Posted to dev@tapestry.apache.org by "Jochen Kemnade (JIRA)" <ji...@apache.org> on 2014/05/13 15:23:26 UTC

[jira] [Closed] (TAP5-1005) The asset protection fails for some URLs in Tomcat

     [ https://issues.apache.org/jira/browse/TAP5-1005?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jochen Kemnade closed TAP5-1005.
--------------------------------

    Resolution: Not a Problem

Another year has passed since the last comment. Therefore, we assume this issue has either been resolved in the meantime or it is no longer relevant to you.
If recent versions of Tapestry (i.e. 5.4 betas and 5.3.7) are still affected, please reopen the issue and adjust the "Affected Version/s" property.

> The asset protection fails for some URLs in Tomcat
> --------------------------------------------------
>
>                 Key: TAP5-1005
>                 URL: https://issues.apache.org/jira/browse/TAP5-1005
>             Project: Tapestry 5
>          Issue Type: Bug
>          Components: tapestry-core
>    Affects Versions: 5.1.0.6, 5.1.0.7
>            Reporter: Sebastian Hennebrueder
>              Labels: bulk-close-candidate
>
> A URL like
> /mycontext/assets/de displays a file index on Tomcat 6, whereas /mycontext/assets/de/ denies access correctly.
> In fact, any URL which is not a file and does not end with a / leads to a directory index.
> I fixed this with a BlacklistAuthorizer for my application.
> The URL /mycontext/assets/de leads to an empty 'someResourcePath' variable;
> /mycontext/assets/de/foo leads to de/foo as the variable value. My solution denies access for an empty resource path and in case the last segment has no '.'. I assume that in that case it is not a file like foo.jpg.
> Best Regards
> Sebastian Hennebrueder
> http://www.laliluna.de
> import java.util.Arrays;
> import java.util.Collection;
> import java.util.List;
> import org.apache.tapestry5.services.AssetPathAuthorizer;
> import org.slf4j.Logger;
> import org.slf4j.LoggerFactory;
>
> /**
>  * Deny-first authorizer: order() lists DENY before ALLOW, so accessDenied()
>  * is consulted first and accessAllowed() only admits what survived it.
>  */
> public class BlacklistAuthorizer implements AssetPathAuthorizer {
>     private final Logger logger = LoggerFactory.getLogger(BlacklistAuthorizer.class);
>     // Contributed configuration; kept for symmetry with the other authorizers,
>     // the checks below do not consult it.
>     private final Collection<String> configuration;
>
>     public BlacklistAuthorizer(final Collection<String> configuration) {
>         this.configuration = configuration;
>     }
>
>     public boolean accessAllowed(final String someResourcePath) {
>         // Everything that was not denied above is allowed.
>         return true;
>     }
>
>     public boolean accessDenied(final String someResourcePath) {
>         if (someResourcePath.endsWith("/")) {
>             // explicit directory request
>             logger.debug("Denying access to {}", someResourcePath);
>             return true;
>         }
>         if (someResourcePath.equals("")) {
>             // this is mostly a bug fix for Tomcat for paths without trailing / like /assets/foo
>             logger.debug("Denying access to empty resource path");
>             return true;
>         }
>         int pos = someResourcePath.lastIndexOf('/');
>         if (pos < 0)
>             pos = 0;
>         String ending = someResourcePath.substring(pos);
>         if (ending.indexOf('.') == -1) {
>             // last segment has no extension: not a file like foo.pdf or foo.js, treat it as a directory
>             logger.debug("Denying access to {}", someResourcePath);
>             return true;
>         }
>         return false;
>     }
>
>     public List<Order> order() {
>         return Arrays.asList(Order.DENY, Order.ALLOW);
>     }
> }



--
This message was sent by Atlassian JIRA
(v6.2#6252)
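The check below is an added example, not code from the issue or from Tapestry. It reproduces the reporter's deny rules as a plain static method so it compiles without Tapestry on the classpath, and exercises them against the resource paths the report says the authorizer receives (an empty string for /mycontext/assets/de, "de/foo" for /mycontext/assets/de/foo). The class name AssetDirectoryDenyCheck and the method denies() are hypothetical; the extra rejection of empty, "." and ".." path segments goes beyond the report and is a conservative defense-in-depth choice, not something the issue describes.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not Tapestry's own code): deny-first checks for asset
 * resource paths, built from the rules in TAP5-1005. A caller would wire
 * denies() into AssetPathAuthorizer.accessDenied() and return
 * Arrays.asList(Order.DENY, Order.ALLOW) from order(), as the report does.
 */
public class AssetDirectoryDenyCheck {

    /** Returns true when the request must be refused before any allow rule runs. */
    public static boolean denies(String resourcePath) {
        // Empty path: the directory itself, the case where Tomcat served an index.
        if (resourcePath == null || resourcePath.isEmpty()) {
            return true;
        }
        // Explicit directory request.
        if (resourcePath.endsWith("/")) {
            return true;
        }
        // Assumption beyond the report: never let an empty, "." or ".." segment
        // through ("de//x", "de/./x", "de/../x"); a real asset never needs them.
        for (String segment : resourcePath.split("/", -1)) {
            if (segment.isEmpty() || segment.equals(".") || segment.equals("..")) {
                return true;
            }
        }
        // Reporter's heuristic: the last segment must look like a file, i.e.
        // carry an extension. Caveat: this also blocks legitimate files
        // without an extension, so whitelist those explicitly if you have any.
        String last = resourcePath.substring(resourcePath.lastIndexOf('/') + 1);
        int dot = last.lastIndexOf('.');
        return dot <= 0 || dot == last.length() - 1; // "foo", ".htaccess", "foo."
    }

    public static void main(String[] args) {
        // Constructed inputs: the resource paths from the report plus edge cases.
        Map<String, Boolean> expectedDenied = new LinkedHashMap<>();
        expectedDenied.put("", true);              // /mycontext/assets/de on Tomcat 6
        expectedDenied.put("de/", true);           // /mycontext/assets/de/
        expectedDenied.put("de/foo", true);        // /mycontext/assets/de/foo, no extension
        expectedDenied.put("de/foo.jpg", false);   // a real asset
        expectedDenied.put("de/../foo.jpg", true); // dot segment (assumption)
        expectedDenied.put("de/.htaccess", true);  // dotfile, no real extension
        expectedDenied.put("foo.", true);          // trailing dot, no extension

        for (Map.Entry<String, Boolean> e : expectedDenied.entrySet()) {
            boolean denied = denies(e.getKey());
            if (denied != e.getValue()) {
                throw new AssertionError("unexpected decision for \"" + e.getKey() + "\"");
            }
            System.out.printf("%-16s denied=%b%n", "\"" + e.getKey() + "\"", denied);
        }
    }
}
```

Run it with `javac AssetDirectoryDenyCheck.java && java AssetDirectoryDenyCheck`; the main method throws if any constructed case is decided differently from the table, so it doubles as a regression check when the rules are changed.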