Thanks. In the meantime I found an old posting which basically contains the same solution. I'll add it immediately. However I think that should be addressed by Tapestry in a hotfix release, as every web developer assumes that the files in WEB-INF are safe.
On Sat, Aug 15, 2009 at 1:34 PM, martijn.list<martijn.l...@gmail.com> wrote:
> A follow up:
>
> I forgot to add gif
>
> private static final String[] ASSET_WHITE_LIST = {"jpg", "jpeg", "png",
>     "gif", "js", "css", "ico"};
>
> /*
>  * All the assets that are allowed to be downloaded using the assets service
>  * (including files without extension and dirs)
>  */
> private static final Set<String> assetsWhitelist =
>     Collections.synchronizedSet(
>         new HashSet<String>(Arrays.asList(ASSET_WHITE_LIST)));
>
>
> martijn.list wrote:
>>
>> Markus Joschko wrote:
>>>
>>> So the ResourceDigestGenerator obviously doesn't protect the class or
>>> tml files for me here.
>>> I am currently thinking of taking the web application down as there is
>>> no way of securing passwords in this setting.
>>>
>>> Is there a workaround?
>>>
>>
>> I use a HttpServletRequestFilter to whitelist certain assets. I'm still on
>> 5.0.18 so I do not know whether it works with 5.1:
>>
>> /*
>>  * All the assets that are allowed to be downloaded using the assets
>>  * service (including files without extension and dirs)
>>  */
>> private static final HashSet<String> assetsWhitelist = new
>>     HashSet<String>(Arrays.asList("jpg", "jpeg", "png", "js", "css", "ico"));
>>
>> public void
>> contributeHttpServletRequestHandler(OrderedConfiguration<HttpServletRequestFilter>
>>         configuration,
>>         @Inject @Value("${access-denied-page}") final String
>>         accessDeniedPage)
>> {
>>     /*
>>      * Create a filter that will block access to some assets. The asset
>>      * service allows access to some assets we do
>>      * not want to expose. The asset service will show all files in
>>      * /assets/ directory and allows you (by default)
>>      * to download some files which you do not want to expose.
>>      */
>>     HttpServletRequestFilter filter = new HttpServletRequestFilter()
>>     {
>>         public boolean service(HttpServletRequest request,
>>                 HttpServletResponse response, HttpServletRequestHandler handler)
>>                 throws IOException
>>         {
>>             String path = request.getServletPath();
>>
>>             if (path.startsWith("/assets") && (!assetsWhitelist.contains(
>>                     StringUtils.lowerCase(FilenameUtils.getExtension(path)))))
>>             {
>>                 response.sendRedirect(request.getContextPath() + "/" +
>>                         accessDeniedPage);
>>
>>                 return true;
>>             }
>>
>>             return handler.service(request, response);
>>         }
>>     };
>>
>>     configuration.add("AssetProtectionFilter", filter , "before:*");
>> }
>>
>> Kind regards,
>>
>> Martijn Brinkers
>>
>
>
> --
> Djigzo open source email encryption
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
> For additional commands, e-mail: users-h...@tapestry.apache.org
>
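A stand-alone model of the allow/deny decision made by the AssetProtectionFilter quoted above, added here as an example (it is not code from the thread or from Tapestry). It assumes the extension list from the follow-up mail (gif included) and reproduces commons-io's `FilenameUtils.getExtension` rule that the extension is the text after the last dot in the final path segment, so a defender can check which paths under `/assets` the whitelist lets through before deploying it:

```python
# Model of the extension whitelist used by the AssetProtectionFilter in the
# thread. Added example; it mirrors the Java logic, it is not Tapestry code.

# Same list as the follow-up mail (gif included); compared in lower case.
ASSET_WHITE_LIST = frozenset({"jpg", "jpeg", "png", "gif", "js", "css", "ico"})


def get_extension(path: str) -> str:
    """Mimic commons-io FilenameUtils.getExtension for '/'-separated paths:
    the text after the last '.' in the final segment, '' when there is none
    (assumption: backslash separators are not considered here)."""
    last_sep = path.rfind("/")
    last_dot = path.rfind(".")
    if last_dot == -1 or last_dot < last_sep:
        return ""
    return path[last_dot + 1:]


def asset_request_allowed(servlet_path: str) -> bool:
    """True when the filter would pass the request on to the handler.
    Paths outside /assets are not inspected at all, exactly as in the Java
    filter; under /assets only a whitelisted extension gets through."""
    if not servlet_path.startswith("/assets"):
        return True
    return get_extension(servlet_path).lower() in ASSET_WHITE_LIST


def classify(paths):
    """Return {path: 'allow' | 'deny'} for a batch of servlet paths."""
    return {p: ("allow" if asset_request_allowed(p) else "deny") for p in paths}


if __name__ == "__main__":
    # Constructed sample paths, not taken from any real deployment.
    samples = [
        "/assets/img/logo.PNG",           # allow: extension match is case-insensitive
        "/assets/app/pages/Login.tml",    # deny: template source
        "/assets/app/pages/Login.class",  # deny: compiled class
        "/assets/app/",                   # deny: directory, no extension
        "/assets/config",                 # deny: extensionless file
        "/assets/style.css.bak",          # deny: only the final extension counts
        "/login",                         # allow: not an asset request
    ]
    for path, verdict in classify(samples).items():
        print(f"{verdict:5} {path}")
```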