry-core/src/test/app1/AssetProtectionDemo.tml +++ b/tapestry-core/src/test/app1/AssetProtectionDemo.tml 
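Review bot: The Javadoc on `block(String path)` does not say what form `path` has, which anyone writing a security rule needs to know: request path or classpath resource path, with or without a leading `/`, already decoded and normalized or not. A sentence such as `@param path the classpath resource path as resolved by the asset request handler (state here whether it is normalized and how case is treated)` would close that gap, once confirmed against the handler. The `@see ComponentEventRequestHandler` tag looks unrelated to this interface and is probably a leftover. Since `AssetsModule` builds the default rules from lambdas, `@FunctionalInterface` on the interface would keep it single-method, and the `public` modifier on `block` is redundant.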
@@ -16,6 +16,9 @@ <li><a href="${asset:context:META-INF/unavailable2.txt}">unavailable2.txt</a></li> <li><a href="${asset:context:AssetProtectionDemo.tml}">tml file</a></li> <li><a href="${asset:context:music/MusicDetails.tml}">nested tml file</a></li> + <li><a href="/assets/app//services/AppModule.class">.class file in the classpath</a></li> + <li><a href="${asset:classpath:/org/apache/tapestry5/integration/app1/fakeconfiguration.properties}">.properties file in the classpath</a></li> + <li><a href="${asset:classpath:/org/apache/tapestry5/integration/app1/fakeconfiguration.xml}">.xml file in the classpath</a></li> </ul> </html> http://git-wip-us.apache.org/repos/asf/tapestry-5/blob/d2d92473/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.properties ---------------------------------------------------------------------- diff --git a/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.properties b/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.properties new file mode 100644 index 0000000..2568df2 --- /dev/null +++ b/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.properties @@ -0,0 +1 @@ +accessible.by.users=false \ No newline at end of file http://git-wip-us.apache.org/repos/asf/tapestry-5/blob/d2d92473/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.xml ---------------------------------------------------------------------- diff --git a/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.xml b/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.xml new file mode 100644 index 0000000..709a5aa --- /dev/null +++ b/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.xml @@ -0,0 +1 @@ +<accesible-by-users>false</accesible-by-users> \ No newline at end of file
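Review bot: The `.class` link is the hard-coded URL `/assets/app//services/AppModule.class`, while the two links after it are generated with `${asset:classpath:...}`. With the double slash and no context path it may fail to resolve for reasons unrelated to the protection rule, so a refusal on that link would not show that the rule works. If the hard-coding is deliberate, a template comment such as `<!-- hard-coded: the asset binding cannot be used for .class resources -->` should say why. The diffstat lists only this template and the two fixture files, so no test visible in this commit requests the three links and asserts that they are refused.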
