TAP5-2601: Add configurable service to block access to classpath assets
authorThiago H. de Paula Figueiredo <thiago@arsmachina.com.br>
Fri, 23 Nov 2018 18:35:40 +0000 (16:35 -0200)
committerThiago H. de Paula Figueiredo <thiago@arsmachina.com.br>
Fri, 23 Nov 2018 18:35:40 +0000 (16:35 -0200)
tapestry-core/src/main/java/org/apache/tapestry5/modules/AssetsModule.java
tapestry-core/src/main/java/org/apache/tapestry5/services/ClasspathAssetProtectionRule.java [new file with mode: 0644]
tapestry-core/src/test/app1/AssetProtectionDemo.tml
tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.properties [new file with mode: 0644]
tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.xml [new file with mode: 0644]

index bc306a3..16ab378 100644 (file)
@@ -12,6 +12,9 @@
 
 package org.apache.tapestry5.modules;
 
+import java.util.List;
+import java.util.Map;
+
 import org.apache.tapestry5.SymbolConstants;
 import org.apache.tapestry5.internal.AssetConstants;
 import org.apache.tapestry5.internal.InternalConstants;
@@ -20,6 +23,7 @@ import org.apache.tapestry5.internal.services.assets.*;
 import org.apache.tapestry5.internal.services.messages.ClientLocalizationMessageResource;
 import org.apache.tapestry5.ioc.*;
 import org.apache.tapestry5.ioc.annotations.*;
+import org.apache.tapestry5.ioc.services.ChainBuilder;
 import org.apache.tapestry5.ioc.services.FactoryDefaults;
 import org.apache.tapestry5.ioc.services.SymbolProvider;
 import org.apache.tapestry5.services.*;
@@ -27,8 +31,6 @@ import org.apache.tapestry5.services.assets.*;
 import org.apache.tapestry5.services.javascript.JavaScriptStackSource;
 import org.apache.tapestry5.services.messages.ComponentMessagesSource;
 
-import java.util.Map;
-
 /**
  * @since 5.3
  */
@@ -272,7 +274,8 @@ public class AssetsModule
 
                                                       ClasspathAssetAliasManager classpathAssetAliasManager,
                                                       ResourceStreamer streamer,
-                                                      AssetSource assetSource)
+                                                      AssetSource assetSource,
+                                                      ClasspathAssetProtectionRule classpathAssetProtectionRule)
     {
         Map<String, String> mappings = classpathAssetAliasManager.getMappings();
 
@@ -280,7 +283,7 @@ public class AssetsModule
         {
             String path = mappings.get(folder);
 
-            configuration.add(folder, new ClasspathAssetRequestHandler(streamer, assetSource, path));
+            configuration.add(folder, new ClasspathAssetRequestHandler(streamer, assetSource, path, classpathAssetProtectionRule));
         }
 
         configuration.add(RequestConstants.CONTEXT_FOLDER,
@@ -353,4 +356,23 @@ public class AssetsModule
 
         configuration.add("Asset", assetDispatcher, "before:ComponentEvent");
     }
+    
+    @Primary
+    public static ClasspathAssetProtectionRule buildClasspathAssetProtectionRule(
+            List<ClasspathAssetProtectionRule> rules, ChainBuilder chainBuilder)
+    {
+        return chainBuilder.build(ClasspathAssetProtectionRule.class, rules);
+    }
+    
+    public static void contributeClasspathAssetProtectionRule(
+            OrderedConfiguration<ClasspathAssetProtectionRule> configuration) 
+    {
+        ClasspathAssetProtectionRule classFileRule = (s) -> s.toLowerCase().endsWith(".class");
+        configuration.add("ClassFile", classFileRule);
+        ClasspathAssetProtectionRule propertiesFileRule = (s) -> s.toLowerCase().endsWith(".properties");
+        configuration.add("PropertiesFile", propertiesFileRule);
+        ClasspathAssetProtectionRule xmlFileRule = (s) -> s.toLowerCase().endsWith(".xml");
+        configuration.add("XMLFile", xmlFileRule);
+    }
+    
 }
diff --git a/tapestry-core/src/main/java/org/apache/tapestry5/services/ClasspathAssetProtectionRule.java b/tapestry-core/src/main/java/org/apache/tapestry5/services/ClasspathAssetProtectionRule.java
new file mode 100644 (file)
index 0000000..6f8af44
--- /dev/null
@@ -0,0 +1,33 @@
+// Copyright 2018 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.apache.tapestry5.services;
+
+import org.apache.tapestry5.ioc.annotations.UsesOrderedConfiguration;
+
+/**
+ * Chain-of-responsibility service which defines rules for blocking access to classpath resources 
+ * based on their paths. Access is blocked if any rule says it should be blocked.
+ * 
+ * @see ComponentEventRequestHandler
+ */
+@UsesOrderedConfiguration(ClasspathAssetProtectionRule.class)
+public interface ClasspathAssetProtectionRule
+{
+    /**
+     * Tells whether the access to the resource with this path should be blocked or not.
+     * If this rule doesn't concern the given path, it should return false.
+     */
+    public boolean block(String path);
+}
index e5e99db..e21bc61 100644 (file)
@@ -16,6 +16,9 @@
     <li><a href="${asset:context:META-INF/unavailable2.txt}">unavailable2.txt</a></li>
     <li><a href="${asset:context:AssetProtectionDemo.tml}">tml file</a></li>
     <li><a href="${asset:context:music/MusicDetails.tml}">nested tml file</a></li>
+    <li><a href="/assets/app//services/AppModule.class">.class file in the classpath</a></li>
+    <li><a href="${asset:classpath:/org/apache/tapestry5/integration/app1/fakeconfiguration.properties}">.properties file in the classpath</a></li>
+    <li><a href="${asset:classpath:/org/apache/tapestry5/integration/app1/fakeconfiguration.xml}">.xml file in the classpath</a></li>    
 </ul>
 
 </html>
diff --git a/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.properties b/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.properties
new file mode 100644 (file)
index 0000000..2568df2
--- /dev/null
@@ -0,0 +1 @@
+accessible.by.users=false
\ No newline at end of file
diff --git a/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.xml b/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/fakeconfiguration.xml
new file mode 100644 (file)
index 0000000..709a5aa
--- /dev/null
@@ -0,0 +1 @@
+<accesible-by-users>false</accesible-by-users>
\ No newline at end of file