Author: robertdzeigler
Date: Wed Dec 9 20:28:13 2009
New Revision: 888946
URL: http://svn.apache.org/viewvc?rev=888946&view=rev
Log:
TAP5-815: Asset dispatcher allows any file inside the webapp to be visible and
downloadable
Return 404 instead of 403 for restricted paths; removes chenillekit
contribution; adds default contribution for context assets; adds integration
test.
Added:
tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml
tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt
tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java
Modified:
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java
Modified:
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java
URL:
http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java?rev=888946&r1=888945&r2=888946&view=diff
==============================================================================
---
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java
(original)
+++
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java
Wed Dec 9 20:28:13 2009
@@ -275,4 +275,13 @@
*/
public static final String BLACKBIRD = "tapestry.blackbird";
+ /**
+ * Whether assets in the web application's context directory are available
by default.
+ * If true (the default), tapestry will provide conributions to the
appropriate services (RegexAuthorizer) to allow access
+ * to .js, .jpg, .jpeg, .png, .gif, and .css assets that reside within the
application context.
+ * If false, no such contributions will be made, and access to those
resources will be restricted
+ * without explicit user contributions.
+ */
+ public static final String CONTEXT_ASSETS_AVAILABLE
="tapestry.context-assets-available";
+
}
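Review bot: The javadoc on `CONTEXT_ASSETS_AVAILABLE` has a typo, `conributions` → `contributions`, and it would help to state exactly what the default contribution opens up rather than "assets that reside within the application context". Judging by the RegexAuthorizer contribution elsewhere in this commit, that is only paths under the versioned context folder (`ctx/<application-version>/`) whose every segment is dot-free and whose file name ends in one of the listed extensions; a sentence such as `Only paths under the versioned context folder with no dot-segments (e.g. "../") and one of these extensions are opened; everything else in the context stays blocked.` would make the security boundary explicit to someone toggling this symbol.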
Modified:
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java
URL:
http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java?rev=888946&r1=888945&r2=888946&view=diff
==============================================================================
---
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java
(original)
+++
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java
Wed Dec 9 20:28:13 2009
@@ -77,7 +77,7 @@
if (auth.accessDenied(resourcePath))
{
logger.debug("Denying access to " + resourcePath);
-
response.sendError(HttpServletResponse.SC_FORBIDDEN,resourcePath);
+ response.sendError(HttpServletResponse.SC_NOT_FOUND,
resourcePath);
return true;
}
}
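Review bot: The replacement `sendError` call still passes `resourcePath` as the status message, so the client-chosen request path is echoed straight into the container's error page; whether that text is HTML-escaped depends on the servlet container, and a 404 that is meant to look like "no such file" has no reason to carry it. `response.sendError(HttpServletResponse.SC_NOT_FOUND);` keeps the path only in the debug log line above, which is the right place for it. Returning 404 instead of 403 is a sensible change since it stops a caller from distinguishing a protected file from a missing one. The enclosing method starts and ends outside this hunk.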
Modified:
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
URL:
http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java?rev=888946&r1=888945&r2=888946&view=diff
==============================================================================
---
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
(original)
+++
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
Wed Dec 9 20:28:13 2009
@@ -2113,6 +2113,8 @@
configuration.add(SymbolConstants.ENCODE_LOCALE_INTO_PATH, "true");
configuration.add(SymbolConstants.BLACKBIRD_ENABLED, "false");
+
+ configuration.add(SymbolConstants.CONTEXT_ASSETS_AVAILABLE, "true");
}
@@ -2508,13 +2510,16 @@
public void contributeRegexAuthorizer(Configuration<String> regex,
@Symbol("tapestry.scriptaculous.path") String scriptPath,
@Symbol("tapestry.blackbird.path") String blackbirdPath,
- @Symbol("tapestry.datepicker.path") String datepickerPath)
- {
- //allow any js, jpg, jpeg, png, or css under org/chenillekit/tapstry.
The funky bit of ([^/.]+/)* is what allows
+ @Symbol("tapestry.datepicker.path") String datepickerPath,
+ @Symbol(SymbolConstants.CONTEXT_ASSETS_AVAILABLE) boolean
contextAvailable,
+ @Symbol(SymbolConstants.APPLICATION_VERSION) String appVersion)
+ {
+ //allow any js, jpg, jpeg, png, or css under org/apache/tapestry5,
along with
+ //resources for blackbird, scriptaculous, and the date picker.
+ // The funky bit of ([^/.]+/)* is what allows
//multiple paths, while not allowing any of those paths to contains
./ or ../ thereby preventing paths like:
- //org/chenillekit/tapestry/../../../foo.js
+ //org/apache/tapestry5/../../../foo.js
String pathPattern =
"([^/.]+/)*[^/.]+\\.((css)|(js)|(jpg)|(jpeg)|(png)|(gif))$";
- regex.add("^org/chenillekit/tapestry/" + pathPattern);
regex.add("^org/apache/tapestry5/" + pathPattern);
@@ -2523,6 +2528,10 @@
regex.add(scriptPath + "/" + pathPattern);
//allow access to virtual assets. Critical for tapestry-combined js
files.
regex.add("virtual/" + pathPattern);
+
+ if (contextAvailable) {
+ regex.add(RequestConstants.CONTEXT_FOLDER + appVersion + "/" +
pathPattern);
+ }
}
}
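Review bot: The new `regex.add(RequestConstants.CONTEXT_FOLDER + appVersion + "/" + pathPattern)` interpolates the application version into a regular expression unescaped, so a version containing regex metacharacters (a `.` is harmless but widens the match; `+`, `(`, `[` would change or break the pattern) silently alters what is authorized. Quote it and anchor it like the `^org/apache/tapestry5/` entry above, `regex.add("^" + RequestConstants.CONTEXT_FOLDER + Pattern.quote(appVersion) + "/" + pathPattern);`, adding `import java.util.regex.Pattern;` if the file does not already have it; the `^` matters only if RegexAuthorizer uses `find()` rather than `matches()`, which is not visible here, but the anchor costs nothing either way. Minor style point: the `if (contextAvailable) {` brace is on the same line while the rest of this method uses the file's Allman layout. The method's signature and first half are in the previous hunk.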
Added:
tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml
URL:
http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml?rev=888946&view=auto
==============================================================================
---
tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml
(added)
+++
tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml
Wed Dec 9 20:28:13 2009
@@ -0,0 +1,4 @@
+<html t:type="Border"
xmlns:t="http://tapestry.apache.org/schema/tapestry_5_1_0.xsd">
+<a href="${asset:context:availablefile.txt}">Available File</a>
+<a href="${asset:context:unavailablefile.txt}">Unavailable File</a>
+</html>
\ No newline at end of file
Added: tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt
URL:
http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt?rev=888946&view=auto
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt
(added)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt Wed
Dec 9 20:28:13 2009
@@ -0,0 +1 @@
+This file should be available to clients.
\ No newline at end of file
Added: tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt
URL:
http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt?rev=888946&view=auto
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt
(added)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt
Wed Dec 9 20:28:13 2009
@@ -0,0 +1 @@
+This file should not be available to clients.
\ No newline at end of file
Modified:
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
URL:
http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java?rev=888946&r1=888945&r2=888946&view=diff
==============================================================================
---
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
(original)
+++
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
Wed Dec 9 20:28:13 2009
@@ -3225,4 +3225,17 @@
assertTextPresent("Car Model: E-Class");
}
+
+ /** TAP5-815 */
+ @Test
+ public void testAssetProtection()
+ {
+ start("Asset Protection Demo");
+ clickAndWait("link=Unavailable File");
+ assertTextPresent("404");
+
+ start("Asset Protection Demo");
+ clickAndWait("link=Available File");
+ assertTextPresent("This file should be available to clients.");
+ }
}
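Review bot: `assertTextPresent("404")` in the first half of `testAssetProtection` is a weak check: it passes if the string 404 appears anywhere in the error page, and it never asserts that the protected content itself is absent from the response. Adding a negative assertion on the file's body, e.g. `assertFalse(isTextPresent("This file should not be available to clients."));` (or the equivalent helper the test base class provides), pins the property the ticket is actually about. It would also be worth asserting the status code directly if the test harness exposes it, since the error page wording is container-specific.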
Added:
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java
URL:
http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java?rev=888946&view=auto
==============================================================================
---
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java
(added)
+++
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java
Wed Dec 9 20:28:13 2009
@@ -0,0 +1,19 @@
+// Copyright 2009 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.apache.tapestry5.integration.app1.pages;
+
+public class AssetProtectionDemo
+{
+}
Modified:
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java
URL:
http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java?rev=888946&r1=888945&r2=888946&view=diff
==============================================================================
---
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java
(original)
+++
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java
Wed Dec 9 20:28:13 2009
@@ -391,7 +391,9 @@
new Item("ImageSubmitDemo", "Submit with an Image Demo", "Make sure
that submit with the image parameter set triggers the 'selected' event."),
- new Item("SelectZoneDemo", "Select Zone Demo", "Use a Select component
to update a zone.")
+ new Item("SelectZoneDemo", "Select Zone Demo", "Use a Select component
to update a zone."),
+
+ new Item("AssetProtectionDemo", "Asset Protection Demo",
"AssetProtectionDispatcher is properly contributed and functioning")
);
Modified:
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java
URL:
http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java?rev=888946&r1=888945&r2=888946&view=diff
==============================================================================
---
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java
(original)
+++
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java
Wed Dec 9 20:28:13 2009
@@ -23,6 +23,7 @@
import org.apache.tapestry5.ioc.MappedConfiguration;
import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.ioc.annotations.Marker;
+import org.apache.tapestry5.ioc.annotations.Symbol;
import org.apache.tapestry5.ioc.internal.util.CollectionFactory;
import org.apache.tapestry5.services.*;
import org.apache.tapestry5.test.JettyRunner;
@@ -258,21 +259,9 @@
configuration.add("ReverseStringsWorker", new ReverseStringsWorker());
}
- public static void contributeRegexAuthorizer(Configuration<String>
configuration) {
- //use this rather than a blanket regex (^.*.jpg$, etc.); want to be
sure that tests pass from the default
- //configuration setup, (eg: this way, I realized that the "virtual"
assets folder
- //needed to be opened up in the tapestry-provided contributions)
rather than from some blanket configuration in the appmodule
- //opening up all css, js, etc. files.
- //would contribute to whitelist except that the resource path between
ctxt and the rest of the path can change.
- configuration.add("^ctx/[^/]+/css/app\\.css$");
- configuration.add("^ctx/[^/]+/layout/style\\.css$");
- configuration.add("^ctx/[^/]+/layout/images/bg\\.gif$");
- configuration.add("^ctx/[^/]+/layout/images/header\\.gif$");
- configuration.add("^ctx/[^/]+/layout/images/rightsmall\\.gif$");
- configuration.add("^ctx/[^/]+/layout/images/rightbig\\.gif$");
- configuration.add("^ctx/[^/]+/layout/images/bottom\\.gif$");
- configuration.add("^ctx/[^/]+/layout/images/footer\\.gif$");
- configuration.add("^ctx/[^/]+/images/tapestry_banner\\.gif$");
- configuration.add("^ctx/[^/]+/images/asf_logo_wide\\.gif$");
+ public static void contributeWhitelistAuthorizer(
+ Configuration<String> configuration,
+ @Symbol(SymbolConstants.APPLICATION_VERSION) String appVersion) {
+ configuration.add("ctx/" + appVersion + "/availablefile.txt");
}
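Review bot: The whitelist entry hard-codes the `"ctx/"` prefix while the production contribution in TapestryModule builds the same path from `RequestConstants.CONTEXT_FOLDER`; if that constant ever changes the test keeps passing its own literal and stops exercising the real path. `configuration.add(RequestConstants.CONTEXT_FOLDER + appVersion + "/availablefile.txt");` keeps the two in step (assuming, as the production code suggests, that the constant already carries the trailing slash). The removed comment explaining why a blanket regex was avoided was useful context and could be kept in shortened form above the new method.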
}