[ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12776968#action_12776968 ]

Ulrich Stärk commented on TAP5-815:
-----------------------------------

There should be an additional contribution to the RegexAuthorizer service:

regex.add(RequestConstants.CONTEXT_FOLDER + appVersion + "/" + pathPattern);

Otherwise access to css, js, jpg and all the other stuff coming from the 
individual application is denied by default. I know the docs say exactly so, but 
I think allowing some standard stuff out of the box is OK. People might 
just spend too much time figuring out why some standard things like css files, 
javascripts and pictures are blocked.

Uli

> Asset dispatcher allows any file inside the webapp visible and downloadable
> ---------------------------------------------------------------------------
>
>                 Key: TAP5-815
>                 URL: https://issues.apache.org/jira/browse/TAP5-815
>             Project: Tapestry 5
>          Issue Type: Bug
>    Affects Versions: 5.1.0.5
>            Reporter: Thiago H. de Paula Figueiredo
>            Assignee: Robert Zeigler
>            Priority: Blocker
>
> Take any asset and you have a URL like 
> domain.com/assets/ctx/f10407a6c1753e39/css/main.css. If you request 
> domain.com/assets/ctx/f10407a6c1753e39/, a list containing all the files 
> inside the webapp root is shown. It gives you the hint at downloading any 
> file you want, including anything inside WEB-INF and assets that should be 
> protected by ResourceDigestGenerator.
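
The effect of a contribution like the one in the comment above, sketched as a stand-alone default-deny allowlist (an added example, not code from the issue, the commenter or Tapestry). The folder and version strings are taken from the URL quoted in the issue; PATH_PATTERN, the class name and the sample paths are assumptions made for illustration.

```java
import java.util.List;
import java.util.regex.Pattern;

// Added illustration: a stand-alone default-deny allowlist, not Tapestry's RegexAuthorizer.
public class AssetAllowlistDemo {
    // Assumptions: folder and version are copied from the URL quoted in the issue;
    // PATH_PATTERN is a hypothetical value for the comment's pathPattern.
    static final String CONTEXT_FOLDER = "ctx/";
    static final String APP_VERSION = "f10407a6c1753e39";
    // No dots in directory names (so no ".." segments), fixed set of extensions,
    // and WEB-INF / META-INF rejected as the first folder under the context root.
    static final String PATH_PATTERN =
        "(?!(?i:WEB-INF|META-INF)/)(?:[A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+\\.(?:css|js|jpg|png|gif)";

    // Same concatenation as in the comment, with the version prefix quoted literally.
    static final List<Pattern> ALLOWED = List.of(
        Pattern.compile(Pattern.quote(CONTEXT_FOLDER + APP_VERSION + "/") + PATH_PATTERN));

    // Default deny: a path is served only if an allowlisted pattern matches all of it.
    static boolean isAllowed(String path) {
        for (Pattern p : ALLOWED) {
            if (p.matcher(path).matches()) {   // matches(), not find(): no partial hits
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample request paths, relative to /assets/.
        String[] samples = {
            "ctx/f10407a6c1753e39/css/main.css",           // ordinary stylesheet
            "ctx/f10407a6c1753e39/",                       // directory listing request
            "ctx/f10407a6c1753e39/WEB-INF/web.xml",        // protected descriptor
            "ctx/f10407a6c1753e39/WEB-INF/lib/app.js",     // allowed extension, protected folder
            "ctx/f10407a6c1753e39/css/../WEB-INF/web.xml", // traversal segment
            "ctx/f10407a6c1753e39/css/main.css.bak",       // trailing extension
        };
        for (String s : samples) {
            System.out.println((isAllowed(s) ? "ALLOW " : "DENY  ") + s);
        }
    }
}
```

Only the first sample is allowed; the bare folder, the WEB-INF paths, the traversal path and the `.bak` file all fall through to the default deny.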
