I still don't get why context assets, outside of WEB-INF, should ever be restricted? Did I miss that conversation?
On Thu, Dec 10, 2009 at 7:40 AM, Robert Zeigler <[email protected]> wrote: > Good catch. I'll fix it. > > Robert > > On Dec 10, 2009, at 12/101:53 AM , Ulrich Stärk wrote: > >> +1 >> >> That's a good compromise. >> >> Code format is not consistent though; in some places opening brackets are >> not on a new line in others they are. >> >> Uli >> >> On 09.12.2009 21:28 schrieb [email protected]: >>> >>> Author: robertdzeigler >>> Date: Wed Dec 9 20:28:13 2009 >>> New Revision: 888946 >>> >>> URL: http://svn.apache.org/viewvc?rev=888946&view=rev >>> Log: >>> TAP5-815: Asset dispatcher allows any file inside the webapp visible and >>> downloadable >>> Return 404 instead of 403 for restricted paths; removes chenillekit >>> contribution; adds default contribution for context assets; adds integration >>> test. >>> >>> Added: >>> >>> tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml >>> tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt >>> >>> tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt >>> >>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java >>> Modified: >>> >>> tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java >>> >>> tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java >>> >>> tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java >>> >>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java >>> >>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java >>> >>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java >>> >>> Modified: >>> 
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java >>> URL: >>> http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java?rev=888946&r1=888945&r2=888946&view=diff >>> >>> ============================================================================== >>> --- >>> tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java >>> (original) >>> +++ >>> tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java >>> Wed Dec 9 20:28:13 2009 
>>> @@ -275,4 +275,13 @@ >>> */ >>> public static final String BLACKBIRD = "tapestry.blackbird"; >>> >>> + /** >>> + * Whether assets in the web application's context directory are >>> available by default. >>> + * If true (the default), tapestry will provide conributions to the >>> appropriate services (RegexAuthorizer) to allow access >>> + * to .js, .jpg, .jpeg, .png, .gif, and .css assets that reside >>> within the application context. >>> + * If false, no such contributions will be made, and access to those >>> resources will be restricted >>> + * without explicit user contributions. >>> + */ >>> + public static final String CONTEXT_ASSETS_AVAILABLE >>> ="tapestry.context-assets-available"; >>> + >>> } >>> >>> Modified: >>> tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java >>> URL: >>> http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java?rev=888946&r1=888945&r2=888946&view=diff >>> >>> ============================================================================== >>> --- >>> tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java >>> (original) >>> +++ >>> tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java >>> Wed Dec 9 20:28:13 2009 
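Review bot: The Javadoc on the new CONTEXT_ASSETS_AVAILABLE constant misspells "contributions" as `conributions` on its second line, and it is the only place an operator will read about this switch, so it is worth getting right. It would also help to spell out the exposure the default implies, e.g. a closing sentence such as `Applications that keep non-public .js/.css/image files under the context root should set this to false and whitelist the files they intend to serve.`, since the constant as written only describes the mechanism. The rest of SymbolConstants is outside the hunk.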
>>> @@ -77,7 +77,7 @@ >>> if (auth.accessDenied(resourcePath)) >>> { >>> logger.debug("Denying access to " + >>> resourcePath); >>> - >>> response.sendError(HttpServletResponse.SC_FORBIDDEN,resourcePath); >>> + >>> response.sendError(HttpServletResponse.SC_NOT_FOUND, resourcePath); >>> return true; >>> } >>> } >>> >>> Modified: >>> tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java >>> URL: >>> http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java?rev=888946&r1=888945&r2=888946&view=diff >>> >>> ============================================================================== >>> --- >>> tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java >>> (original) >>> +++ >>> tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java >>> Wed Dec 9 20:28:13 2009 >>> @@ -2113,6 +2113,8 @@ >>> configuration.add(SymbolConstants.ENCODE_LOCALE_INTO_PATH, >>> "true"); >>> >>> configuration.add(SymbolConstants.BLACKBIRD_ENABLED, "false"); >>> + >>> + configuration.add(SymbolConstants.CONTEXT_ASSETS_AVAILABLE, >>> "true"); >>> } 
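Review bot: The new `response.sendError(HttpServletResponse.SC_NOT_FOUND, resourcePath)` keeps passing resourcePath, which presumably comes from the request, as the error message, so the denial still reflects client-supplied text into whatever error page the container renders and reveals that this particular path was evaluated. Since the purpose of answering 404 instead of 403 is to make restricted paths indistinguishable from missing ones, a message-free `response.sendError(HttpServletResponse.SC_NOT_FOUND);` serves that purpose better. The unchanged `logger.debug("Denying access to " + resourcePath)` just above is the only record of a denied asset request; an operator reviewing probing of the context directory would want that at info or warn rather than debug. The enclosing method starts and ends outside the hunk.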
>>> >>> >>> @@ -2508,13 +2510,16 @@ >>> public void contributeRegexAuthorizer(Configuration<String> regex, >>> @Symbol("tapestry.scriptaculous.path") String scriptPath, >>> @Symbol("tapestry.blackbird.path") String blackbirdPath, >>> - �...@symbol("tapestry.datepicker.path") String >>> datepickerPath) >>> - { >>> - //allow any js, jpg, jpeg, png, or css under >>> org/chenillekit/tapstry. The funky bit of ([^/.]+/)* is what allows >>> + �...@symbol("tapestry.datepicker.path") String >>> datepickerPath, >>> + �...@symbol(SymbolConstants.CONTEXT_ASSETS_AVAILABLE) >>> boolean contextAvailable, >>> + �...@symbol(SymbolConstants.APPLICATION_VERSION) String >>> appVersion) >>> + { >>> + //allow any js, jpg, jpeg, png, or css under >>> org/apache/tapestry5, along with >>> + //resources for blackbird, scriptaculous, and the date picker. >>> + // The funky bit of ([^/.]+/)* is what allows >>> //multiple paths, while not allowing any of those paths to >>> contains ./ or ../ thereby preventing paths like: >>> - //org/chenillekit/tapestry/../../../foo.js >>> + //org/apache/tapestry5/../../../foo.js >>> String pathPattern = >>> "([^/.]+/)*[^/.]+\\.((css)|(js)|(jpg)|(jpeg)|(png)|(gif))$"; >>> - regex.add("^org/chenillekit/tapestry/" + pathPattern); >>> >>> regex.add("^org/apache/tapestry5/" + pathPattern); 
>>> >>> @@ -2523,6 +2528,10 @@ >>> regex.add(scriptPath + "/" + pathPattern); >>> //allow access to virtual assets. Critical for tapestry-combined >>> js files. >>> regex.add("virtual/" + pathPattern); >>> + >>> + if (contextAvailable) { >>> + regex.add(RequestConstants.CONTEXT_FOLDER + appVersion + "/" >>> + pathPattern); >>> + } >>> } >>> >>> } >>> >>> Added: >>> tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml >>> URL: >>> http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml?rev=888946&view=auto >>> >>> ============================================================================== >>> --- >>> tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml >>> (added) >>> +++ >>> tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml >>> Wed Dec 9 20:28:13 2009 >>> @@ -0,0 +1,4 @@ >>> +<html t:type="Border" >>> xmlns:t="http://tapestry.apache.org/schema/tapestry_5_1_0.xsd"> >>> +<a href="${asset:context:availablefile.txt}">Available File</a> >>> +<a href="${asset:context:unavailablefile.txt}">Unavailable File</a> >>> +</html> >>> \ No newline at end of file >>> >>> Added: >>> tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt >>> URL: >>> http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt?rev=888946&view=auto >>> >>> ============================================================================== >>> --- >>> tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt >>> (added) >>> +++ >>> tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt Wed >>> Dec 9 20:28:13 2009 
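Review bot: In the added `regex.add(RequestConstants.CONTEXT_FOLDER + appVersion + "/" + pathPattern)` the application version is spliced into a regular expression unquoted, and unlike the `^org/apache/tapestry5/` entry in the preceding hunk the new entry has no `^` anchor. A version such as `1.0` makes the dot match any character, and if RegexAuthorizer matches with find() rather than matches() the missing anchor would let the context prefix be found in the middle of an unrelated path; `regex.add("^" + RequestConstants.CONTEXT_FOLDER + Pattern.quote(appVersion) + "/" + pathPattern);` closes both. I cannot see here whether CONTEXT_FOLDER already ends with a slash or how the authorizer applies its patterns, so the anchor part is worth confirming against RegexAuthorizer. The method's signature is in the previous hunk and its closing brace in this one.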
>>> @@ -0,0 +1 @@ >>> +This file should be available to clients. >>> \ No newline at end of file >>> >>> Added: >>> tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt >>> URL: >>> http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt?rev=888946&view=auto >>> >>> ============================================================================== >>> --- >>> tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt >>> (added) >>> +++ >>> tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt Wed >>> Dec 9 20:28:13 2009 >>> @@ -0,0 +1 @@ >>> +This file should not be available to clients. >>> \ No newline at end of file >>> >>> Modified: >>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java >>> URL: >>> http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java?rev=888946&r1=888945&r2=888946&view=diff >>> >>> ============================================================================== >>> --- >>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java >>> (original) >>> +++ >>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java >>> Wed Dec 9 20:28:13 2009 
>>> @@ -3225,4 +3225,17 @@ >>> >>> assertTextPresent("Car Model: E-Class"); >>> } >>> + >>> + /** TAP5-815 */ >>> + �...@test >>> + public void testAssetProtection() >>> + { >>> + start("Asset Protection Demo"); >>> + clickAndWait("link=Unavailable File"); >>> + assertTextPresent("404"); >>> + >>> + start("Asset Protection Demo"); >>> + clickAndWait("link=Available File"); >>> + assertTextPresent("This file should be available to clients."); >>> + } >>> } >>> >>> Added: >>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java >>> URL: >>> http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java?rev=888946&view=auto >>> >>> ============================================================================== >>> --- >>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java >>> (added) >>> +++ >>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java >>> Wed Dec 9 20:28:13 2009 
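Review bot: `assertTextPresent("404")` only checks that the digits 404 appear somewhere on the page, which depends on the container's default error page printing the status code and could also be satisfied incidentally; the test would be stronger if it additionally asserted that the body of the restricted file ("This file should not be available to clients.") does not appear, so a served-but-decorated response cannot pass. The `/** TAP5-815 */` Javadoc should say what is being verified, e.g. `/** TAP5-815: context assets are served only when whitelisted, and restricted paths answer 404 rather than 403. */`. The enclosing test class continues outside the hunk.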
>>> @@ -0,0 +1,19 @@ >>> +// Copyright 2009 The Apache Software Foundation >>> +// >>> +// Licensed under the Apache License, Version 2.0 (the "License"); >>> +// you may not use this file except in compliance with the License. >>> +// You may obtain a copy of the License at >>> +// >>> +// http://www.apache.org/licenses/LICENSE-2.0 >>> +// >>> +// Unless required by applicable law or agreed to in writing, software >>> +// distributed under the License is distributed on an "AS IS" BASIS, >>> +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or >>> implied. >>> +// See the License for the specific language governing permissions and >>> +// limitations under the License. >>> + >>> +package org.apache.tapestry5.integration.app1.pages; >>> + >>> +public class AssetProtectionDemo >>> +{ >>> +} >>> >>> Modified: >>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java >>> URL: >>> http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java?rev=888946&r1=888945&r2=888946&view=diff >>> >>> ============================================================================== >>> --- >>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java >>> (original) >>> +++ >>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java >>> Wed Dec 9 20:28:13 2009 
>>> @@ -391,7 +391,9 @@ >>> >>> new Item("ImageSubmitDemo", "Submit with an Image Demo", >>> "Make sure that submit with the image parameter set triggers the 'selected' >>> event."), >>> >>> - new Item("SelectZoneDemo", "Select Zone Demo", "Use a Select >>> component to update a zone.") >>> + new Item("SelectZoneDemo", "Select Zone Demo", "Use a Select >>> component to update a zone."), >>> + >>> + new Item("AssetProtectionDemo", "Asset Protection Demo", >>> "AssetProtectionDispatcher is properly contributed and functioning") >>> >>> ); >>> >>> >>> Modified: >>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java >>> URL: >>> http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java?rev=888946&r1=888945&r2=888946&view=diff >>> >>> ============================================================================== >>> --- >>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java >>> (original) >>> +++ >>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java >>> Wed Dec 9 20:28:13 2009 >>> @@ -23,6 +23,7 @@ >>> import org.apache.tapestry5.ioc.MappedConfiguration; >>> import org.apache.tapestry5.ioc.OrderedConfiguration; >>> import org.apache.tapestry5.ioc.annotations.Marker; >>> +import org.apache.tapestry5.ioc.annotations.Symbol; >>> import org.apache.tapestry5.ioc.internal.util.CollectionFactory; >>> import org.apache.tapestry5.services.*; >>> import org.apache.tapestry5.test.JettyRunner; 
>>> @@ -258,21 +259,9 @@ >>> configuration.add("ReverseStringsWorker", new >>> ReverseStringsWorker()); >>> } >>> >>> - public static void contributeRegexAuthorizer(Configuration<String> >>> configuration) { >>> - //use this rather than a blanket regex (^.*.jpg$, etc.); want to >>> be sure that tests pass from the default >>> - //configuration setup, (eg: this way, I realized that the >>> "virtual" assets folder >>> - //needed to be opened up in the tapestry-provided contributions) >>> rather than from some blanket configuration in the appmodule >>> - //opening up all css, js, etc. files. >>> - //would contribute to whitelist except that the resource path >>> between ctxt and the rest of the path can change. >>> - configuration.add("^ctx/[^/]+/css/app\\.css$"); >>> - configuration.add("^ctx/[^/]+/layout/style\\.css$"); >>> - configuration.add("^ctx/[^/]+/layout/images/bg\\.gif$"); >>> - configuration.add("^ctx/[^/]+/layout/images/header\\.gif$"); >>> - configuration.add("^ctx/[^/]+/layout/images/rightsmall\\.gif$"); >>> - configuration.add("^ctx/[^/]+/layout/images/rightbig\\.gif$"); >>> - configuration.add("^ctx/[^/]+/layout/images/bottom\\.gif$"); >>> - configuration.add("^ctx/[^/]+/layout/images/footer\\.gif$"); >>> - configuration.add("^ctx/[^/]+/images/tapestry_banner\\.gif$"); >>> - configuration.add("^ctx/[^/]+/images/asf_logo_wide\\.gif$"); >>> + public static void contributeWhitelistAuthorizer( >>> + Configuration<String> configuration, >>> + �...@symbol(SymbolConstants.APPLICATION_VERSION) String >>> appVersion) { >>> + configuration.add("ctx/" + appVersion + "/availablefile.txt"); >>> } >>> } >>> >>> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: [email protected] >> For additional commands, e-mail: [email protected] > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > > -- 
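Review bot: The new `contributeWhitelistAuthorizer` drops the explanatory comment the removed `contributeRegexAuthorizer` carried and gives no reason why `availablefile.txt` is listed, so a future cleanup could delete it and silently break testAssetProtection; a one-line comment such as `// TAP5-815: the one context asset AssetProtectionDemo must be able to serve; unavailablefile.txt is deliberately not listed so the test observes a 404.` would prevent that. The literal `"ctx/"` duplicates what TapestryModule expresses as RequestConstants.CONTEXT_FOLDER; if that constant is the same prefix the dispatcher uses, building the entry from it keeps the test aligned should the folder name ever change. The rest of AppModule is outside the hunk.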
Howard M. Lewis Ship Creator of Apache Tapestry The source for Tapestry training, mentoring and support. Contact me to learn how I can get you up and productive in Tapestry fast! (971) 678-5210 http://howardlewisship.com --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
