A follow-up:

I forgot to add gif

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

private static final String[] ASSET_WHITE_LIST = {"jpg", "jpeg", "png", "gif", "js", "css", "ico"};

/*
 * All the assets that are allowed to be downloaded using the assets service (including files without extension and dirs)
 */
private static final Set<String> assetsWhitelist = Collections.synchronizedSet(
        new HashSet<String>(Arrays.asList(ASSET_WHITE_LIST)));


martijn.list wrote:
Markus Joschko wrote:
So the ResourceDigestGenerator obviously doesn't protect the class or
tml files for me here.
I am currently thinking of taking the webapplication down as there is
no way of securing passwords in this setting.

Is there a workaround?


I use a HttpServletRequestFilter to whitelist certain assets. I'm still on 5.0.18 so I do not know whether it works with 5.1:

// Imports needed by the snippet below (it lives in the application's Tapestry module class).
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.io.FilenameUtils;   // commons-io
import org.apache.commons.lang.StringUtils;    // commons-lang
import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.ioc.annotations.Inject;
import org.apache.tapestry5.ioc.annotations.Value;
import org.apache.tapestry5.services.HttpServletRequestFilter;
import org.apache.tapestry5.services.HttpServletRequestHandler;

/*
 * All the assets that are allowed to be downloaded using the assets service (including files without extension and dirs)
 */
private static final HashSet<String> assetsWhitelist =
        new HashSet<String>(Arrays.asList("jpg", "jpeg", "png", "js", "css", "ico"));

public void contributeHttpServletRequestHandler(OrderedConfiguration<HttpServletRequestFilter> configuration,
        @Inject @Value("${access-denied-page}") final String accessDeniedPage)
{
    /*
     * Create a filter that will block access to some assets. The asset service allows access to some assets we do
     * not want to expose. The asset service will show all files in /assets/ directory and allows you (by default)
     * to download some files which you do not want to expose.
     */
    HttpServletRequestFilter filter = new HttpServletRequestFilter()
    {
        public boolean service(HttpServletRequest request, HttpServletResponse response,
                HttpServletRequestHandler handler) throws IOException
        {
            String path = request.getServletPath();

            // Deny anything under /assets whose (lower-cased) extension is not on the whitelist;
            // a path with no extension or a trailing slash yields "" and is therefore denied too.
            if (path.startsWith("/assets")
                    && !assetsWhitelist.contains(StringUtils.lowerCase(FilenameUtils.getExtension(path))))
            {
                response.sendRedirect(request.getContextPath() + "/" + accessDeniedPage);

                return true;
            }

            return handler.service(request, response);
        }
    };

    configuration.add("AssetProtectionFilter", filter, "before:*");
}

Kind regards,

Martijn Brinkers



--
Djigzo open source email encryption

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org
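The allow-list decision from the filter in this thread, pulled out into a pure method and exercised against the cases that matter for the .class/.tml exposure Markus describes: an allowed image in either case, a template, a compiled class, a file without an extension and a directory path. This is an added example, not code from the thread or from Tapestry; the class name AssetAllowList and its method names are assumptions, and it deliberately has no servlet or Tapestry dependency so it compiles and runs on its own (extensionOf mimics what FilenameUtils.getExtension does on a path).

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Added example (not from the mailing-list post): the asset allow-list check
 * as a pure, container-free method so it can be unit-tested. Class and method
 * names are assumptions, not Tapestry API.
 */
public final class AssetAllowList {

    /** Same extensions as the post, with "gif" added as in the follow-up. */
    private static final Set<String> ALLOWED_EXTENSIONS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("jpg", "jpeg", "png", "gif", "js", "css", "ico")));

    private AssetAllowList() {}

    /**
     * Returns true if a request for servletPath may be handed on to the asset
     * service. The check is default-deny: under /assets, anything that does not
     * end in an allowed extension is refused, which covers files without an
     * extension, directory paths (trailing slash) and source-like files such as
     * .class and .tml. Paths outside /assets are not this filter's concern.
     */
    public static boolean isAllowed(String servletPath) {
        if (servletPath == null) {
            return false;
        }
        if (!servletPath.equals("/assets") && !servletPath.startsWith("/assets/")) {
            return true; // not an asset request; later handlers decide
        }
        String extension = extensionOf(servletPath);
        return ALLOWED_EXTENSIONS.contains(extension.toLowerCase(Locale.ROOT));
    }

    /** Extension of the last path segment, or "" when there is none. */
    static String extensionOf(String path) {
        int lastSlash = path.lastIndexOf('/');
        String name = path.substring(lastSlash + 1);   // "" for a trailing slash
        int dot = name.lastIndexOf('.');
        return dot < 0 ? "" : name.substring(dot + 1);
    }

    public static void main(String[] args) {
        // Constructed sample paths, one per case the filter has to get right.
        String[] probes = {
            "/assets/app/logo.png",           // ALLOW: whitelisted image
            "/assets/app/logo.PNG",           // ALLOW: extension compared case-insensitively
            "/assets/app/pages/Index.tml",    // DENY : template source
            "/assets/app/pages/Index.class",  // DENY : compiled class
            "/assets/app/README",             // DENY : no extension
            "/assets/app/",                   // DENY : directory path
            "/index",                         // ALLOW: not an asset request at all
        };
        for (String p : probes) {
            System.out.println((isAllowed(p) ? "ALLOW " : "DENY  ") + p);
        }
    }
}
```

In the real filter the method would be called with request.getServletPath() and a denial turned into the redirect shown in the thread; keeping the decision separate from the servlet plumbing is what makes it cheap to add a case here whenever a new file type turns up under /assets.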
