[ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12748050#action_12748050 ]

Robert Zeigler commented on TAP5-815:
-------------------------------------

Ulrich, "Just allow access to Assets really required by pages or components" is 
easier said than done.  The assets required by a page are not known until the 
first time a page is requested and the corresponding page model is built.  Which 
means that it's difficult, at best, for an IOC module to access this 
information at service instantiation time; it will be instantiated when the 
first request comes in, /before/ the corresponding page is even loaded (due to 
dispatcher ordering), and that's on the first request, for a single page, 
before any other pages are loaded.  Any sort of asset authorization service 
that wanted to auto-enable required assets would need to have some sort of 
"addVisibleResource" method that is called whenever an asset is 
encountered/created during render.  I would advocate instead a whitelist 
approach where allowed files/file patterns are contributed via ioc 
contributions.  This would simplify things significantly.

As for assets used only by components, pages, and mixins, that's also a bit 
tricky, since it's possible for someone to write an alternative asset source 
that's used, eg, for file downloads (ie, not necessarily directly referenced by 
a page/component/mixin). 

Incidentally, a long while ago, I implemented and made available for public use 
an "AssetProtectionDispatcher" that is configured essentially via chain of 
command as specified by Thiago above, with slight variation (a bit more 
flexible; individual contributions specify whether they explicitly allow or 
deny access).  The module further provides two "AssetPathAuthorizer" 
implementations: one for explicit whitelisting by resource name, and the other 
for whitelisting by url pattern, with the whitelist being the last in the chain 
of command.  The module contributes a default set of values to the whitelist 
(everything used by tapestry's core components), but you'll need to add 
explicit access to other resources (eg: contributing a .*\.jpg to the 
RegexAuthorizer). 

Maven repo:
http://maven.saiwai-solutions.com
groupid: com.saiwaisolutions
artifactid: AssetProtectionDispatcher
version: 1.0.0

Alternatively, an older version is available on Tassel:
http://saiwai-solutions.com/Tassel/app?service=external/ViewComponent&sp=SAssetProtectionDispatcher

Version 1.0.0 also adds some default configurations to handle chenillekit-based 
assets.
Cheers!
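One way to lay out the allow/deny chain of command Robert describes, as an added illustration in plain Java; this is not the saiwai module's code and uses no Tapestry API (the AssetPathAuthorizer and Decision names are assumptions, and the sample paths are assumed to have already been stripped of the /assets/ctx/<digest>/ prefix):

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

public class AssetChainDemo {
    // Each link either decides or passes the question down the chain.
    enum Decision { ALLOW, DENY, NO_DECISION }

    // Hypothetical interface modelled on the comment's description, not a Tapestry type.
    interface AssetPathAuthorizer { Decision authorize(String resourcePath); }

    // Explicit deny for paths matching a pattern (contributed early in the chain).
    static AssetPathAuthorizer denyRegex(String regex) {
        Pattern p = Pattern.compile(regex);
        return path -> p.matcher(path).matches() ? Decision.DENY : Decision.NO_DECISION;
    }

    // Whitelist by exact resource name (the "explicit whitelisting" authorizer).
    static AssetPathAuthorizer allowNames(Set<String> names) {
        return path -> names.contains(path) ? Decision.ALLOW : Decision.NO_DECISION;
    }

    // Whitelist by URL pattern (the "RegexAuthorizer"); placed last in the chain.
    static AssetPathAuthorizer allowRegex(String regex) {
        Pattern p = Pattern.compile(regex);
        return path -> p.matcher(path).matches() ? Decision.ALLOW : Decision.NO_DECISION;
    }

    // Walk the chain in contribution order; the first ALLOW or DENY wins, default is DENY
    // so anything no contribution vouched for (WEB-INF, listings) stays hidden.
    static boolean isVisible(List<AssetPathAuthorizer> chain, String path) {
        for (AssetPathAuthorizer link : chain) {
            Decision d = link.authorize(path);
            if (d != Decision.NO_DECISION) return d == Decision.ALLOW;
        }
        return false;
    }

    public static void main(String[] args) {
        List<AssetPathAuthorizer> chain = new ArrayList<>();
        chain.add(denyRegex("(.*/)?WEB-INF/.*"));   // never serve the deployment descriptor tree
        chain.add(denyRegex("(.*/)?"));             // empty or trailing-slash path = directory listing
        chain.add(allowNames(Set.of("css/main.css")));
        chain.add(allowRegex(".*\\.jpg"));          // the .*\.jpg contribution from the comment
        // Constructed sample paths, assumed already stripped of the /assets/ctx/<digest>/ prefix.
        for (String p : new String[] {"css/main.css", "img/logo.jpg", "WEB-INF/web.xml", "css/", "", "app.properties"})
            System.out.println("'" + p + "' -> " + (isVisible(chain, p) ? "allow" : "deny"));
    }
}
```

Only css/main.css and img/logo.jpg come out as "allow"; the WEB-INF file, both directory paths and the unlisted app.properties are denied because the chain fails closed.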

> Asset dispatcher allows any file inside the webapp visible and downloadable
> ---------------------------------------------------------------------------
>
>                 Key: TAP5-815
>                 URL: https://issues.apache.org/jira/browse/TAP5-815
>             Project: Tapestry 5
>          Issue Type: Bug
>    Affects Versions: 5.1.0.5
>            Reporter: Thiago H. de Paula Figueiredo
>            Priority: Blocker
>
> Take any asset and you have a URL like 
> domain.com/assets/ctx/f10407a6c1753e39/css/main.css. If you request 
> domain.com/assets/ctx/f10407a6c1753e39/, a list containing all the files 
> inside the webapp root is shown. It gives you the hint at downloading any 
> file you want, including anything inside WEB-INF and assets that should be 
> protected by ResourceDigestGenerator.

-- 
This message is automatically generated by JIRA.