tapestry-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From drobia...@apache.org
Subject svn commit: r894853 - /tapestry/tapestry5/trunk/src/site/apt/guide/assets.apt
Date Thu, 31 Dec 2009 14:42:15 GMT
Author: drobiazko
Date: Thu Dec 31 14:42:15 2009
New Revision: 894853

URL: http://svn.apache.org/viewvc?rev=894853&view=rev
Log:
TAP5-963: Allow access to static resources (css, js, jpg, jpeg, png, gif) inside the app package

Modified:
    tapestry/tapestry5/trunk/src/site/apt/guide/assets.apt

Modified: tapestry/tapestry5/trunk/src/site/apt/guide/assets.apt
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/src/site/apt/guide/assets.apt?rev=894853&r1=894852&r2=894853&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/src/site/apt/guide/assets.apt (original)
+++ tapestry/tapestry5/trunk/src/site/apt/guide/assets.apt Thu Dec 31 14:42:15 2009
@@ -142,26 +142,117 @@
 
   Securing assets is an important consideration for any web application.  Many assets, such
as hibernate configuration
   files, sit in the classpath and are exposable via the Asset service, which is not desirable.
 To protect these and
-  other sensitive assets, Tapestry provides the AssetProtectionDispatcher.  This dispatcher
sits in front of the
-  AssetDispatcher, the service responsible for streaming assets to the client, and watches
for Asset requests.
+  other sensitive assets, Tapestry provides the {{{../apidocs/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.html}AssetProtectionDispatcher}}.

+  This dispatcher sits in front of the AssetDispatcher, the service responsible for streaming
assets to the client, and watches for Asset requests.
   When an asset request comes in, the protection dispatcher checks for authorization to view
the file against a
-  contributed list of AssetPathAuthorizer implementations.  Determination of whether the
client can view the requested
-  resource is then made based on whether any of the contributed AssetPathAuthorizer implementations
explicitly allowed
-  or denied access to the resource.
+  contributed list of {{{../apidocs/org/apache/tapestry5/services/AssetPathAuthorizer.html}AssetPathAuthorizer}}
implementations.  
+  Determination of whether the client can view the requested resource is then made based
on whether any of the contributed 
+  AssetPathAuthorizer implementations explicitly allowed or denied access to the resource.
 
-  Tapestry provides two AssetPathAuthorizer implemenations "out of the box" to which users
may contribute: RegexAuthorizer
-  and WhitelistAuthorizer.  RegexAuthorizer uses regular expressions to determine assets
which are viewable by the
+  Tapestry provides two AssetPathAuthorizer implemenations "out of the box" to which users
may contribute: 
+  {{{../apidocs/org/apache/tapestry5/internal/services/RegexAuthorizer.html}RegexAuthorizer}}
+  and {{{../apidocs/org/apache/tapestry5/internal/services/WhitelistAuthorizer.html}WhitelistAuthorizer}}.
 
+  RegexAuthorizer uses regular expressions to determine assets which are viewable by the
   client; any assets that match one of its (contributed) regular expressions are authorized.
Anything not matched is
   passed through to the WhitelistAuthorizer.  WhitelistAuthorizer uses an exact-matching
whitelist.  Anything matching
   exactly one its contributions is allowed; all other asset requests are denied.  The default
tapestry configuration
   contributes nothing to WhitelistAuthorizer (access will be denied to all asset requests
passed through to it), and
   explicitly allows access to css, jpg, jpeg, js, png, and gif files associated with tapestry
(tapestry.js, blackbird
   files, date picker files, etc.).  The default contribution also enables access to the css,
jpg, jpeg, js, png, and gif
-  files provided by the popular chenille-kit 3rd party library. The default configuration
denies access to all other
+  files inside any subpackage of the configured app package. The default configuration denies
access to all other
   assets.  To enable access to your application's assets, either contribute a custom AssetPathAnalyzer,
or contribute
   appropriate regular expression or exact path contributions to RegexAuthorizer or WhitelistAuthorizer,
respectively.
-  See TapestryModule.contribteRegexAuthorizer for examples.
+  See TapestryModule.contribteRegexAuthorizer for examples. 
   
+  Imagine you wish to allow access to resources outside the app package. Let 'org.example'
be your app package and 'org.resources' the package 
+  where your assets are located. To allow access to the 'styles.css' file inside 'org.resources'
package you need to contribute to WhitelistAuthorizer.
+  
++----+
+    public class AppModule
+    {        
+        public void contributeWhitelistAuthorizer(final Configuration<String> configuration)

+        {
+            configuration.add("org/resources/styles.css");
+        }
+    }
++---+  
+
+  If you wish to allow access to several resources then a contribution to RegexAuthorizer
is a better alternative.
+
++----+
+    public class AppModule
+    {        
+        public void contributeRegexAuthorizer(final Configuration<String> configuration)

+        {
+        	String pattern = "([^/.]+/)*[^/.]+\\.((css)|(js)|(jpg)|(jpeg)|(png)|(gif))$";
+        	
+        	configuration.add("^org/resources/" + pattern);
+        }
+    }
++---+ 
+
+  And finally if you wish to blacklist a path that is allowed by Tapestry you should write
your own AssetPathAuthorizer. 
+  The following one denies access to all configured paths. Note that 
+  {{{../apidocs/org/apache/tapestry5/services/AssetPathAuthorizer.html#order()}AssetPathAuthorizer.html#order()}}
+  defines the order in which methods {{{../apidocs/org/apache/tapestry5/services/AssetPathAuthorizer.html#accessAllowed(java.lang.String)}AssetPathAuthorizer.html#accessAllowed}}

+  and {{{../apidocs/org/apache/tapestry5/services/AssetPathAuthorizer.html#accessDenied(java.lang.String)}AssetPathAuthorizer.html#accessDenied}}
are invoked. 
+  In this example the method 'AssetPathAuthorizer#accessDenied' is invoked first. If the
current path is to be blacklisted 'AssetPathAuthorizer#accessDenied' returns the value 'true'
and 
+  'AssetPathAuthorizer#accessAllowed' is not invoked. That's why 'AssetPathAuthorizer#accessAllowed'
returns true.
+  
++----+
+    public class BlacklistAuthorizer implements AssetPathAuthorizer 
+    {
+
+        private final Collection<String> configuration;
+
+        public DenyAssetPathAuthorizer(final Collection<String> configuration) 
+        {
+            this.configuration = configuration;
+        }
+
+        public boolean accessAllowed(final String someResourcePath) 
+        {
+            return true;
+        }
+
+        public boolean accessDenied(final String someResourcePath) 
+        {
+            return this.configuration.contains(someResourcePath);
+        }
+
+        public List<Order> order() 
+        {
+            return Arrays.asList(Order.DENY, Order.ALLOW);
+        }
+    }
++---+  
+
+  Then contribute the BlacklistAuthorizer and place it before all other AssetPathAuthorizer.
+
++----+
+    public class AppModule
+    {
+
+        public static void bind(final ServiceBinder binder) 
+        {
+            binder.bind(AssetPathAuthorizer.class, BlacklistAuthorizer.class).withId("BlacklistAuthorizer");
+        }
+        
+        public void contributeBlacklistAuthorizer(final Configuration<String> configuration)

+        {
+            configuration.add("org/example/pages/secret.jpg");
+        }
+        
+        public static void contributeAssetProtectionDispatcher(
+                OrderedConfiguration<AssetPathAuthorizer> configuration,
+        	
+                @InjectService("BlacklistAuthorizer") AssetPathAuthorizer blacklist)
+        {
+                configuration.add("blacklist",blacklist,"before:*");
+        }
+    }
++---+  
+
 
 Performance Notes
 



Mime
View raw message