TAP5-2601: Add configurable service to block access to classpath assets
thiagohp committed Nov 23, 2018
1 parent a59d627 commit d2d9247358fe5cb35e3fa34db906a49287730e9e
Showing 5 changed files with 64 additions and 4 deletions.
@@ -12,6 +12,9 @@

package org.apache.tapestry5.modules;

import java.util.List;
import java.util.Map;

import org.apache.tapestry5.SymbolConstants;
import org.apache.tapestry5.internal.AssetConstants;
import org.apache.tapestry5.internal.InternalConstants;
@@ -20,15 +23,14 @@
import org.apache.tapestry5.internal.services.messages.ClientLocalizationMessageResource;
import org.apache.tapestry5.ioc.*;
import org.apache.tapestry5.ioc.annotations.*;
import org.apache.tapestry5.ioc.services.ChainBuilder;
import org.apache.tapestry5.ioc.services.FactoryDefaults;
import org.apache.tapestry5.ioc.services.SymbolProvider;
import org.apache.tapestry5.services.*;
import org.apache.tapestry5.services.assets.*;
import org.apache.tapestry5.services.javascript.JavaScriptStackSource;
import org.apache.tapestry5.services.messages.ComponentMessagesSource;

import java.util.Map;

/**
* @since 5.3
*/
@@ -272,15 +274,16 @@ public static void provideBuiltinAssetDispatchers(MappedConfiguration<String, As

ClasspathAssetAliasManager classpathAssetAliasManager,
ResourceStreamer streamer,
AssetSource assetSource)
AssetSource assetSource,
ClasspathAssetProtectionRule classpathAssetProtectionRule)
{
Map<String, String> mappings = classpathAssetAliasManager.getMappings();

for (String folder : mappings.keySet())
{
String path = mappings.get(folder);

configuration.add(folder, new ClasspathAssetRequestHandler(streamer, assetSource, path));
configuration.add(folder, new ClasspathAssetRequestHandler(streamer, assetSource, path, classpathAssetProtectionRule));
}

configuration.add(RequestConstants.CONTEXT_FOLDER,
@@ -353,4 +356,23 @@ public static void setupAssetDispatch(OrderedConfiguration<Dispatcher> configura

configuration.add("Asset", assetDispatcher, "before:ComponentEvent");
}

@Primary
public static ClasspathAssetProtectionRule buildClasspathAssetProtectionRule(
List<ClasspathAssetProtectionRule> rules, ChainBuilder chainBuilder)
{
return chainBuilder.build(ClasspathAssetProtectionRule.class, rules);
}

public static void contributeClasspathAssetProtectionRule(
OrderedConfiguration<ClasspathAssetProtectionRule> configuration)
{
ClasspathAssetProtectionRule classFileRule = (s) -> s.toLowerCase().endsWith(".class");
configuration.add("ClassFile", classFileRule);
ClasspathAssetProtectionRule propertiesFileRule = (s) -> s.toLowerCase().endsWith(".properties");
configuration.add("PropertiesFile", propertiesFileRule);
ClasspathAssetProtectionRule xmlFileRule = (s) -> s.toLowerCase().endsWith(".xml");
configuration.add("XMLFile", xmlFileRule);
}

}
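Review bot: The three default rules in `contributeClasspathAssetProtectionRule` lower-case the path with the no-argument `toLowerCase()`, which uses the JVM's default locale. Under a Turkish or Azeri default locale an upper-case `I` lower-cases to a dotless `ı`, so a path ending in `.PROPERTIES` would not match `.properties` and the rule would return false. Because this is an access-control decision, the match should be locale-independent, e.g. `(s) -> s.toLowerCase(Locale.ROOT).endsWith(".properties")` with `import java.util.Locale;`, and the same for the `.class` and `.xml` rules. The defaults are also a three-extension deny-list, so any other file type on the classpath is still served unless the application contributes more rules; a short Javadoc on the contribute method should say so. `ClasspathAssetRequestHandler` is not shown on this page, so whether the path is decoded and normalized before `block` is called cannot be confirmed from here.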
@@ -0,0 +1,33 @@
// Copyright 2018 The Apache Software Foundation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package org.apache.tapestry5.services;

import org.apache.tapestry5.ioc.annotations.UsesOrderedConfiguration;

/**
* Chain-of-responsibility service which defines rules for blocking access to classpath resources
* based on their paths. Access is blocked if any rule says it should be blocked.
*
* @see ComponentEventRequestHandler
*/
@UsesOrderedConfiguration(ClasspathAssetProtectionRule.class)
public interface ClasspathAssetProtectionRule
{
/**
* Tells whether the access to the resource with this path should be blocked or not.
* If this rule doesn't concern the given path, it should return false.
*/
public boolean block(String path);
}
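Review bot: The Javadoc does not say what form `path` has when `block` is called: whether it is the classpath resource path or the request URL path, whether it carries a leading slash, and whether it has already been decoded and normalized. Rule authors need that to write a match that cannot be sidestepped, so I would add `@param path the path of the requested classpath asset (state the exact form here)` and `@return true if access must be denied`. The `@see ComponentEventRequestHandler` tag looks unrelated to asset protection and is probably a copy-paste leftover. The interface also has no `@since` tag, and the `public` modifier on the method is redundant inside an interface.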
@@ -16,6 +16,9 @@
<li><a href="${asset:context:META-INF/unavailable2.txt}">unavailable2.txt</a></li>
<li><a href="${asset:context:AssetProtectionDemo.tml}">tml file</a></li>
<li><a href="${asset:context:music/MusicDetails.tml}">nested tml file</a></li>
<li><a href="/assets/app//services/AppModule.class">.class file in the classpath</a></li>
<li><a href="${asset:classpath:/org/apache/tapestry5/integration/app1/fakeconfiguration.properties}">.properties file in the classpath</a></li>
<li><a href="${asset:classpath:/org/apache/tapestry5/integration/app1/fakeconfiguration.xml}">.xml file in the classpath</a></li>
</ul>

</html>
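Review bot: The `.class` entry is a hard-coded URL, `/assets/app//services/AppModule.class`, while the two entries below it use `${asset:classpath:...}` bindings. With an empty segment after `app` and no context path, this link may fail to resolve for reasons unrelated to the new protection rule, in which case a test expecting a rejection would still pass if the `ClassFile` rule were removed. If the asset binding cannot be used for a `.class` file, a comment on that line explaining why the URL is written by hand would help; the test that follows these links is not shown on this page. An entry with an upper-case extension would also cover the case-insensitive match that the default rules depend on.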
@@ -0,0 +1 @@
accessible.by.users=false
@@ -0,0 +1 @@
<accesible-by-users>false</accesible-by-users>
