Posted to dev@tapestry.apache.org by ro...@apache.org on 2009/12/11 00:43:51 UTC
svn commit: r889469 - in /tapestry/tapestry5/branches/5.0/tapestry-core/src:
main/java/org/apache/tapestry5/
main/java/org/apache/tapestry5/internal/services/
main/java/org/apache/tapestry5/services/ test/app1/
test/java/org/apache/tapestry5/integratio...
Author: robertdzeigler
Date: Thu Dec 10 23:43:50 2009
New Revision: 889469
URL: http://svn.apache.org/viewvc?rev=889469&view=rev
Log:
TAP5-815: Asset dispatcher allows any file inside the webapp visible and downloadable
Backport changes from trunk to 5.0: 404 returned instead of 403 for restricted assets; add a new integration test; fix AssetProtectionDispatcher unit test.
Note that opening up context assets is unnecessary for the 5.0 branch because it handles context assets by generating a url for them that is handled by the servlet container, rather than the AssetDispatcher.
Added:
tapestry/tapestry5/branches/5.0/tapestry-core/src/test/app1/AssetProtectionDemo.tml
tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java
tapestry/tapestry5/branches/5.0/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/pages/availablefile.txt
tapestry/tapestry5/branches/5.0/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/pages/unavailablefile.txt
Modified:
tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java
tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java
tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java
tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java
tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java
Modified: tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java?rev=889469&r1=889468&r2=889469&view=diff
==============================================================================
--- tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java (original)
+++ tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/SymbolConstants.java Thu Dec 10 23:43:50 2009
@@ -98,4 +98,5 @@
* Per-page initialization always goes at the bottom.
*/
public static final String SCRIPTS_AT_TOP = "tapestry.script-at-top";
+
}
Modified: tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java?rev=889469&r1=889468&r2=889469&view=diff
==============================================================================
--- tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java (original)
+++ tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java Thu Dec 10 23:43:50 2009
@@ -77,7 +77,7 @@
if (auth.accessDenied(resourcePath))
{
logger.debug("Denying access to " + resourcePath);
- response.sendError(HttpServletResponse.SC_FORBIDDEN,resourcePath);
+ response.sendError(HttpServletResponse.SC_NOT_FOUND,resourcePath);
return true;
}
}
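Review bot: The denied branch still passes `resourcePath` as the `sendError` message, so the response for a restricted asset can differ from the one for a genuinely missing asset and echoes a request-derived path back to the client. If the point of moving from 403 to 404 is to make a restricted file indistinguishable from an absent one, the message should be a constant that matches the normal not-found path, for example `response.sendError(HttpServletResponse.SC_NOT_FOUND, "Not found");`. Whether the container's error page escapes the message is not visible here, which is another reason not to reflect the path. The same value is concatenated into `logger.debug`, so it is worth confirming it is normalized before it is logged. The enclosing method starts and ends outside the hunk.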
Modified: tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java?rev=889469&r1=889468&r2=889469&view=diff
==============================================================================
--- tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java (original)
+++ tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java Thu Dec 10 23:43:50 2009
@@ -2186,11 +2186,10 @@
@Symbol("tapestry.scriptaculous.path") String scriptPath,
@Symbol("tapestry.datepicker.path") String datepickerPath)
{
- //allow any js, jpg, jpeg, png, or css under org/chenillekit/tapstry. The funky bit of ([^/.]+/)* is what allows
+ //allow any js, jpg, jpeg, png, or css under org/apache/tapstry5. The funky bit of ([^/.]+/)* is what allows
//multiple paths, while not allowing any of those paths to contains ./ or ../ thereby preventing paths like:
- //org/chenillekit/tapestry/../../../foo.js
+ //org/apache/tapestry5/../../../foo.js
String pathPattern = "([^/.]+/)*[^/.]+\\.((css)|(js)|(jpg)|(jpeg)|(png)|(gif))$";
- regex.add("^org/chenillekit/tapestry/" + pathPattern);
regex.add("^org/apache/tapestry5/" + pathPattern);
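Review bot: The rewritten comment above `pathPattern` does not match the allowlist it documents: it says `org/apache/tapstry5` (typo) and lists js, jpg, jpeg, png and css, while the pattern also admits `gif`. Because this regex is the default allowlist for classpath assets, I would correct the first line to `//allow any css, js, jpg, jpeg, png, or gif under org/apache/tapestry5.` and add a line saying that `[^/.]+` rejects every directory or file name containing an extra dot, so a name like `foo.min.js` is denied by default. The traversal guarantee described in the comment assumes the regex is applied to the already-decoded resource path, which cannot be confirmed from this hunk and deserves a sentence in the comment. The method starts and ends outside the hunk.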
Added: tapestry/tapestry5/branches/5.0/tapestry-core/src/test/app1/AssetProtectionDemo.tml
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.0/tapestry-core/src/test/app1/AssetProtectionDemo.tml?rev=889469&view=auto
==============================================================================
--- tapestry/tapestry5/branches/5.0/tapestry-core/src/test/app1/AssetProtectionDemo.tml (added)
+++ tapestry/tapestry5/branches/5.0/tapestry-core/src/test/app1/AssetProtectionDemo.tml Thu Dec 10 23:43:50 2009
@@ -0,0 +1,4 @@
+<html t:type="Border" xmlns:t="http://tapestry.apache.org/schema/tapestry_5_1_0.xsd">
+ <a href="${asset:classpath:/org/apache/tapestry5/integration/app1/pages/availablefile.txt}">Available File</a>
+ <a href="${asset:classpath:/org/apache/tapestry5/integration/app1/pages/unavailablefile.txt}">Unavailable File</a>
+</html>
\ No newline at end of file
Modified: tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java?rev=889469&r1=889468&r2=889469&view=diff
==============================================================================
--- tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java (original)
+++ tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java Thu Dec 10 23:43:50 2009
@@ -2513,4 +2513,17 @@
assertTextPresent("Unable to add new method public final java.lang.String getName() as it already exists.");
}
+
+ /** TAP5-815 */
+ @Test
+ public void testAssetProtection() throws InterruptedException
+ {
+ start("Asset Protection Demo");
+ clickAndWait("link=Unavailable File");
+ assertTextPresent("404");
+
+ start("Asset Protection Demo");
+ clickAndWait("link=Available File");
+ assertTextPresent("This file should be available to clients.");
+ }
}
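Review bot: `assertTextPresent("404")` in `testAssetProtection` is a loose check for a security regression test: it passes on any page that happens to contain the digits 404 and never verifies that the protected content was withheld. I would add a negative assertion on the file body after the first click, for example `assertFalse(isTextPresent("This file should not be available to clients."));`, assuming the suite exposes Selenium's `isTextPresent`. The `throws InterruptedException` clause looks unnecessary for the calls shown.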
Added: tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java?rev=889469&view=auto
==============================================================================
--- tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java (added)
+++ tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/AssetProtectionDemo.java Thu Dec 10 23:43:50 2009
@@ -0,0 +1,19 @@
+// Copyright 2009 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.apache.tapestry5.integration.app1.pages;
+
+public class AssetProtectionDemo
+{
+}
Modified: tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java?rev=889469&r1=889468&r2=889469&view=diff
==============================================================================
--- tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java (original)
+++ tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java Thu Dec 10 23:43:50 2009
@@ -314,7 +314,10 @@
"Access to informal parameters names and values"),
new Item("FormFieldOutsideForm", "Form Field Outside Form",
- "Nice exception message for common problem of form fields outside forms")
+ "Nice exception message for common problem of form fields outside forms"),
+
+ new Item("AssetProtectionDemo", "Asset Protection Demo", "AssetProtectionDispatcher is properly contributed and functioning")
+
);
static
Modified: tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java?rev=889469&r1=889468&r2=889469&view=diff
==============================================================================
--- tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java (original)
+++ tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java Thu Dec 10 23:43:50 2009
@@ -239,21 +239,8 @@
configuration.add("ReverseStringsWorker", new ReverseStringsWorker());
}
- public static void contributeRegexAuthorizer(Configuration<String> configuration) {
- //use this rather than a blanket regex (^.*.jpg$, etc.); want to be sure that tests pass from the default
- //configuration setup, (eg: this way, I realized that the "virtual" assets folder
- //needed to be opened up in the tapestry-provided contributions) rather than from some blanket configuration in the appmodule
- //opening up all css, js, etc. files.
- //would contribute to whitelist except that the resource path between ctxt and the rest of the path can change.
- configuration.add("^ctx/[^/]+/css/app\\.css$");
- configuration.add("^ctx/[^/]+/layout/style\\.css$");
- configuration.add("^ctx/[^/]+/layout/images/bg\\.gif$");
- configuration.add("^ctx/[^/]+/layout/images/header\\.gif$");
- configuration.add("^ctx/[^/]+/layout/images/rightsmall\\.gif$");
- configuration.add("^ctx/[^/]+/layout/images/rightbig\\.gif$");
- configuration.add("^ctx/[^/]+/layout/images/bottom\\.gif$");
- configuration.add("^ctx/[^/]+/layout/images/footer\\.gif$");
- configuration.add("^ctx/[^/]+/images/tapestry_banner\\.gif$");
- configuration.add("^ctx/[^/]+/images/asf_logo_wide\\.gif$");
+ public static void contributeWhitelistAuthorizer(Configuration<String> configuration)
+ {
+ configuration.add("org/apache/tapestry5/integration/app1/pages/availablefile.txt");
}
}
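Review bot: `contributeWhitelistAuthorizer` has no comment explaining that `unavailablefile.txt` is left out on purpose, although the new integration test depends on that omission. I would add `// only availablefile.txt is whitelisted; unavailablefile.txt must stay denied for testAssetProtection (TAP5-815)` above the `configuration.add` call. The entry is written without a leading slash, while the dispatcher unit test in this commit uses `/cayenne.xml` as a resource path. The comment should therefore also say which form the whitelist compares against, since that normalization is not visible here.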
Modified: tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java?rev=889469&r1=889468&r2=889469&view=diff
==============================================================================
--- tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java (original)
+++ tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java Thu Dec 10 23:43:50 2009
@@ -75,7 +75,7 @@
Response response = createMock(Response.class);
expect(request.getPath()).andReturn(RequestConstants.ASSET_PATH_PREFIX + "/cayenne.xml");
expect(request.getPath()).andReturn(RequestConstants.ASSET_PATH_PREFIX + "/org/apache/tapestry/default.css");
- response.sendError(HttpServletResponse.SC_FORBIDDEN, "/cayenne.xml");
+ response.sendError(HttpServletResponse.SC_NOT_FOUND, "/cayenne.xml");
ClasspathAssetAliasManager manager = createMock(ClasspathAssetAliasManager.class);
expect(manager.toResourcePath(RequestConstants.ASSET_PATH_PREFIX + "/cayenne.xml")).andReturn("/cayenne.xml");
Added: tapestry/tapestry5/branches/5.0/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/pages/availablefile.txt
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.0/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/pages/availablefile.txt?rev=889469&view=auto
==============================================================================
--- tapestry/tapestry5/branches/5.0/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/pages/availablefile.txt (added)
+++ tapestry/tapestry5/branches/5.0/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/pages/availablefile.txt Thu Dec 10 23:43:50 2009
@@ -0,0 +1 @@
+This file should be available to clients.
\ No newline at end of file
Added: tapestry/tapestry5/branches/5.0/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/pages/unavailablefile.txt
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.0/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/pages/unavailablefile.txt?rev=889469&view=auto
==============================================================================
--- tapestry/tapestry5/branches/5.0/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/pages/unavailablefile.txt (added)
+++ tapestry/tapestry5/branches/5.0/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/pages/unavailablefile.txt Thu Dec 10 23:43:50 2009
@@ -0,0 +1 @@
+This file should not be available to clients.
\ No newline at end of file