Posted to dev@tapestry.apache.org by ro...@apache.org on 2009/12/09 21:28:14 UTC
svn commit: r888946 - in /tapestry/tapestry5/trunk/tapestry-core/src:
main/java/org/apache/tapestry5/
main/java/org/apache/tapestry5/internal/services/
main/java/org/apache/tapestry5/services/ test/app1/
test/java/org/apache/tapestry5/integration/ test...
Author: robertdzeigler
Date: Wed Dec 9 20:28:13 2009
New Revision: 888946
URL: http://svn.apache.org/viewvc?rev=888946&view=rev
Log:
TAP5-815: Asset dispatcher allows any file inside the webapp visible and downloadable
Return 404 instead of 403 for restricted paths; removes chenillekit contribution; adds default contribution for context assets; adds integration test.
Added:
tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml
tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt
tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java
Modified:
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java
Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java?rev=888946&r1=888945&r2=888946&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java Wed Dec 9 20:28:13 2009
@@ -275,4 +275,13 @@
*/
public static final String BLACKBIRD = "tapestry.blackbird";
+ /**
+ * Whether assets in the web application's context directory are available by default.
+ * If true (the default), tapestry will provide conributions to the appropriate services (RegexAuthorizer) to allow access
+ * to .js, .jpg, .jpeg, .png, .gif, and .css assets that reside within the application context.
+ * If false, no such contributions will be made, and access to those resources will be restricted
+ * without explicit user contributions.
+ */
+ public static final String CONTEXT_ASSETS_AVAILABLE ="tapestry.context-assets-available";
+
}
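Review bot: The Javadoc added for `CONTEXT_ASSETS_AVAILABLE` misspells "contributions" as "conributions" and leaves the denied case vague. It should say what a client receives when the symbol is false and no application contribution matches; going by the AssetProtectionDispatcher change in this same commit, that is a 404. Suggested last sentence: `If false, no such contributions are made and context assets are served only when an application-supplied authorizer contribution permits them; every other request receives a 404.` The declaration also lacks a space after `=`.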
Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java?rev=888946&r1=888945&r2=888946&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java Wed Dec 9 20:28:13 2009
@@ -77,7 +77,7 @@
if (auth.accessDenied(resourcePath))
{
logger.debug("Denying access to " + resourcePath);
- response.sendError(HttpServletResponse.SC_FORBIDDEN,resourcePath);
+ response.sendError(HttpServletResponse.SC_NOT_FOUND, resourcePath);
return true;
}
}
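Review bot: The request-derived `resourcePath` is still passed as the `sendError` message, so it can end up in the container's error page. Whether it is escaped there depends on the servlet container and any custom error page, neither of which is visible in this hunk. Since the switch to 404 is meant to reveal nothing about restricted resources, a fixed message would avoid reflecting input at all, e.g. `response.sendError(HttpServletResponse.SC_NOT_FOUND, "Not Found");`. Denials are also recorded only at debug level, so a production log would probably carry no trace of probing for protected files; a higher level may be worth considering. The enclosing method starts and ends outside the hunk.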
Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java?rev=888946&r1=888945&r2=888946&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java Wed Dec 9 20:28:13 2009
@@ -2113,6 +2113,8 @@
configuration.add(SymbolConstants.ENCODE_LOCALE_INTO_PATH, "true");
configuration.add(SymbolConstants.BLACKBIRD_ENABLED, "false");
+
+ configuration.add(SymbolConstants.CONTEXT_ASSETS_AVAILABLE, "true");
}
@@ -2508,13 +2510,16 @@
public void contributeRegexAuthorizer(Configuration<String> regex,
@Symbol("tapestry.scriptaculous.path") String scriptPath,
@Symbol("tapestry.blackbird.path") String blackbirdPath,
- @Symbol("tapestry.datepicker.path") String datepickerPath)
- {
- //allow any js, jpg, jpeg, png, or css under org/chenillekit/tapstry. The funky bit of ([^/.]+/)* is what allows
+ @Symbol("tapestry.datepicker.path") String datepickerPath,
+ @Symbol(SymbolConstants.CONTEXT_ASSETS_AVAILABLE) boolean contextAvailable,
+ @Symbol(SymbolConstants.APPLICATION_VERSION) String appVersion)
+ {
+ //allow any js, jpg, jpeg, png, or css under org/apache/tapestry5, along with
+ //resources for blackbird, scriptaculous, and the date picker.
+ // The funky bit of ([^/.]+/)* is what allows
//multiple paths, while not allowing any of those paths to contains ./ or ../ thereby preventing paths like:
- //org/chenillekit/tapestry/../../../foo.js
+ //org/apache/tapestry5/../../../foo.js
String pathPattern = "([^/.]+/)*[^/.]+\\.((css)|(js)|(jpg)|(jpeg)|(png)|(gif))$";
- regex.add("^org/chenillekit/tapestry/" + pathPattern);
regex.add("^org/apache/tapestry5/" + pathPattern);
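Review bot: The rewritten comment above `pathPattern` lists js, jpg, jpeg, png and css, but the pattern also admits gif. It also does not say that `[^/.]` rejects every dot outside the extension, not only `./` and `../` segments. With the anchored prefixes, a file named like `lib.min.js` (constructed example) or a directory with a dot in its name is therefore denied, which integrators will hit once context assets go through this authorizer. I would add a line such as `// note: no '.' may appear in any directory name or in the file's base name; only css, js, jpg, jpeg, png and gif are permitted`. The method body continues outside this hunk.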
@@ -2523,6 +2528,10 @@
regex.add(scriptPath + "/" + pathPattern);
//allow access to virtual assets. Critical for tapestry-combined js files.
regex.add("virtual/" + pathPattern);
+
+ if (contextAvailable) {
+ regex.add(RequestConstants.CONTEXT_FOLDER + appVersion + "/" + pathPattern);
+ }
}
}
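Review bot: The new context entry builds a regex from `appVersion` with neither quoting nor a leading `^`: `regex.add(RequestConstants.CONTEXT_FOLDER + appVersion + "/" + pathPattern);`. A version string normally contains dots, which match any character here, and other metacharacters in a configured version would change or break the pattern. If RegexAuthorizer matches with find semantics (not visible in this diff), the missing anchor would also let the prefix match in the middle of a path. I would write `regex.add("^" + Pattern.quote(RequestConstants.CONTEXT_FOLDER + appVersion + "/") + pathPattern);`, which needs `java.util.regex.Pattern` imported if the file does not already have it. The `scriptPath` and `virtual/` entries above are unanchored in the same way, though they are context lines rather than new code.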
Added: tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml?rev=888946&view=auto
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml (added)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml Wed Dec 9 20:28:13 2009
@@ -0,0 +1,4 @@
+<html t:type="Border" xmlns:t="http://tapestry.apache.org/schema/tapestry_5_1_0.xsd">
+ <a href="${asset:context:availablefile.txt}">Available File</a>
+ <a href="${asset:context:unavailablefile.txt}">Unavailable File</a>
+</html>
\ No newline at end of file
Added: tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt?rev=888946&view=auto
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt (added)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt Wed Dec 9 20:28:13 2009
@@ -0,0 +1 @@
+This file should be available to clients.
\ No newline at end of file
Added: tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt?rev=888946&view=auto
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt (added)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt Wed Dec 9 20:28:13 2009
@@ -0,0 +1 @@
+This file should not be available to clients.
\ No newline at end of file
Modified: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java?rev=888946&r1=888945&r2=888946&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java Wed Dec 9 20:28:13 2009
@@ -3225,4 +3225,17 @@
assertTextPresent("Car Model: E-Class");
}
+
+ /** TAP5-815 */
+ @Test
+ public void testAssetProtection()
+ {
+ start("Asset Protection Demo");
+ clickAndWait("link=Unavailable File");
+ assertTextPresent("404");
+
+ start("Asset Protection Demo");
+ clickAndWait("link=Available File");
+ assertTextPresent("This file should be available to clients.");
+ }
}
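Review bot: `assertTextPresent("404")` passes on any page that happens to contain those three characters, so it does not really pin the denial. The negative case would be stronger if it also asserted that the protected content is absent, for example `assertFalse(isTextPresent("This file should not be available to clients."));`, assuming the suite exposes Selenium's `isTextPresent`. The test also never requests a context asset that the new default regex should allow (a css or image file), and never runs with `tapestry.context-assets-available` set to false. Both the default-allow path and the opt-out path added in TapestryModule are therefore untested.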
Added: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java?rev=888946&view=auto
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java (added)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java Wed Dec 9 20:28:13 2009
@@ -0,0 +1,19 @@
+// Copyright 2009 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.apache.tapestry5.integration.app1.pages;
+
+public class AssetProtectionDemo
+{
+}
Modified: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java?rev=888946&r1=888945&r2=888946&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java Wed Dec 9 20:28:13 2009
@@ -391,7 +391,9 @@
new Item("ImageSubmitDemo", "Submit with an Image Demo", "Make sure that submit with the image parameter set triggers the 'selected' event."),
- new Item("SelectZoneDemo", "Select Zone Demo", "Use a Select component to update a zone.")
+ new Item("SelectZoneDemo", "Select Zone Demo", "Use a Select component to update a zone."),
+
+ new Item("AssetProtectionDemo", "Asset Protection Demo", "AssetProtectionDispatcher is properly contributed and functioning")
);
Modified: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java?rev=888946&r1=888945&r2=888946&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java Wed Dec 9 20:28:13 2009
@@ -23,6 +23,7 @@
import org.apache.tapestry5.ioc.MappedConfiguration;
import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.ioc.annotations.Marker;
+import org.apache.tapestry5.ioc.annotations.Symbol;
import org.apache.tapestry5.ioc.internal.util.CollectionFactory;
import org.apache.tapestry5.services.*;
import org.apache.tapestry5.test.JettyRunner;
@@ -258,21 +259,9 @@
configuration.add("ReverseStringsWorker", new ReverseStringsWorker());
}
- public static void contributeRegexAuthorizer(Configuration<String> configuration) {
- //use this rather than a blanket regex (^.*.jpg$, etc.); want to be sure that tests pass from the default
- //configuration setup, (eg: this way, I realized that the "virtual" assets folder
- //needed to be opened up in the tapestry-provided contributions) rather than from some blanket configuration in the appmodule
- //opening up all css, js, etc. files.
- //would contribute to whitelist except that the resource path between ctxt and the rest of the path can change.
- configuration.add("^ctx/[^/]+/css/app\\.css$");
- configuration.add("^ctx/[^/]+/layout/style\\.css$");
- configuration.add("^ctx/[^/]+/layout/images/bg\\.gif$");
- configuration.add("^ctx/[^/]+/layout/images/header\\.gif$");
- configuration.add("^ctx/[^/]+/layout/images/rightsmall\\.gif$");
- configuration.add("^ctx/[^/]+/layout/images/rightbig\\.gif$");
- configuration.add("^ctx/[^/]+/layout/images/bottom\\.gif$");
- configuration.add("^ctx/[^/]+/layout/images/footer\\.gif$");
- configuration.add("^ctx/[^/]+/images/tapestry_banner\\.gif$");
- configuration.add("^ctx/[^/]+/images/asf_logo_wide\\.gif$");
+ public static void contributeWhitelistAuthorizer(
+ Configuration<String> configuration,
+ @Symbol(SymbolConstants.APPLICATION_VERSION) String appVersion) {
+ configuration.add("ctx/" + appVersion + "/availablefile.txt");
}
}
Re: svn commit: r888946 - in /tapestry/tapestry5/trunk/tapestry-core/src: main/java/org/apache/tapestry5/ main/java/org/apache/tapestry5/internal/services/ main/java/org/apache/tapestry5/services/ test/app1/ test/java/org/apache/tapestry5/integration/ test...
Posted by Robert Zeigler <ro...@scazdl.org>.
Good catch. I'll fix it.
Robert
On Dec 10, 2009, at 12/101:53 AM , Ulrich Stärk wrote:
> +1
>
> That's a good compromise.
>
> Code format is not consistent though; in some places opening
> brackets are not on a new line in others they are.
>
> Uli
>
> On 09.12.2009 21:28 schrieb robertdzeigler@apache.org:
>> Author: robertdzeigler
>> Date: Wed Dec 9 20:28:13 2009
>> New Revision: 888946
>>
>> URL: http://svn.apache.org/viewvc?rev=888946&view=rev
>> Log:
>> TAP5-815: Asset dispatcher allows any file inside the webapp
>> visible and downloadable
>> Return 404 instead of 403 for restricted paths; removes chenillekit
>> contribution; adds default contribution for context assets; adds
>> integration test.
>>
>> Added:
>> tapestry/tapestry5/trunk/tapestry-core/src/test/app1/
>> AssetProtectionDemo.tml
>> tapestry/tapestry5/trunk/tapestry-core/src/test/app1/
>> availablefile.txt
>> tapestry/tapestry5/trunk/tapestry-core/src/test/app1/
>> unavailablefile.txt
>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/
>> tapestry5/integration/app1/pages/AssetProtectionDemo.java
>> Modified:
>> tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/
>> tapestry5/SymbolConstants.java
>> tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/
>> tapestry5/internal/services/AssetProtectionDispatcher.java
>> tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/
>> tapestry5/services/TapestryModule.java
>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/
>> tapestry5/integration/IntegrationTests.java
>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/
>> tapestry5/integration/app1/pages/Index.java
>> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/
>> tapestry5/integration/app1/services/AppModule.java
>>
>> Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/
>> apache/tapestry5/SymbolConstants.java
>> URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java?rev=888946&r1=888945&r2=888946&view=diff
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =====================================================================
>> --- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/
>> tapestry5/SymbolConstants.java (original)
>> +++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/
>> tapestry5/SymbolConstants.java Wed Dec 9 20:28:13 2009
>> @@ -275,4 +275,13 @@
>> */
>> public static final String BLACKBIRD = "tapestry.blackbird";
>>
>> + /**
>> + * Whether assets in the web application's context directory
>> are available by default.
>> + * If true (the default), tapestry will provide conributions
>> to the appropriate services (RegexAuthorizer) to allow access
>> + * to .js, .jpg, .jpeg, .png, .gif, and .css assets that
>> reside within the application context.
>> + * If false, no such contributions will be made, and access to
>> those resources will be restricted
>> + * without explicit user contributions.
>> + */
>> + public static final String CONTEXT_ASSETS_AVAILABLE
>> ="tapestry.context-assets-available";
>> +
>> }
>>
>> Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/
>> apache/tapestry5/internal/services/AssetProtectionDispatcher.java
>> URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java?rev=888946&r1=888945&r2=888946&view=diff
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =====================================================================
>> --- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/
>> tapestry5/internal/services/AssetProtectionDispatcher.java (original)
>> +++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/
>> tapestry5/internal/services/AssetProtectionDispatcher.java Wed Dec
>> 9 20:28:13 2009
>> @@ -77,7 +77,7 @@
>> if (auth.accessDenied(resourcePath))
>> {
>> logger.debug("Denying access to " +
>> resourcePath);
>> -
>> response.sendError(HttpServletResponse.SC_FORBIDDEN,resourcePath);
>> +
>> response.sendError(HttpServletResponse.SC_NOT_FOUND, resourcePath);
>> return true;
>> }
>> }
>>
>> Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/
>> apache/tapestry5/services/TapestryModule.java
>> URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java?rev=888946&r1=888945&r2=888946&view=diff
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =====================================================================
>> --- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/
>> tapestry5/services/TapestryModule.java (original)
>> +++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/
>> tapestry5/services/TapestryModule.java Wed Dec 9 20:28:13 2009
>> @@ -2113,6 +2113,8 @@
>> configuration.add(SymbolConstants.ENCODE_LOCALE_INTO_PATH,
>> "true");
>>
>> configuration.add(SymbolConstants.BLACKBIRD_ENABLED,
>> "false");
>> +
>> +
>> configuration.add(SymbolConstants.CONTEXT_ASSETS_AVAILABLE, "true");
>> }
>>
>>
>> @@ -2508,13 +2510,16 @@
>> public void contributeRegexAuthorizer(Configuration<String>
>> regex,
>> @Symbol("tapestry.scriptaculous.path") String
>> scriptPath,
>> @Symbol("tapestry.blackbird.path") String
>> blackbirdPath,
>> - @Symbol("tapestry.datepicker.path") String
>> datepickerPath)
>> - {
>> - //allow any js, jpg, jpeg, png, or css under org/
>> chenillekit/tapstry. The funky bit of ([^/.]+/)* is what allows
>> + @Symbol("tapestry.datepicker.path") String
>> datepickerPath,
>> + @Symbol(SymbolConstants.CONTEXT_ASSETS_AVAILABLE)
>> boolean contextAvailable,
>> + @Symbol(SymbolConstants.APPLICATION_VERSION)
>> String appVersion)
>> + {
>> + //allow any js, jpg, jpeg, png, or css under org/apache/
>> tapestry5, along with
>> + //resources for blackbird, scriptaculous, and the date
>> picker.
>> + // The funky bit of ([^/.]+/)* is what allows
>> //multiple paths, while not allowing any of those paths to
>> contains ./ or ../ thereby preventing paths like:
>> - //org/chenillekit/tapestry/../../../foo.js
>> + //org/apache/tapestry5/../../../foo.js
>> String pathPattern = "([^/.]+/)*[^/.]+\\.((css)|(js)|(jpg)|
>> (jpeg)|(png)|(gif))$";
>> - regex.add("^org/chenillekit/tapestry/" + pathPattern);
>>
>> regex.add("^org/apache/tapestry5/" + pathPattern);
>>
>> @@ -2523,6 +2528,10 @@
>> regex.add(scriptPath + "/" + pathPattern);
>> //allow access to virtual assets. Critical for tapestry-
>> combined js files.
>> regex.add("virtual/" + pathPattern);
>> +
>> + if (contextAvailable) {
>> + regex.add(RequestConstants.CONTEXT_FOLDER + appVersion
>> + "/" + pathPattern);
>> + }
>> }
>>
>> }
>>
>> Added: tapestry/tapestry5/trunk/tapestry-core/src/test/app1/
>> AssetProtectionDemo.tml
>> URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml?rev=888946&view=auto
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =====================================================================
>> --- tapestry/tapestry5/trunk/tapestry-core/src/test/app1/
>> AssetProtectionDemo.tml (added)
>> +++ tapestry/tapestry5/trunk/tapestry-core/src/test/app1/
>> AssetProtectionDemo.tml Wed Dec 9 20:28:13 2009
>> @@ -0,0 +1,4 @@
>> +<html t:type="Border" xmlns:t="http://tapestry.apache.org/schema/tapestry_5_1_0.xsd
>> ">
>> +<a href="${asset:context:availablefile.txt}">Available File</a>
>> +<a href="${asset:context:unavailablefile.txt}">Unavailable File</a>
>> +</html>
>> \ No newline at end of file
>>
>> Added: tapestry/tapestry5/trunk/tapestry-core/src/test/app1/
>> availablefile.txt
>> URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt?rev=888946&view=auto
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =====================================================================
>> --- tapestry/tapestry5/trunk/tapestry-core/src/test/app1/
>> availablefile.txt (added)
>> +++ tapestry/tapestry5/trunk/tapestry-core/src/test/app1/
>> availablefile.txt Wed Dec 9 20:28:13 2009
>> @@ -0,0 +1 @@
>> +This file should be available to clients.
>> \ No newline at end of file
>>
>> Added: tapestry/tapestry5/trunk/tapestry-core/src/test/app1/
>> unavailablefile.txt
>> URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt?rev=888946&view=auto
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =====================================================================
>> --- tapestry/tapestry5/trunk/tapestry-core/src/test/app1/
>> unavailablefile.txt (added)
>> +++ tapestry/tapestry5/trunk/tapestry-core/src/test/app1/
>> unavailablefile.txt Wed Dec 9 20:28:13 2009
>> @@ -0,0 +1 @@
>> +This file should not be available to clients.
>> \ No newline at end of file
>>
>> Modified: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/
>> apache/tapestry5/integration/IntegrationTests.java
>> URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java?rev=888946&r1=888945&r2=888946&view=diff
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =====================================================================
>> --- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/
>> tapestry5/integration/IntegrationTests.java (original)
>> +++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/
>> tapestry5/integration/IntegrationTests.java Wed Dec 9 20:28:13 2009
>> @@ -3225,4 +3225,17 @@
>>
>> assertTextPresent("Car Model: E-Class");
>> }
>> +
>> + /** TAP5-815 */
>> + @Test
>> + public void testAssetProtection()
>> + {
>> + start("Asset Protection Demo");
>> + clickAndWait("link=Unavailable File");
>> + assertTextPresent("404");
>> +
>> + start("Asset Protection Demo");
>> + clickAndWait("link=Available File");
>> + assertTextPresent("This file should be available to
>> clients.");
>> + }
>> }
>>
>> Added: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/
>> apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java
>> URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java?rev=888946&view=auto
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =====================================================================
>> --- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/
>> tapestry5/integration/app1/pages/AssetProtectionDemo.java (added)
>> +++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/
>> tapestry5/integration/app1/pages/AssetProtectionDemo.java Wed Dec
>> 9 20:28:13 2009
>> @@ -0,0 +1,19 @@
>> +// Copyright 2009 The Apache Software Foundation
>> +//
>> +// Licensed under the Apache License, Version 2.0 (the "License");
>> +// you may not use this file except in compliance with the License.
>> +// You may obtain a copy of the License at
>> +//
>> +// http://www.apache.org/licenses/LICENSE-2.0
>> +//
>> +// Unless required by applicable law or agreed to in writing,
>> software
>> +// distributed under the License is distributed on an "AS IS" BASIS,
>> +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
>> implied.
>> +// See the License for the specific language governing permissions
>> and
>> +// limitations under the License.
>> +
>> +package org.apache.tapestry5.integration.app1.pages;
>> +
>> +public class AssetProtectionDemo
>> +{
>> +}
>>
>> Modified: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/
>> apache/tapestry5/integration/app1/pages/Index.java
>> URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java?rev=888946&r1=888945&r2=888946&view=diff
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =====================================================================
>> --- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/
>> tapestry5/integration/app1/pages/Index.java (original)
>> +++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/
>> tapestry5/integration/app1/pages/Index.java Wed Dec 9 20:28:13 2009
>> @@ -391,7 +391,9 @@
>>
>> new Item("ImageSubmitDemo", "Submit with an Image
>> Demo", "Make sure that submit with the image parameter set triggers
>> the 'selected' event."),
>>
>> - new Item("SelectZoneDemo", "Select Zone Demo", "Use a
>> Select component to update a zone.")
>> + new Item("SelectZoneDemo", "Select Zone Demo", "Use a
>> Select component to update a zone."),
>> +
>> + new Item("AssetProtectionDemo", "Asset Protection
>> Demo", "AssetProtectionDispatcher is properly contributed and
>> functioning")
>>
>> );
>>
>>
>> Modified: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/
>> apache/tapestry5/integration/app1/services/AppModule.java
>> URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java?rev=888946&r1=888945&r2=888946&view=diff
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =
>> =====================================================================
>> --- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/
>> tapestry5/integration/app1/services/AppModule.java (original)
>> +++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/
>> tapestry5/integration/app1/services/AppModule.java Wed Dec 9
>> 20:28:13 2009
>> @@ -23,6 +23,7 @@
>> import org.apache.tapestry5.ioc.MappedConfiguration;
>> import org.apache.tapestry5.ioc.OrderedConfiguration;
>> import org.apache.tapestry5.ioc.annotations.Marker;
>> +import org.apache.tapestry5.ioc.annotations.Symbol;
>> import org.apache.tapestry5.ioc.internal.util.CollectionFactory;
>> import org.apache.tapestry5.services.*;
>> import org.apache.tapestry5.test.JettyRunner;
>> @@ -258,21 +259,9 @@
>> configuration.add("ReverseStringsWorker", new
>> ReverseStringsWorker());
>> }
>>
>> - public static void
>> contributeRegexAuthorizer(Configuration<String> configuration) {
>> - //use this rather than a blanket regex (^.*.jpg$, etc.);
>> want to be sure that tests pass from the default
>> - //configuration setup, (eg: this way, I realized that the
>> "virtual" assets folder
>> - //needed to be opened up in the tapestry-provided
>> contributions) rather than from some blanket configuration in the
>> appmodule
>> - //opening up all css, js, etc. files.
>> - //would contribute to whitelist except that the resource
>> path between ctxt and the rest of the path can change.
>> - configuration.add("^ctx/[^/]+/css/app\\.css$");
>> - configuration.add("^ctx/[^/]+/layout/style\\.css$");
>> - configuration.add("^ctx/[^/]+/layout/images/bg\\.gif$");
>> - configuration.add("^ctx/[^/]+/layout/images/header\\.gif$");
>> - configuration.add("^ctx/[^/]+/layout/images/rightsmall\
>> \.gif$");
>> - configuration.add("^ctx/[^/]+/layout/images/rightbig\\.gif
>> $");
>> - configuration.add("^ctx/[^/]+/layout/images/bottom\\.gif$");
>> - configuration.add("^ctx/[^/]+/layout/images/footer\\.gif$");
>> - configuration.add("^ctx/[^/]+/images/tapestry_banner\\.gif
>> $");
>> - configuration.add("^ctx/[^/]+/images/asf_logo_wide\\.gif$");
>> + public static void contributeWhitelistAuthorizer(
>> + Configuration<String> configuration,
>> + @Symbol(SymbolConstants.APPLICATION_VERSION) String
>> appVersion) {
>> + configuration.add("ctx/" + appVersion + "/
>> availablefile.txt");
>> }
>> }
>>
>>
>
Re: svn commit: r888946 - in /tapestry/tapestry5/trunk/tapestry-core/src:
main/java/org/apache/tapestry5/ main/java/org/apache/tapestry5/internal/services/
main/java/org/apache/tapestry5/services/ test/app1/ test/java/org/apache/tapestry5/integration/
test...
Posted by Ulrich Stärk <ul...@spielviel.de>.
+1
That's a good compromise.
Code format is not consistent though; in some places opening brackets are not on a new line in
others they are.
Uli
On 09.12.2009 21:28 schrieb robertdzeigler@apache.org:
> Author: robertdzeigler
> Date: Wed Dec 9 20:28:13 2009
> New Revision: 888946
>
> URL: http://svn.apache.org/viewvc?rev=888946&view=rev
> Log:
> TAP5-815: Asset dispatcher allows any file inside the webapp visible and downloadable
> Return 404 instead of 403 for restricted paths; removes chenillekit contribution; adds default contribution for context assets; adds integration test.
>
> Added:
> tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml
> tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt
> tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt
> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java
> Modified:
> tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java
> tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java
> tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java
> tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java
>
> Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java
> URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java?rev=888946&r1=888945&r2=888946&view=diff
> ==============================================================================
> --- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java (original)
> +++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java Wed Dec 9 20:28:13 2009
> @@ -275,4 +275,13 @@
> */
> public static final String BLACKBIRD = "tapestry.blackbird";
>
> + /**
> + * Whether assets in the web application's context directory are available by default.
> + * If true (the default), tapestry will provide conributions to the appropriate services (RegexAuthorizer) to allow access
> + * to .js, .jpg, .jpeg, .png, .gif, and .css assets that reside within the application context.
> + * If false, no such contributions will be made, and access to those resources will be restricted
> + * without explicit user contributions.
> + */
> + public static final String CONTEXT_ASSETS_AVAILABLE ="tapestry.context-assets-available";
> +
> }
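Review bot: The Javadoc for `CONTEXT_ASSETS_AVAILABLE` misspells "contributions" as "conributions" and does not say where the allowance applies. The TapestryModule change in this commit builds the pattern from `RequestConstants.CONTEXT_FOLDER + appVersion + "/"`, so the doc could add a sentence such as `Only paths below the versioned context folder are covered; other file types still need an explicit contribution.` The declaration is also missing a space after `=`: `public static final String CONTEXT_ASSETS_AVAILABLE = "tapestry.context-assets-available";`.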
>
> Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java
> URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java?rev=888946&r1=888945&r2=888946&view=diff
> ==============================================================================
> --- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java (original)
> +++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java Wed Dec 9 20:28:13 2009
> @@ -77,7 +77,7 @@
> if (auth.accessDenied(resourcePath))
> {
> logger.debug("Denying access to " + resourcePath);
> - response.sendError(HttpServletResponse.SC_FORBIDDEN,resourcePath);
> + response.sendError(HttpServletResponse.SC_NOT_FOUND, resourcePath);
> return true;
> }
> }
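Review bot: The denied branch still passes the request-derived `resourcePath` as the message of `sendError`, so the text of the error page depends on what the client asked for. If the intent of switching to 404 is that a denial should look like a missing asset, that only holds when the real not-found path produces the same status and body; how missing assets are reported is not visible in this hunk and is worth confirming. A fixed message avoids both the mismatch and reflecting request text into the error page, e.g. `response.sendError(HttpServletResponse.SC_NOT_FOUND, "Not found");`, with the path kept in the debug log only. The enclosing method starts and ends outside the hunk.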
>
> Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
> URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java?rev=888946&r1=888945&r2=888946&view=diff
> ==============================================================================
> --- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java (original)
> +++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java Wed Dec 9 20:28:13 2009
> @@ -2113,6 +2113,8 @@
> configuration.add(SymbolConstants.ENCODE_LOCALE_INTO_PATH, "true");
>
> configuration.add(SymbolConstants.BLACKBIRD_ENABLED, "false");
> +
> + configuration.add(SymbolConstants.CONTEXT_ASSETS_AVAILABLE, "true");
> }
>
>
> @@ -2508,13 +2510,16 @@
> public void contributeRegexAuthorizer(Configuration<String> regex,
> @Symbol("tapestry.scriptaculous.path") String scriptPath,
> @Symbol("tapestry.blackbird.path") String blackbirdPath,
> - @Symbol("tapestry.datepicker.path") String datepickerPath)
> - {
> - //allow any js, jpg, jpeg, png, or css under org/chenillekit/tapstry. The funky bit of ([^/.]+/)* is what allows
> + @Symbol("tapestry.datepicker.path") String datepickerPath,
> + @Symbol(SymbolConstants.CONTEXT_ASSETS_AVAILABLE) boolean contextAvailable,
> + @Symbol(SymbolConstants.APPLICATION_VERSION) String appVersion)
> + {
> + //allow any js, jpg, jpeg, png, or css under org/apache/tapestry5, along with
> + //resources for blackbird, scriptaculous, and the date picker.
> + // The funky bit of ([^/.]+/)* is what allows
> //multiple paths, while not allowing any of those paths to contains ./ or ../ thereby preventing paths like:
> - //org/chenillekit/tapestry/../../../foo.js
> + //org/apache/tapestry5/../../../foo.js
> String pathPattern = "([^/.]+/)*[^/.]+\\.((css)|(js)|(jpg)|(jpeg)|(png)|(gif))$";
> - regex.add("^org/chenillekit/tapestry/" + pathPattern);
>
> regex.add("^org/apache/tapestry5/" + pathPattern);
>
> @@ -2523,6 +2528,10 @@
> regex.add(scriptPath + "/" + pathPattern);
> //allow access to virtual assets. Critical for tapestry-combined js files.
> regex.add("virtual/" + pathPattern);
> +
> + if (contextAvailable) {
> + regex.add(RequestConstants.CONTEXT_FOLDER + appVersion + "/" + pathPattern);
> + }
> }
>
> }
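Review bot: `appVersion` is concatenated into the regex unescaped in the new `regex.add(...)` line, so the dots of a typical version string match any character and any other regex metacharacter in the symbol value changes what the pattern permits. The entry is also not anchored with `^`, unlike the `^org/apache/tapestry5/` entry in the previous hunk and the `^ctx/...` entries this commit removes from the test AppModule. Whether the missing anchor matters depends on how RegexAuthorizer applies its patterns, which is not visible here. Suggested: `regex.add("^" + RequestConstants.CONTEXT_FOLDER + Pattern.quote(appVersion) + "/" + pathPattern);` (needs `java.util.regex.Pattern` in scope). The method starts in the previous hunk.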
>
> Added: tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml
> URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml?rev=888946&view=auto
> ==============================================================================
> --- tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml (added)
> +++ tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml Wed Dec 9 20:28:13 2009
> @@ -0,0 +1,4 @@
> +<html t:type="Border" xmlns:t="http://tapestry.apache.org/schema/tapestry_5_1_0.xsd">
> +<a href="${asset:context:availablefile.txt}">Available File</a>
> +<a href="${asset:context:unavailablefile.txt}">Unavailable File</a>
> +</html>
> \ No newline at end of file
>
> Added: tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt
> URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt?rev=888946&view=auto
> ==============================================================================
> --- tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt (added)
> +++ tapestry/tapestry5/trunk/tapestry-core/src/test/app1/availablefile.txt Wed Dec 9 20:28:13 2009
> @@ -0,0 +1 @@
> +This file should be available to clients.
> \ No newline at end of file
>
> Added: tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt
> URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt?rev=888946&view=auto
> ==============================================================================
> --- tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt (added)
> +++ tapestry/tapestry5/trunk/tapestry-core/src/test/app1/unavailablefile.txt Wed Dec 9 20:28:13 2009
> @@ -0,0 +1 @@
> +This file should not be available to clients.
> \ No newline at end of file
>
> Modified: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
> URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java?rev=888946&r1=888945&r2=888946&view=diff
> ==============================================================================
> --- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java (original)
> +++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java Wed Dec 9 20:28:13 2009
> @@ -3225,4 +3225,17 @@
>
> assertTextPresent("Car Model: E-Class");
> }
> +
> + /** TAP5-815 */
> + @Test
> + public void testAssetProtection()
> + {
> + start("Asset Protection Demo");
> + clickAndWait("link=Unavailable File");
> + assertTextPresent("404");
> +
> + start("Asset Protection Demo");
> + clickAndWait("link=Available File");
> + assertTextPresent("This file should be available to clients.");
> + }
> }
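Review bot: The negative case in `testAssetProtection` only asserts that the text "404" appears, which any page containing those characters would satisfy, and it never checks that the protected content is absent. Assuming the suite exposes Selenium's `isTextPresent`, adding `assertFalse(isTextPresent("This file should not be available to clients."));` after the first `clickAndWait` would pin the behaviour that matters. Both files are `.txt`, so the test covers the whitelist contribution but not the new `CONTEXT_ASSETS_AVAILABLE` regex contribution; a case for an allowed and a disallowed extension under the context folder would close that gap.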
>
> Added: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java
> URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java?rev=888946&view=auto
> ==============================================================================
> --- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java (added)
> +++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java Wed Dec 9 20:28:13 2009
> @@ -0,0 +1,19 @@
> +// Copyright 2009 The Apache Software Foundation
> +//
> +// Licensed under the Apache License, Version 2.0 (the "License");
> +// you may not use this file except in compliance with the License.
> +// You may obtain a copy of the License at
> +//
> +// http://www.apache.org/licenses/LICENSE-2.0
> +//
> +// Unless required by applicable law or agreed to in writing, software
> +// distributed under the License is distributed on an "AS IS" BASIS,
> +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> +// See the License for the specific language governing permissions and
> +// limitations under the License.
> +
> +package org.apache.tapestry5.integration.app1.pages;
> +
> +public class AssetProtectionDemo
> +{
> +}
>
> Modified: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java
> URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java?rev=888946&r1=888945&r2=888946&view=diff
> ==============================================================================
> --- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java (original)
> +++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java Wed Dec 9 20:28:13 2009
> @@ -391,7 +391,9 @@
>
> new Item("ImageSubmitDemo", "Submit with an Image Demo", "Make sure that submit with the image parameter set triggers the 'selected' event."),
>
> - new Item("SelectZoneDemo", "Select Zone Demo", "Use a Select component to update a zone.")
> + new Item("SelectZoneDemo", "Select Zone Demo", "Use a Select component to update a zone."),
> +
> + new Item("AssetProtectionDemo", "Asset Protection Demo", "AssetProtectionDispatcher is properly contributed and functioning")
>
> );
>
>
> Modified: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java
> URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java?rev=888946&r1=888945&r2=888946&view=diff
> ==============================================================================
> --- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java (original)
> +++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java Wed Dec 9 20:28:13 2009
> @@ -23,6 +23,7 @@
> import org.apache.tapestry5.ioc.MappedConfiguration;
> import org.apache.tapestry5.ioc.OrderedConfiguration;
> import org.apache.tapestry5.ioc.annotations.Marker;
> +import org.apache.tapestry5.ioc.annotations.Symbol;
> import org.apache.tapestry5.ioc.internal.util.CollectionFactory;
> import org.apache.tapestry5.services.*;
> import org.apache.tapestry5.test.JettyRunner;
> @@ -258,21 +259,9 @@
> configuration.add("ReverseStringsWorker", new ReverseStringsWorker());
> }
>
> - public static void contributeRegexAuthorizer(Configuration<String> configuration) {
> - //use this rather than a blanket regex (^.*.jpg$, etc.); want to be sure that tests pass from the default
> - //configuration setup, (eg: this way, I realized that the "virtual" assets folder
> - //needed to be opened up in the tapestry-provided contributions) rather than from some blanket configuration in the appmodule
> - //opening up all css, js, etc. files.
> - //would contribute to whitelist except that the resource path between ctxt and the rest of the path can change.
> - configuration.add("^ctx/[^/]+/css/app\\.css$");
> - configuration.add("^ctx/[^/]+/layout/style\\.css$");
> - configuration.add("^ctx/[^/]+/layout/images/bg\\.gif$");
> - configuration.add("^ctx/[^/]+/layout/images/header\\.gif$");
> - configuration.add("^ctx/[^/]+/layout/images/rightsmall\\.gif$");
> - configuration.add("^ctx/[^/]+/layout/images/rightbig\\.gif$");
> - configuration.add("^ctx/[^/]+/layout/images/bottom\\.gif$");
> - configuration.add("^ctx/[^/]+/layout/images/footer\\.gif$");
> - configuration.add("^ctx/[^/]+/images/tapestry_banner\\.gif$");
> - configuration.add("^ctx/[^/]+/images/asf_logo_wide\\.gif$");
> + public static void contributeWhitelistAuthorizer(
> + Configuration<String> configuration,
> + @Symbol(SymbolConstants.APPLICATION_VERSION) String appVersion) {
> + configuration.add("ctx/" + appVersion + "/availablefile.txt");
> }
> }
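Review bot: The new `contributeWhitelistAuthorizer` has no comment, while the method it replaces explained why explicit entries were used instead of a blanket rule. A short comment would keep that reasoning for the next reader, e.g. `// .txt is not covered by the default context-asset regex, so whitelist the one file the asset protection test expects to be served`. It would also help to note that the removed css and gif entries are now expected to be covered by the default context contribution in TapestryModule.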
>
>