Hi,
I use the code to protect assets, here is the url:

http://example.com/assets
http://example.com/assets/

the first url, following code works, second URL, if it runs in jetty, the
code works, but if it is under tomcat 6, it still lists files under WEB-INF,
any idea? Thanks,






martijn.list wrote:
> 
> Angelo Chen wrote:
>> how to close access to ".class" and ".tml"?
>> 
> 
> 
> This has been posted to the list multiple times so I another time 
> wouldn't hurt ;)
> 
> 
> I use the following code to whitelist some assets. Access to non white 
> listed assets is denied.
> 
> Add to your application module:
> 
> 
> private static final String[] ASSET_WHITE_LIST = {"jpg", "jpeg", "png", 
> "gif", "js", "css", "ico"};
> 
> /*
>   * All the assets that are allowed to be downloaded using the assets 
> service (including files without extension and dirs)
>   */
> private static final Set<String> assetsWhitelist = 
> Collections.synchronizedSet(
>          new HashSet<String>(Arrays.asList(ASSET_WHITE_LIST)));
> 
> public void 
> contributeHttpServletRequestHandler(OrderedConfiguration<HttpServletRequestFilter>
>  
> configuration,
>          @Inject @Value("${access-denied-page}") final String 
> accessDeniedPage)
> {
>      /*
>       * Create a filter that will block access to some assets. The asset 
> service allows access to some assets we do
>       * not want to expose. The asset service will show all files in 
> /assets/ directory and allows you (by default)
>       * to download some files which you do not want to expose.
>       */
>      HttpServletRequestFilter filter = new HttpServletRequestFilter()
>      {
>          public boolean service(HttpServletRequest request, 
> HttpServletResponse response, HttpServletRequestHandler handler)
>          throws IOException
>          {
>              String path = request.getServletPath();
> 
>              if (path.startsWith("/assets") && (!assetsWhitelist.contains(
> 
> StringUtils.lowerCase(FilenameUtils.getExtension(path)))))
>              {
>                  logger.warn("access to asset " + path + " denied");
> 
>                  response.sendRedirect(request.getContextPath() + "/" + 
> accessDeniedPage);
> 
>                  return true;
>              }
> 
>              return handler.service(request, response);
>          }
>      };
> 
>      configuration.add("AssetProtectionFilter", filter , "before:*");
> }
> 
> 
>> 
>> Sergey Didenko wrote:
>>> BTW, it's worth to remind again everyone who is going to publish their
>>> site urls, to close the access to ".class" and ".tml" files .
>>>
>>> On Tue, Sep 8, 2009 at 6:46 PM, Massimo Lusetti <mluse...@gmail.com>
>>> wrote:
>>>> On Tue, Sep 8, 2009 at 5:27 PM, Thiago H. de Paula
>>>> Figueiredo<thiag...@gmail.com> wrote:
>>>>
>>>>> Hi!
>>>>>
>>>>> I guess this was already discussed some time ago, but I couldn't find
>>>>> it. :(
>>>>> Anyway, it's been a long time, so let's get it started again. ;)
>>>>>
>>>>> Tapestry is a wonderful framework, but it isn't the best known one
>>>>> around.
>>>>> Sometimes, managers ask us to provide some projects/sites/success
>>>>> stories/etc using it so they can be more confident about Tapestry.
>>>>> There's a
>>>>> Success Stories page in the wiki
>>>>> (http://wiki.apache.org/tapestry/SuccessStories), but it hasn't had
>>>>> any
>>>>> edit
>>>>> since 2007-10-05.
>>>>>
>>>>> What about sharing your success stories with us, promoting Tapestry
>>>>> (specially T5)? If the project is a public website, please post the
>>>>> URL
>>>>> here. I think we should have a list of Tapestry-powered sites.
>>>>>
>>>>> Thanks in advance.
>>>> It would be great to have that page more up to date but i remember
>>>> Howard asking for "private" user stories and more then one have
>>>> replied him even personally so i guess if that would make sense too to
>>>> have that stories online.
>>>> Do i remember correctly Howard?
>>>>
>>>> --
>>>> Massimo
>>>> http://meridio.blogspot.com
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
>>>> For additional commands, e-mail: users-h...@tapestry.apache.org
>>>>
>>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
>>> For additional commands, e-mail: users-h...@tapestry.apache.org
>>>
>>>
>>>
>> 
> 
> 
> -- 
> Djigzo open source email encryption
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
> For additional commands, e-mail: users-h...@tapestry.apache.org
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Projects-and-sites-powered-by-Tapestry-tp25348447p25730229.html
Sent from the Tapestry - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org

Reply via email to