You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@tapestry.apache.org by th...@apache.org on 2018/11/23 18:35:51 UTC
tapestry-5 git commit: TAP5-2601: Add configurable service to block access to classpath assets

Repository: tapestry-5
Updated Branches:
  refs/heads/master a59d6271c -> d2d924735


TAP5-2601: Add configurable service to block access to classpath assets

Project: http://git-wip-us.apache.org/repos/asf/tapestry-5/repo
Commit: http://git-wip-us.apache.org/repos/asf/tapestry-5/commit/d2d92473
Tree: http://git-wip-us.apache.org/repos/asf/tapestry-5/tree/d2d92473
Diff: http://git-wip-us.apache.org/repos/asf/tapestry-5/diff/d2d92473

Branch: refs/heads/master
Commit: d2d9247358fe5cb35e3fa34db906a49287730e9e
Parents: a59d627
Author: Thiago H. de Paula Figueiredo <th...@arsmachina.com.br>
Authored: Fri Nov 23 16:35:40 2018 -0200
Committer: Thiago H. de Paula Figueiredo <th...@arsmachina.com.br>
Committed: Fri Nov 23 16:35:40 2018 -0200

----------------------------------------------------------------------
 .../apache/tapestry5/modules/AssetsModule.java  | 30 +++++++++++++++---
 .../services/ClasspathAssetProtectionRule.java  | 33 ++++++++++++++++++++
 .../src/test/app1/AssetProtectionDemo.tml       |  3 ++
 .../app1/fakeconfiguration.properties           |  1 +
 .../integration/app1/fakeconfiguration.xml      |  1 +
 5 files changed, 64 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/tapestry-5/blob/d2d92473/tapestry-core/src/main/java/org/apache/tapestry5/modules/AssetsModule.java
----------------------------------------------------------------------
diff --git a/tapestry-core/src/main/java/org/apache/tapestry5/modules/AssetsModule.java b/tapestry-core/src/main/java/org/apache/tapestry5/modules/AssetsModule.java
index bc306a3..16ab378 100644
--- a/tapestry-core/src/main/java/org/apache/tapestry5/modules/AssetsModule.java
+++ b/tapestry-core/src/main/java/org/apache/tapestry5/modules/AssetsModule.java
@@ -12,6 +12,9 @@
 
 package org.apache.tapestry5.modules;
 
+import java.util.List;
+import java.util.Map;
+
 import org.apache.tapestry5.SymbolConstants;
 import org.apache.tapestry5.internal.AssetConstants;
 import org.apache.tapestry5.internal.InternalConstants;
@@ -20,6 +23,7 @@ import org.apache.tapestry5.internal.services.assets.*;
 import org.apache.tapestry5.internal.services.messages.ClientLocalizationMessageResource;
 import org.apache.tapestry5.ioc.*;
 import org.apache.tapestry5.ioc.annotations.*;
+import org.apache.tapestry5.ioc.services.ChainBuilder;
 import org.apache.tapestry5.ioc.services.FactoryDefaults;
 import org.apache.tapestry5.ioc.services.SymbolProvider;
 import org.apache.tapestry5.services.*;
@@ -27,8 +31,6 @@ import org.apache.tapestry5.services.assets.*;
 import org.apache.tapestry5.services.javascript.JavaScriptStackSource;
 import org.apache.tapestry5.services.messages.ComponentMessagesSource;
 
-import java.util.Map;
-
 /**
  * @since 5.3
  */
@@ -272,7 +274,8 @@ public class AssetsModule
 
                                                       ClasspathAssetAliasManager classpathAssetAliasManager,
                                                       ResourceStreamer streamer,
-                                                      AssetSource assetSource)
+                                                      AssetSource assetSource,
+                                                      ClasspathAssetProtectionRule classpathAssetProtectionRule)
     {
         Map<String, String> mappings = classpathAssetAliasManager.getMappings();
 
@@ -280,7 +283,7 @@ public class AssetsModule
         {
             String path = mappings.get(folder);
 
-            configuration.add(folder, new ClasspathAssetRequestHandler(streamer, assetSource, path));
+            configuration.add(folder, new ClasspathAssetRequestHandler(streamer, assetSource, path, classpathAssetProtectionRule));
         }
 
         configuration.add(RequestConstants.CONTEXT_FOLDER,
@@ -353,4 +356,23 @@ public class AssetsModule
 
         configuration.add("Asset", assetDispatcher, "before:ComponentEvent");
     }
+    
+    @Primary
+    public static ClasspathAssetProtectionRule buildClasspathAssetProtectionRule(
+            List<ClasspathAssetProtectionRule> rules, ChainBuilder chainBuilder)
+    {
+        return chainBuilder.build(ClasspathAssetProtectionRule.class, rules);
+    }
+    
+    public static void contributeClasspathAssetProtectionRule(
+            OrderedConfiguration<ClasspathAssetProtectionRule> configuration) 
+    {
+        ClasspathAssetProtectionRule classFileRule = (s) -> s.toLowerCase().endsWith(".class");
+        configuration.add("ClassFile", classFileRule);
+        ClasspathAssetProtectionRule propertiesFileRule = (s) -> s.toLowerCase().endsWith(".properties");
+        configuration.add("PropertiesFile", propertiesFileRule);
+        ClasspathAssetProtectionRule xmlFileRule = (s) -> s.toLowerCase().endsWith(".xml");
+        configuration.add("XMLFile", xmlFileRule);
+    }
+    
 }

http://git-wip-us.apache.org/repos/asf/tapestry-5/blob/d2d92473/tapestry-core/src/main/java/org/apache/tapestry5/services/ClasspathAssetProtectionRule.java
----------------------------------------------------------------------
diff --git a/tapestry-core/src/main/java/org/apache/tapestry5/services/ClasspathAssetProtectionRule.java b/tapestry-core/src/main/java/org/apache/tapestry5/services/ClasspathAssetProtectionRule.java
new file mode 100644
index 0000000..6f8af44
--- /dev/null
+++ b/tapestry-core/src/main/java/org/apache/tapestry5/services/ClasspathAssetProtectionRule.java
@@ -0,0 +1,33 @@
+// Copyright 2018 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.apache.tapestry5.services;
+
+import org.apache.tapestry5.ioc.annotations.UsesOrderedConfiguration;
+
+/**
+ * Chain-of-responsibility service which defines rules for blocking access to classpath resources 
+ * based on their paths. Access is blocked if any rule says it should be blocked.
+ * 
+ * @see ComponentEventRequestHandler
+ */
+@UsesOrderedConfiguration(ClasspathAssetProtectionRule.class)
+public interface ClasspathAssetProtectionRule
+{
+    /**
+     * Tells whether the access to the resource with this path should be blocked or not.
+     * If this rule doesn't concern the given path, it should return false.
+     */
+    public boolean block(String path);
+}

http://git-wip-us.apache.org/repos/asf/tapestry-5/blob/d2d92473/tapestry-core/src/test/app1/AssetProtectionDemo.tml
----------------------------------------------------------------------
diff --git a/tapestry-core/src/test/app1/AssetProtectionDemo.tml b/tapestry-core/src/test/app1/AssetProtectionDemo.tml
index e5e99db..e21bc61 100644
--- a/tapestry-core/src/test/app1/AssetProtectionDemo.tml
+++ b/tapestry-core/src/test/app1/AssetProtectionDemo.tml
@@ -16,6 +16,9 @@
     <li><a href="${asset:context:META-INF/unavailable2.txt}">unavailable2.txt</a></li>
     <li><a href="${asset:context:AssetProtectionDemo.tml}">tml file</a></li>
     <li><a href="${asset:context:music/MusicDetails.tml}">nested tml file</a></li>
+    <li><a href="/assets/app//services/AppModule.class">.class file in the classpath</a></li>
+    <li><a href="${asset:classpath:/org/apache/tapestry5/integration/app1/fakeconfiguration.properties}">.properties file in the classpath</a></li>
+    <li><a href="${asset:classpath:/org/apache/tapestry5/integration/app1/fakeconfiguration.xml}">.xml file in the classpath</a></li>    
 </ul>
 
 </html>

http://git-wip-us.apache.org/repos/asf/tapestry-5/blob/d2d92473/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.properties
----------------------------------------------------------------------
diff --git a/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.properties b/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.properties
new file mode 100644
index 0000000..2568df2
--- /dev/null
+++ b/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.properties
@@ -0,0 +1 @@
+accessible.by.users=false
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/tapestry-5/blob/d2d92473/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.xml
----------------------------------------------------------------------
diff --git a/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.xml b/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.xml
new file mode 100644
index 0000000..709a5aa
--- /dev/null
+++ b/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.xml
@@ -0,0 +1 @@
+<accesible-by-users>false</accesible-by-users>
\ No newline at end of file