Author: robertdzeigler Date: Fri Dec 11 22:39:59 2009 New Revision: 889842 URL: http://svn.apache.org/viewvc?rev=889842&view=rev Log: TAP5-815: Asset dispatcher allows any file inside the webapp visible and downloadable. Improve the regex used for opening the context to allow for all context content as long as it's outside of the WEB-INF. Improve the integration test to test for a greater variety of situations.
Added: tapestry/tapestry5/trunk/tapestry-core/src/test/app1/WEB-INF/unavailable.css tapestry/tapestry5/trunk/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/pages/availablefile2.txt - copied unchanged from r889514, tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt tapestry/tapestry5/trunk/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/pages/unavailablefile.txt - copied unchanged from r889514, tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt Removed: tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java?rev=889842&r1=889841&r2=889842&view=diff ============================================================================== --- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java (original) +++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java Fri Dec 11 22:39:59 2009 
@@ -2931,7 +2931,12 @@ if (contextAvailable) { - regex.add(RequestConstants.CONTEXT_FOLDER + appVersion + "/" + pathPattern); + //we allow everything underneath the context folder, as long as it's not + //at or below WEB-INF. + //necessary since context assets are now handled via AssetDispatcher so that + //they can be compressed, combined, etc. + String contextPathPattern = "/(?!WEB-INF)([^/.]+/)*[^/]+$"; + regex.add(RequestConstants.CONTEXT_FOLDER + appVersion + contextPathPattern); } } Modified: tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml?rev=889842&r1=889841&r2=889842&view=diff ============================================================================== --- tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml (original) +++ tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml Fri Dec 11 22:39:59 2009 
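Review bot: The lookahead in `contextPathPattern` excludes only the literal prefix `WEB-INF`, so a `META-INF` folder under the context root still matches and would presumably be served now that context assets go through AssetDispatcher instead of the container's own static handling. Because `(?!WEB-INF)` has no trailing boundary, it also rejects unrelated top-level names that merely begin with those letters, and whether a differently-cased spelling is caught depends on how the authorizer compiles the pattern, which this hunk does not show. I would tighten it to `String contextPathPattern = "/(?!(?:WEB-INF|META-INF)(?:/|$))([^/.]+/)*[^/]+$";` and confirm the pattern is compiled case-insensitively, since some file systems resolve names without regard to case. The enclosing method starts and ends outside the hunk.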
@@ -1,4 +1,8 @@
 <html t:type="Border" xmlns:t="http://tapestry.apache.org/schema/tapestry_5_1_0.xsd">
 <a href="${asset:context:availablefile.txt}">Available File</a>
- <a href="${asset:context:unavailablefile.txt}">Unavailable File</a>
-</html>
\ No newline at end of file
+ <a href="${asset:context:WEB-INF/unavailable.css}">Unavailable CSS</a>
+ <a href="${asset:context:WEB-INF}">WEB-INF</a>
+ <a href="${asset:context:WEB-INF/}">WEB-INF/</a>
+ <a href="${asset:classpath:/org/apache/tapestry5/integration/app1/pages/unavailablefile.txt}">Unavailable File</a>
+ <a href="${asset:classpath:/org/apache/tapestry5/integration/app1/pages/availablefile2.txt}">Available File2</a>
+</html>
Added: tapestry/tapestry5/trunk/tapestry-core/src/test/app1/WEB-INF/unavailable.css
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/app1/WEB-INF/unavailable.css?rev=889842&view=auto
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/app1/WEB-INF/unavailable.css (added)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/app1/WEB-INF/unavailable.css Fri Dec 11 22:39:59 2009
@@ -0,0 +1,3 @@
+/*the originally contributed regex to open up context assets resulted in
+ * .css, .jpeg, etc. files in WEB-INF being accessible. This css file is just here for
+ * integration testing purposes to make sure that's not the case now.*/
\ No newline at end of file
Modified: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java?rev=889842&r1=889841&r2=889842&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java Fri Dec 11 22:39:59 2009
@@ -3295,12 +3295,29 @@ @Test public void testAssetProtection() { + //context resourcs should be available by default. + start("Asset Protection Demo"); + clickAndWait("link=Available File"); + assertTextPresent("This file should be available to clients."); + + start("Asset Protection Demo"); + clickAndWait("link=Unavailable CSS"); + assertTextPresent("HTTP ERROR: 404"); + + start("Asset Protection Demo"); + clickAndWait("link=WEB-INF"); + assertTextPresent("HTTP ERROR: 404"); + + start("Asset Protection Demo"); + clickAndWait("link=WEB-INF/"); + assertTextPresent("HTTP ERROR: 404"); + start("Asset Protection Demo"); clickAndWait("link=Unavailable File"); - assertTextPresent("404"); + assertTextPresent("HTTP ERROR: 404"); start("Asset Protection Demo"); - clickAndWait("link=Available File"); + clickAndWait("link=Available File2"); assertTextPresent("This file should be available to clients."); } } Modified: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java?rev=889842&r1=889841&r2=889842&view=diff ============================================================================== --- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java (original) +++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java Fri Dec 11 22:39:59 2009 
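Review bot: The denial cases in `testAssetProtection` cover only the exact `WEB-INF` spelling at the context root, so the boundaries of the context pattern added in TapestryModule are not pinned. I would add one link-and-assert pair for a top-level context folder whose name merely starts with the same letters and is expected to stay reachable, and one for a differently-cased `WEB-INF` path that must still show the 404 page, each with a matching link in AssetProtectionDemo.tml. The six start/click/assert triples could also be folded into a small private helper taking the link text and the expected page text, which would keep further cases to one line each. The new comment has a typo and should read `//context resources should be available by default.`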
@@ -259,10 +259,8 @@ configuration.add("ReverseStringsWorker", new ReverseStringsWorker()); } - public static void contributeWhitelistAuthorizer( - Configuration<String> configuration, - @Symbol(SymbolConstants.APPLICATION_VERSION) String appVersion) + public static void contributeWhitelistAuthorizer(Configuration<String> configuration) { - configuration.add("ctx/" + appVersion + "/availablefile.txt"); + configuration.add("org/apache/tapestry5/integration/app1/pages/availablefile2.txt"); } }
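Review bot: `contributeWhitelistAuthorizer` now lists a single classpath path with no comment saying why the context file no longer needs an entry. A short comment above the `configuration.add` call would help the next reader, for example `// context files outside WEB-INF are allowed by default; only the classpath file the demo must reach is whitelisted`. With the `@Symbol` parameter gone, the `Symbol` and `SymbolConstants` imports may now be unused; the import block is outside this hunk, so that needs checking in the file itself.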