Author: robertdzeigler
Date: Thu Dec 10 23:01:25 2009
New Revision: 889457

URL: http://svn.apache.org/viewvc?rev=889457&view=rev
Log:
TAP5-815: Asset dispatcher allows any file inside the webapp visible and 
downloadable
Backport changes from trunk to 5.1: 404 returned instead of 403 for restricted 
assets; add a new integration test; fix AssetProtectionDispatcher unit test; 
open up sensible context assets by default.


Added:
    
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/AssetProtectionDemo.tml
    
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/availablefile.txt
    
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/unavailablefile.txt
    
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java
Modified:
    
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java
    
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java
    
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
    
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
    
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java
    
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java
    
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java
    
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/urlrewriter/SimpleRequestWrapperTest.java

Modified: 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java
URL: 
http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java?rev=889457&r1=889456&r2=889457&view=diff
==============================================================================
--- 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java
 (original)
+++ 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java
 Thu Dec 10 23:01:25 2009
@@ -180,4 +180,13 @@
      */
     public static final String COMBINE_SCRIPTS = "tapestry.combine-scripts";
 
+    /**
+      * Whether assets in the web application's context directory are 
available by default.
+      * If true (the default), tapestry will provide conributions to the 
appropriate services (RegexAuthorizer) to allow access
+      * to .js, .jpg, .jpeg, .png, .gif, and .css assets that reside within 
the application context.
+      * If false, no such contributions will be made, and access to those 
resources will be restricted
+      * without explicit user contributions.
+      */
+     public static final String CONTEXT_ASSETS_AVAILABLE 
="tapestry.context-assets-available";
+    
 }
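Review bot: The new Javadoc on `CONTEXT_ASSETS_AVAILABLE` misspells "contributions" as `conributions`, and the comment block and constant are indented one column deeper than `COMBINE_SCRIPTS` just above it. `* If true (the default), Tapestry will provide contributions to the appropriate services (RegexAuthorizer) to allow access` fixes the typo and the product-name casing in one line. The declaration also appears as `CONTEXT_ASSETS_AVAILABLE ="tapestry.context-assets-available"` with no space after `=`, although that may be an artifact of the mail wrapping; `= "tapestry.context-assets-available"` is the spacing used elsewhere in the file.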

Modified: 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java
URL: 
http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java?rev=889457&r1=889456&r2=889457&view=diff
==============================================================================
--- 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java
 (original)
+++ 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java
 Thu Dec 10 23:01:25 2009
@@ -77,7 +77,7 @@
                     if (auth.accessDenied(resourcePath))
                     {
                         logger.debug("Denying access to " + resourcePath);
-                        
response.sendError(HttpServletResponse.SC_FORBIDDEN,resourcePath);
+                        
response.sendError(HttpServletResponse.SC_NOT_FOUND,resourcePath);
                         return true;
                     }
                 }
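Review bot: The denial still passes the request-derived `resourcePath` as the `sendError` message, so the 404 page for a restricted asset carries path text from the request into the error body and is visibly different from the container's page for an asset that genuinely does not exist, which undercuts the reason for switching from 403 to 404. Whether the container HTML-escapes that message when rendering its default error page depends on the container, so it is better not to rely on it. A fixed message keeps the two cases indistinguishable, e.g. `response.sendError(HttpServletResponse.SC_NOT_FOUND, "Not Found");`, with the mock expectation in AssetProtectionDispatcherTest adjusted to match; the path is already captured by the preceding `logger.debug`, so nothing is lost for diagnosis. The enclosing method starts and ends outside the hunk.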

Modified: 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
URL: 
http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java?rev=889457&r1=889456&r2=889457&view=diff
==============================================================================
--- 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
 (original)
+++ 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
 Thu Dec 10 23:01:25 2009
@@ -2087,6 +2087,8 @@
         configuration.add(SymbolConstants.COMBINE_SCRIPTS, 
matchProductionMode);
 
         configuration.add(SymbolConstants.ENCODE_LOCALE_INTO_PATH, "true");
+
+        configuration.add(SymbolConstants.CONTEXT_ASSETS_AVAILABLE, "true");
     }
 
 
@@ -2436,13 +2438,15 @@
     public void contributeRegexAuthorizer(Configuration<String> regex,
                 @Symbol("tapestry.scriptaculous.path") String scriptPath,
                 @Symbol("tapestry.blackbird.path") String blackbirdPath,
-                @Symbol("tapestry.datepicker.path") String datepickerPath)
+                @Symbol("tapestry.datepicker.path") String datepickerPath,
+                @Symbol(SymbolConstants.CONTEXT_ASSETS_AVAILABLE) boolean 
contextAvailable,
+                @Symbol(SymbolConstants.APPLICATION_VERSION) String appVersion)
+
     {
-        //allow any js, jpg, jpeg, png, or css under org/chenillekit/tapstry. 
The funky bit of ([^/.]+/)* is what allows
+        //allow any js, jpg, jpeg, png, or css under org/apache/tapstry5. The 
funky bit of ([^/.]+/)* is what allows
         //multiple paths, while not allowing any of those paths to contains ./ 
or ../ thereby preventing paths like:
-        //org/chenillekit/tapestry/../../../foo.js
+        //org/apache/tapestry5/../../../foo.js
         String pathPattern = 
"([^/.]+/)*[^/.]+\\.((css)|(js)|(jpg)|(jpeg)|(png)|(gif))$";
-        regex.add("^org/chenillekit/tapestry/" + pathPattern);
 
         regex.add("^org/apache/tapestry5/" + pathPattern);
 
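Review bot: `contributeRegexAuthorizer` now depends on two symbols, `contextAvailable` and `appVersion`, but the method has no Javadoc saying that the context-assets switch opens the versioned context folder for the listed extensions; a short Javadoc describing both switches and what `pathPattern` admits would help the next reader. The rewritten comment still says `tapstry` and lists only js, jpg, jpeg, png and css although `pathPattern` also admits gif; `//allow any css, js, jpg, jpeg, png, or gif under org/apache/tapestry5. The funky bit of ([^/.]+/)* is what allows` would match the pattern. The blank line left between the parameter list and the opening brace is a style nit. The method body continues past the hunk.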
@@ -2451,6 +2455,12 @@
         regex.add(scriptPath + "/" + pathPattern);
         //allow access to virtual assets. Critical for tapestry-combined js 
files.
         regex.add("virtual/" + pathPattern);
+
+        if (contextAvailable) 
+        {
+            regex.add(RequestConstants.CONTEXT_FOLDER + appVersion + "/" + 
pathPattern);
+        }
+
     }
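Review bot: `appVersion` is spliced into a regular expression unquoted in the new `regex.add(...)` call, so any regex metacharacter in the application version changes the rule — a `.` already matches any character, and something like an unbalanced `(` would make the pattern fail to compile when the authorizer builds it. Quoting it keeps the version literal: `regex.add(RequestConstants.CONTEXT_FOLDER + Pattern.quote(appVersion) + "/" + pathPattern);` (with `java.util.regex.Pattern` in scope). Whether the entry also needs a leading `^` depends on how RegexAuthorizer matches; the existing `virtual/` entry above is equally unanchored, so I cannot tell from here, but it is worth confirming since this rule is what gates the whole context folder. The method starts outside the hunk.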
 
 }

Added: 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/AssetProtectionDemo.tml
URL: 
http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/AssetProtectionDemo.tml?rev=889457&view=auto
==============================================================================
--- 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/AssetProtectionDemo.tml
 (added)
+++ 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/AssetProtectionDemo.tml
 Thu Dec 10 23:01:25 2009
@@ -0,0 +1,4 @@
+<html t:type="Border" 
xmlns:t="http://tapestry.apache.org/schema/tapestry_5_1_0.xsd";>
+    <a href="${asset:context:availablefile.txt}">Available File</a>
+    <a href="${asset:context:unavailablefile.txt}">Unavailable File</a>
+</html>
\ No newline at end of file

Added: 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/availablefile.txt
URL: 
http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/availablefile.txt?rev=889457&view=auto
==============================================================================
--- 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/availablefile.txt
 (added)
+++ 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/availablefile.txt
 Thu Dec 10 23:01:25 2009
@@ -0,0 +1 @@
+This file should be available to clients.
\ No newline at end of file

Added: 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/unavailablefile.txt
URL: 
http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/unavailablefile.txt?rev=889457&view=auto
==============================================================================
--- 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/unavailablefile.txt
 (added)
+++ 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/unavailablefile.txt
 Thu Dec 10 23:01:25 2009
@@ -0,0 +1 @@
+This file should not be available to clients.
\ No newline at end of file

Modified: 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
URL: 
http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java?rev=889457&r1=889456&r2=889457&view=diff
==============================================================================
--- 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
 (original)
+++ 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
 Thu Dec 10 23:01:25 2009
@@ -3030,4 +3030,17 @@
         assertTextPresent("Car Model: E-Class");
     }
 
+    /** TAP5-815 */
+    @Test
+    public void testAssetProtection()
+    {
+        start("Asset Protection Demo");
+        clickAndWait("link=Unavailable File");
+        assertTextPresent("404");
+
+        start("Asset Protection Demo");
+        clickAndWait("link=Available File");
+        assertTextPresent("This file should be available to clients.");
+    }
+
 }
\ No newline at end of file
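Review bot: `assertTextPresent("404")` only checks that the digits 404 appear somewhere on the page reached from the Unavailable File link; it does not check that the file's contents stayed hidden, which is the property TAP5-815 is about, and the wording of the error page belongs to the servlet container rather than to Tapestry. Asserting the negative as well, e.g. `assertFalse(isTextPresent("This file should not be available to clients."));` after the first click (assuming the test base exposes Selenium's `isTextPresent`, as its other helpers suggest), pins the security behaviour independently of the error page layout. The `/** TAP5-815 */` Javadoc could also say what is verified: `/** TAP5-815: restricted context assets answer 404, whitelisted ones are served. */`.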

Added: 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java
URL: 
http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java?rev=889457&view=auto
==============================================================================
--- 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java
 (added)
+++ 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java
 Thu Dec 10 23:01:25 2009
@@ -0,0 +1,19 @@
+// Copyright 2009 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.apache.tapestry5.integration.app1.pages;
+
+public class AssetProtectionDemo
+{
+}
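Review bot: The new page class is empty and has no Javadoc, so nothing explains why it exists. `/** Page class behind AssetProtectionDemo.tml; exists only so the TAP5-815 integration test has a page linking to a whitelisted and a restricted context asset. */` above the class declaration would make that clear.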

Modified: 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java
URL: 
http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java?rev=889457&r1=889456&r2=889457&view=diff
==============================================================================
--- 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java
 (original)
+++ 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java
 Thu Dec 10 23:01:25 2009
@@ -354,8 +354,9 @@
             
             new Item("ImageSubmitDemo", "Submit with an Image Demo", "Make 
sure that submit with the image parameter set triggers the 'selected' event."),
             
-            new Item("SelectZoneDemo", "Select Zone Demo", "Use a Select 
component to update a zone.")
+            new Item("SelectZoneDemo", "Select Zone Demo", "Use a Select 
component to update a zone."),
 
+            new Item("AssetProtectionDemo", "Asset Protection Demo", 
"AssetProtectionDispatcher is properly contributed and functioning")
 
     );
 

Modified: 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java
URL: 
http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java?rev=889457&r1=889456&r2=889457&view=diff
==============================================================================
--- 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java
 (original)
+++ 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java
 Thu Dec 10 23:01:25 2009
@@ -19,10 +19,12 @@
 import org.apache.tapestry5.integration.app1.data.ToDoItem;
 import org.apache.tapestry5.integration.app1.data.Track;
 import org.apache.tapestry5.internal.services.GenericValueEncoderFactory;
+import org.apache.tapestry5.internal.services.RequestConstants;
 import org.apache.tapestry5.ioc.Configuration;
 import org.apache.tapestry5.ioc.MappedConfiguration;
 import org.apache.tapestry5.ioc.OrderedConfiguration;
 import org.apache.tapestry5.ioc.annotations.Marker;
+import org.apache.tapestry5.ioc.annotations.Symbol;
 import org.apache.tapestry5.ioc.internal.util.CollectionFactory;
 import org.apache.tapestry5.services.*;
 import org.apache.tapestry5.test.JettyRunner;
@@ -256,21 +258,10 @@
         configuration.add("ReverseStringsWorker", new ReverseStringsWorker());
     }
 
-    public static void contributeRegexAuthorizer(Configuration<String> 
configuration) {
-        //use this rather than a blanket regex (^.*.jpg$, etc.); want to be 
sure that tests pass from the default
-        //configuration setup, (eg: this way, I realized that the "virtual" 
assets folder
-        //needed to be opened up in the tapestry-provided contributions) 
rather than from some blanket configuration in the appmodule
-        //opening up all css, js, etc. files.
-        //would contribute to whitelist except that the resource path between 
ctxt and the rest of the path can change.
-        configuration.add("^ctx/[^/]+/css/app\\.css$");
-        configuration.add("^ctx/[^/]+/layout/style\\.css$");
-        configuration.add("^ctx/[^/]+/layout/images/bg\\.gif$");
-        configuration.add("^ctx/[^/]+/layout/images/header\\.gif$");
-        configuration.add("^ctx/[^/]+/layout/images/rightsmall\\.gif$");
-        configuration.add("^ctx/[^/]+/layout/images/rightbig\\.gif$");
-        configuration.add("^ctx/[^/]+/layout/images/bottom\\.gif$");
-        configuration.add("^ctx/[^/]+/layout/images/footer\\.gif$");
-        configuration.add("^ctx/[^/]+/images/tapestry_banner\\.gif$");
-        configuration.add("^ctx/[^/]+/images/asf_logo_wide\\.gif$");
+    public static void contributeWhitelistAuthorizer(
+            Configuration<String> configuration,
+            @Symbol(SymbolConstants.APPLICATION_VERSION) String appVersion) 
+    {
+        configuration.add(RequestConstants.CONTEXT_FOLDER + appVersion + 
"/availablefile.txt");
     }
 }
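Review bot: The removed `contributeRegexAuthorizer` carried a comment explaining why the test app avoided a blanket regex, but the replacement `contributeWhitelistAuthorizer` has no comment, and it is not obvious to a reader why exactly one .txt file is whitelisted. A comment such as `// TAP5-815: availablefile.txt is served only because of this entry; unavailablefile.txt in the same folder has no rule and must answer 404 (see IntegrationTests.testAssetProtection).` would preserve that intent. The `appVersion)` parameter line also has trailing whitespace — style nit.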

Modified: 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java
URL: 
http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java?rev=889457&r1=889456&r2=889457&view=diff
==============================================================================
--- 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java
 (original)
+++ 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java
 Thu Dec 10 23:01:25 2009
@@ -75,7 +75,7 @@
         Response response = createMock(Response.class);
         expect(request.getPath()).andReturn(RequestConstants.ASSET_PATH_PREFIX 
+ "/cayenne.xml");
         expect(request.getPath()).andReturn(RequestConstants.ASSET_PATH_PREFIX 
+ "/org/apache/tapestry/default.css");
-        response.sendError(HttpServletResponse.SC_FORBIDDEN, "/cayenne.xml");
+        response.sendError(HttpServletResponse.SC_NOT_FOUND, "/cayenne.xml");
         
         ClasspathAssetAliasManager manager = 
createMock(ClasspathAssetAliasManager.class);
         expect(manager.toResourcePath(RequestConstants.ASSET_PATH_PREFIX + 
"/cayenne.xml")).andReturn("/cayenne.xml");

Modified: 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/urlrewriter/SimpleRequestWrapperTest.java
URL: 
http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/urlrewriter/SimpleRequestWrapperTest.java?rev=889457&r1=889456&r2=889457&view=diff
==============================================================================
--- 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/urlrewriter/SimpleRequestWrapperTest.java
 (original)
+++ 
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/urlrewriter/SimpleRequestWrapperTest.java
 Thu Dec 10 23:01:25 2009
@@ -165,10 +165,12 @@
         
         boolean exceptionRaised = false;
 
-        try {
+        try 
+        {
             new SimpleRequestWrapper(request, serverName, path);
         }
-        catch (RuntimeException e) {
+        catch (RuntimeException e) 
+        {
             exceptionRaised = true;
         }
 
@@ -182,10 +184,12 @@
         
         boolean exceptionRaised = false;
 
-        try {
+        try 
+        {
             new SimpleRequestWrapper(request, path);
         }
-        catch (RuntimeException e) {
+        catch (RuntimeException e) 
+        {
             exceptionRaised = true;
         }
 

