Posted to commits@tapestry.apache.org by th...@apache.org on 2018/11/23 18:35:51 UTC
tapestry-5 git commit: TAP5-2601: Add configurable service to block
access to classpath assets
Repository: tapestry-5
Updated Branches:
refs/heads/master a59d6271c -> d2d924735
TAP5-2601: Add configurable service to block access to classpath assets
Project: http://git-wip-us.apache.org/repos/asf/tapestry-5/repo
Commit: http://git-wip-us.apache.org/repos/asf/tapestry-5/commit/d2d92473
Tree: http://git-wip-us.apache.org/repos/asf/tapestry-5/tree/d2d92473
Diff: http://git-wip-us.apache.org/repos/asf/tapestry-5/diff/d2d92473
Branch: refs/heads/master
Commit: d2d9247358fe5cb35e3fa34db906a49287730e9e
Parents: a59d627
Author: Thiago H. de Paula Figueiredo <th...@arsmachina.com.br>
Authored: Fri Nov 23 16:35:40 2018 -0200
Committer: Thiago H. de Paula Figueiredo <th...@arsmachina.com.br>
Committed: Fri Nov 23 16:35:40 2018 -0200
----------------------------------------------------------------------
.../apache/tapestry5/modules/AssetsModule.java | 30 +++++++++++++++---
.../services/ClasspathAssetProtectionRule.java | 33 ++++++++++++++++++++
.../src/test/app1/AssetProtectionDemo.tml | 3 ++
.../app1/fakeconfiguration.properties | 1 +
.../integration/app1/fakeconfiguration.xml | 1 +
5 files changed, 64 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/tapestry-5/blob/d2d92473/tapestry-core/src/main/java/org/apache/tapestry5/modules/AssetsModule.java
----------------------------------------------------------------------
diff --git a/tapestry-core/src/main/java/org/apache/tapestry5/modules/AssetsModule.java b/tapestry-core/src/main/java/org/apache/tapestry5/modules/AssetsModule.java
index bc306a3..16ab378 100644
--- a/tapestry-core/src/main/java/org/apache/tapestry5/modules/AssetsModule.java
+++ b/tapestry-core/src/main/java/org/apache/tapestry5/modules/AssetsModule.java
@@ -12,6 +12,9 @@
package org.apache.tapestry5.modules;
+import java.util.List;
+import java.util.Map;
+
import org.apache.tapestry5.SymbolConstants;
import org.apache.tapestry5.internal.AssetConstants;
import org.apache.tapestry5.internal.InternalConstants;
@@ -20,6 +23,7 @@ import org.apache.tapestry5.internal.services.assets.*;
import org.apache.tapestry5.internal.services.messages.ClientLocalizationMessageResource;
import org.apache.tapestry5.ioc.*;
import org.apache.tapestry5.ioc.annotations.*;
+import org.apache.tapestry5.ioc.services.ChainBuilder;
import org.apache.tapestry5.ioc.services.FactoryDefaults;
import org.apache.tapestry5.ioc.services.SymbolProvider;
import org.apache.tapestry5.services.*;
@@ -27,8 +31,6 @@ import org.apache.tapestry5.services.assets.*;
import org.apache.tapestry5.services.javascript.JavaScriptStackSource;
import org.apache.tapestry5.services.messages.ComponentMessagesSource;
-import java.util.Map;
-
/**
* @since 5.3
*/
@@ -272,7 +274,8 @@ public class AssetsModule
ClasspathAssetAliasManager classpathAssetAliasManager,
ResourceStreamer streamer,
- AssetSource assetSource)
+ AssetSource assetSource,
+ ClasspathAssetProtectionRule classpathAssetProtectionRule)
{
Map<String, String> mappings = classpathAssetAliasManager.getMappings();
@@ -280,7 +283,7 @@ public class AssetsModule
{
String path = mappings.get(folder);
- configuration.add(folder, new ClasspathAssetRequestHandler(streamer, assetSource, path));
+ configuration.add(folder, new ClasspathAssetRequestHandler(streamer, assetSource, path, classpathAssetProtectionRule));
}
configuration.add(RequestConstants.CONTEXT_FOLDER,
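Review bot: The four-argument `ClasspathAssetRequestHandler` constructor called on the changed line is not among the five files this commit lists, so the place where `block()` is consulted cannot be reviewed from this change. Please confirm that the handler checks the rule before any bytes are streamed and that a blocked request gets the same not-found response as a missing resource. It would also help to add a comment here saying which string the handler passes to the rule (the request-relative path or the resolved classpath path), because the suffix rules depend on it. The loop around this line starts outside the hunk.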
@@ -353,4 +356,23 @@ public class AssetsModule
configuration.add("Asset", assetDispatcher, "before:ComponentEvent");
}
+
+ @Primary
+ public static ClasspathAssetProtectionRule buildClasspathAssetProtectionRule(
+ List<ClasspathAssetProtectionRule> rules, ChainBuilder chainBuilder)
+ {
+ return chainBuilder.build(ClasspathAssetProtectionRule.class, rules);
+ }
+
+ public static void contributeClasspathAssetProtectionRule(
+ OrderedConfiguration<ClasspathAssetProtectionRule> configuration)
+ {
+ ClasspathAssetProtectionRule classFileRule = (s) -> s.toLowerCase().endsWith(".class");
+ configuration.add("ClassFile", classFileRule);
+ ClasspathAssetProtectionRule propertiesFileRule = (s) -> s.toLowerCase().endsWith(".properties");
+ configuration.add("PropertiesFile", propertiesFileRule);
+ ClasspathAssetProtectionRule xmlFileRule = (s) -> s.toLowerCase().endsWith(".xml");
+ configuration.add("XMLFile", xmlFileRule);
+ }
+
}
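Review bot: `s.toLowerCase()` in the three default rules uses the JVM's default locale, so under a Turkish or Azeri default locale an upper-case `I` lowercases to a dotless `ı` and a path ending in `.PROPERTIES` no longer matches `.properties`; use `s.toLowerCase(Locale.ROOT).endsWith(".properties")` (same for `.class` and `.xml`), with `java.util.Locale` imported. The rules are pure suffix checks, so they only hold if the handler passes an already-decoded, normalised path with no trailing separator; that handler is not visible here, so this should be confirmed. A Javadoc on `contributeClasspathAssetProtectionRule` stating that these three are defaults and that every other classpath file type is still served unless the application contributes its own rules would make the denylist nature of the service clear to integrators.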
http://git-wip-us.apache.org/repos/asf/tapestry-5/blob/d2d92473/tapestry-core/src/main/java/org/apache/tapestry5/services/ClasspathAssetProtectionRule.java
----------------------------------------------------------------------
diff --git a/tapestry-core/src/main/java/org/apache/tapestry5/services/ClasspathAssetProtectionRule.java b/tapestry-core/src/main/java/org/apache/tapestry5/services/ClasspathAssetProtectionRule.java
new file mode 100644
index 0000000..6f8af44
--- /dev/null
+++ b/tapestry-core/src/main/java/org/apache/tapestry5/services/ClasspathAssetProtectionRule.java
@@ -0,0 +1,33 @@
+// Copyright 2018 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.apache.tapestry5.services;
+
+import org.apache.tapestry5.ioc.annotations.UsesOrderedConfiguration;
+
+/**
+ * Chain-of-responsibility service which defines rules for blocking access to classpath resources
+ * based on their paths. Access is blocked if any rule says it should be blocked.
+ *
+ * @see ComponentEventRequestHandler
+ */
+@UsesOrderedConfiguration(ClasspathAssetProtectionRule.class)
+public interface ClasspathAssetProtectionRule
+{
+ /**
+ * Tells whether the access to the resource with this path should be blocked or not.
+ * If this rule doesn't concern the given path, it should return false.
+ */
+ public boolean block(String path);
+}
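Review bot: The Javadoc for `block(String path)` does not say what form `path` has, which every contributed rule needs to know in order to match correctly. I would extend it with something like `@param path the classpath resource path as received by the asset request handler; state here whether it is URL-decoded, normalised and whether it starts with a slash` and `@return true if access must be denied`. The class-level `@see ComponentEventRequestHandler` looks unrelated to asset serving and probably should point at the classpath asset request handler instead. The `public` modifier on the interface method is redundant and can be dropped.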
http://git-wip-us.apache.org/repos/asf/tapestry-5/blob/d2d92473/tapestry-core/src/test/app1/AssetProtectionDemo.tml
----------------------------------------------------------------------
diff --git a/tapestry-core/src/test/app1/AssetProtectionDemo.tml b/tapestry-core/src/test/app1/AssetProtectionDemo.tml
index e5e99db..e21bc61 100644
--- a/tapestry-core/src/test/app1/AssetProtectionDemo.tml
+++ b/tapestry-core/src/test/app1/AssetProtectionDemo.tml
@@ -16,6 +16,9 @@
<li><a href="${asset:context:META-INF/unavailable2.txt}">unavailable2.txt</a></li>
<li><a href="${asset:context:AssetProtectionDemo.tml}">tml file</a></li>
<li><a href="${asset:context:music/MusicDetails.tml}">nested tml file</a></li>
+ <li><a href="/assets/app//services/AppModule.class">.class file in the classpath</a></li>
+ <li><a href="${asset:classpath:/org/apache/tapestry5/integration/app1/fakeconfiguration.properties}">.properties file in the classpath</a></li>
+ <li><a href="${asset:classpath:/org/apache/tapestry5/integration/app1/fakeconfiguration.xml}">.xml file in the classpath</a></li>
</ul>
</html>
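Review bot: These three links are added to the demo page, but no test class that follows them and asserts a blocked response appears in this commit's file list, so the new rules may be unverified by the build. If the assertions live elsewhere, fine; otherwise an integration test that requests each link and expects the not-found response is needed. Since the default rules lowercase the path before matching, a fourth link with an upper-case extension would exercise that branch as well. The `.class` link is a hard-coded `/assets/app//services/AppModule.class` URL while the other two use the `asset:classpath:` binding; a short comment in the template explaining why would help the next reader.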
http://git-wip-us.apache.org/repos/asf/tapestry-5/blob/d2d92473/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.properties
----------------------------------------------------------------------
diff --git a/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.properties b/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.properties
new file mode 100644
index 0000000..2568df2
--- /dev/null
+++ b/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.properties
@@ -0,0 +1 @@
+accessible.by.users=false
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/tapestry-5/blob/d2d92473/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.xml
----------------------------------------------------------------------
diff --git a/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.xml b/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.xml
new file mode 100644
index 0000000..709a5aa
--- /dev/null
+++ b/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.xml
@@ -0,0 +1 @@
+<accesible-by-users>false</accesible-by-users>
\ No newline at end of file