Author: robertdzeigler Date: Wed Dec 9 20:28:13 2009 New Revision: 888946 URL: http://svn.apache.org/viewvc?rev=888946&view=rev Log: TAP5-815: Asset dispatcher allows any file inside the webapp to be visible and downloadable. Returns 404 instead of 403 for restricted paths; removes chenillekit contribution; adds default contribution for context assets; adds integration test.
Added: tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java?rev=888946&r1=888945&r2=888946&view=diff ============================================================================== --- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java (original) +++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java Wed Dec 9 20:28:13 2009 
@@ -275,4 +275,13 @@ */ public static final String BLACKBIRD = "tapestry.blackbird"; + /** + * Whether assets in the web application's context directory are available by default. + * If true (the default), tapestry will provide conributions to the appropriate services (RegexAuthorizer) to allow access + * to .js, .jpg, .jpeg, .png, .gif, and .css assets that reside within the application context. + * If false, no such contributions will be made, and access to those resources will be restricted + * without explicit user contributions. + */ + public static final String CONTEXT_ASSETS_AVAILABLE ="tapestry.context-assets-available"; + } Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java?rev=888946&r1=888945&r2=888946&view=diff ============================================================================== --- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java (original) +++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java Wed Dec 9 20:28:13 2009 
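Review bot: The Javadoc added for CONTEXT_ASSETS_AVAILABLE misspells "contributions" as "conributions", and the declaration `public static final String CONTEXT_ASSETS_AVAILABLE ="tapestry.context-assets-available";` drops the space before the literal that the neighbouring BLACKBIRD constant has. The doc should also make the security consequence explicit rather than only listing extensions: with the default of true, every .js, .jpg, .jpeg, .png, .gif and .css file anywhere under the context becomes reachable through the asset URL, so an application that keeps such files private needs to set the symbol to false and contribute its own RegexAuthorizer patterns. One added sentence covers it: `Applications that must not expose every such file under the context should set this to false and contribute explicit patterns to RegexAuthorizer.`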
@@ -77,7 +77,7 @@
 if (auth.accessDenied(resourcePath))
 {
 logger.debug("Denying access to " + resourcePath);
- response.sendError(HttpServletResponse.SC_FORBIDDEN,resourcePath);
+ response.sendError(HttpServletResponse.SC_NOT_FOUND, resourcePath);
 return true;
 }
 }
Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java?rev=888946&r1=888945&r2=888946&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java Wed Dec 9 20:28:13 2009
@@ -2113,6 +2113,8 @@
 configuration.add(SymbolConstants.ENCODE_LOCALE_INTO_PATH, "true"); configuration.add(SymbolConstants.BLACKBIRD_ENABLED, "false"); + + configuration.add(SymbolConstants.CONTEXT_ASSETS_AVAILABLE, "true"); }
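Review bot: `response.sendError(HttpServletResponse.SC_NOT_FOUND, resourcePath);` still passes the requested path to the container as the error message, and servlet containers commonly render that message into their default error body; since resourcePath comes from the request, that echoes caller-controlled text back into the response and also confirms to the caller exactly which denied path was matched, which undercuts the reason for switching from 403 to 404. Prefer the one-argument form, `response.sendError(HttpServletResponse.SC_NOT_FOUND);`, and leave the path in the debug log only, where the preceding `logger.debug("Denying access to " + resourcePath);` already records it. The enclosing method begins before this hunk and continues after it.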
@@ -2508,13 +2510,16 @@ public void contributeRegexAuthorizer(Configuration<String> regex, @Symbol("tapestry.scriptaculous.path") String scriptPath, @Symbol("tapestry.blackbird.path") String blackbirdPath, - @Symbol("tapestry.datepicker.path") String datepickerPath) - { - //allow any js, jpg, jpeg, png, or css under org/chenillekit/tapstry. The funky bit of ([^/.]+/)* is what allows + @Symbol("tapestry.datepicker.path") String datepickerPath, + @Symbol(SymbolConstants.CONTEXT_ASSETS_AVAILABLE) boolean contextAvailable, + @Symbol(SymbolConstants.APPLICATION_VERSION) String appVersion) + { + //allow any js, jpg, jpeg, png, or css under org/apache/tapestry5, along with + //resources for blackbird, scriptaculous, and the date picker. + // The funky bit of ([^/.]+/)* is what allows //multiple paths, while not allowing any of those paths to contains ./ or ../ thereby preventing paths like: - //org/chenillekit/tapestry/../../../foo.js + //org/apache/tapestry5/../../../foo.js String pathPattern = "([^/.]+/)*[^/.]+\\.((css)|(js)|(jpg)|(jpeg)|(png)|(gif))$"; - regex.add("^org/chenillekit/tapestry/" + pathPattern); regex.add("^org/apache/tapestry5/" + pathPattern); @@ -2523,6 +2528,10 @@ regex.add(scriptPath + "/" + pathPattern); //allow access to virtual assets. Critical for tapestry-combined js files. regex.add("virtual/" + pathPattern); + + if (contextAvailable) { + regex.add(RequestConstants.CONTEXT_FOLDER + appVersion + "/" + pathPattern); + } } } Added: tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml?rev=888946&view=auto ============================================================================== --- tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml (added) +++ tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml Wed Dec 9 20:28:13 2009 
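Review bot: `regex.add(RequestConstants.CONTEXT_FOLDER + appVersion + "/" + pathPattern);` splices the application-version symbol into a regular expression unescaped, so the dots in a version such as 5.1.0.5 match any character and any other metacharacter in an application-supplied version silently changes the pattern; build it as `regex.add(RequestConstants.CONTEXT_FOLDER + Pattern.quote(appVersion) + "/" + pathPattern);` (java.util.regex.Pattern). The new entry, like the scriptPath and "virtual/" entries above it, is also not anchored with `^` while the org/apache/tapestry5 entry is; if RegexAuthorizer matches with find() rather than matches() an unanchored pattern fires on any path containing that substring, so either anchor the four consistently or confirm the matcher semantics. Because pathPattern accepts any dot-free directory chain, the default contribution also admits files under directories such as WEB-INF if the context asset factory can resolve them; that is worth confirming, and the method comment should state that the whole context tree is opened for the listed extensions when CONTEXT_ASSETS_AVAILABLE is true. The body of contributeRegexAuthorizer between the two hunks is not shown.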
@@ -0,0 +1,4 @@
+<html t:type="Border" xmlns:t="http://tapestry.apache.org/schema/tapestry_5_1_0.xsd">
+ <a href="${asset:context:availablefile.txt}">Available File</a>
+ <a href="${asset:context:unavailablefile.txt}">Unavailable File</a>
+</html>
\ No newline at end of file
Added: tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt?rev=888946&view=auto
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt (added)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt Wed Dec 9 20:28:13 2009
@@ -0,0 +1 @@
+This file should be available to clients.
\ No newline at end of file
Added: tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt?rev=888946&view=auto
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt (added)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt Wed Dec 9 20:28:13 2009
@@ -0,0 +1 @@
+This file should not be available to clients.
\ No newline at end of file
Modified: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java?rev=888946&r1=888945&r2=888946&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java Wed Dec 9 20:28:13 2009
@@ -3225,4 +3225,17 @@
 assertTextPresent("Car Model: E-Class"); } + + /** TAP5-815 */ + @Test + public void testAssetProtection() + { + start("Asset Protection Demo"); + clickAndWait("link=Unavailable File"); + assertTextPresent("404"); + + start("Asset Protection Demo"); + clickAndWait("link=Available File"); + assertTextPresent("This file should be available to clients."); + } }
Added: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java?rev=888946&view=auto
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java (added)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java Wed Dec 9 20:28:13 2009
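Review bot: `assertTextPresent("404");` in testAssetProtection only checks that the digits 404 appear somewhere on the resulting page, which would pass on any page that happens to contain that number and says nothing about whether the protected content leaked. The test should additionally assert that the body of unavailablefile.txt is absent, for example `assertFalse(isTextPresent("This file should not be available to clients."));` (Selenium 1's isTextPresent, assuming the base suite exposes it together with TestNG's assertFalse), and ideally assert the response status rather than rendered text. testAssetProtection is complete within this hunk.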
@@ -0,0 +1,19 @@
+// Copyright 2009 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.apache.tapestry5.integration.app1.pages;
+
+public class AssetProtectionDemo
+{
+}
Modified: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java?rev=888946&r1=888945&r2=888946&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java Wed Dec 9 20:28:13 2009
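Review bot: AssetProtectionDemo is added as an empty class with no Javadoc, so nothing in the source connects it to the template it backs or to the test that depends on it. A one-line comment is enough: `/** Page class for AssetProtectionDemo.tml; its two context-asset links are exercised by IntegrationTests.testAssetProtection (TAP5-815). */`.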
@@ -391,7 +391,9 @@
 new Item("ImageSubmitDemo", "Submit with an Image Demo", "Make sure that submit with the image parameter set triggers the 'selected' event."), - new Item("SelectZoneDemo", "Select Zone Demo", "Use a Select component to update a zone.") + new Item("SelectZoneDemo", "Select Zone Demo", "Use a Select component to update a zone."), + + new Item("AssetProtectionDemo", "Asset Protection Demo", "AssetProtectionDispatcher is properly contributed and functioning") );
Modified: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java?rev=888946&r1=888945&r2=888946&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java Wed Dec 9 20:28:13 2009
@@ -23,6 +23,7 @@
 import org.apache.tapestry5.ioc.MappedConfiguration;
 import org.apache.tapestry5.ioc.OrderedConfiguration;
 import org.apache.tapestry5.ioc.annotations.Marker;
+import org.apache.tapestry5.ioc.annotations.Symbol;
 import org.apache.tapestry5.ioc.internal.util.CollectionFactory;
 import org.apache.tapestry5.services.*;
 import org.apache.tapestry5.test.JettyRunner;
@@ -258,21 +259,9 @@ configuration.add("ReverseStringsWorker", new ReverseStringsWorker()); } - public static void contributeRegexAuthorizer(Configuration<String> configuration) { - //use this rather than a blanket regex (^.*.jpg$, etc.); want to be sure that tests pass from the default - //configuration setup, (eg: this way, I realized that the "virtual" assets folder - //needed to be opened up in the tapestry-provided contributions) rather than from some blanket configuration in the appmodule - //opening up all css, js, etc. files. - //would contribute to whitelist except that the resource path between ctxt and the rest of the path can change. - configuration.add("^ctx/[^/]+/css/app\\.css$"); - configuration.add("^ctx/[^/]+/layout/style\\.css$"); - configuration.add("^ctx/[^/]+/layout/images/bg\\.gif$"); - configuration.add("^ctx/[^/]+/layout/images/header\\.gif$"); - configuration.add("^ctx/[^/]+/layout/images/rightsmall\\.gif$"); - configuration.add("^ctx/[^/]+/layout/images/rightbig\\.gif$"); - configuration.add("^ctx/[^/]+/layout/images/bottom\\.gif$"); - configuration.add("^ctx/[^/]+/layout/images/footer\\.gif$"); - configuration.add("^ctx/[^/]+/images/tapestry_banner\\.gif$"); - configuration.add("^ctx/[^/]+/images/asf_logo_wide\\.gif$"); + public static void contributeWhitelistAuthorizer( + Configuration<String> configuration, + @Symbol(SymbolConstants.APPLICATION_VERSION) String appVersion) { + configuration.add("ctx/" + appVersion + "/availablefile.txt"); } }
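Review bot: `configuration.add("ctx/" + appVersion + "/availablefile.txt");` hard-codes the "ctx/" prefix, while the default contribution this test is meant to exercise builds its path from RequestConstants.CONTEXT_FOLDER in TapestryModule; if that constant ever differs from "ctx/" the whitelist silently stops matching and the "available" half of testAssetProtection fails with a 404 that looks like a protection regression rather than a fixture error. Use the same constant here if it is reachable from the test module (its package is not visible in this hunk). The removed method carried a comment explaining why the test app avoids blanket patterns, and its replacement has none; add one such as `// Whitelist exactly one context file; everything else relies on the default context contribution, so the test shows the dispatcher denies what is not explicitly allowed.`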