Hi Martijn,

Thanks for sharing, I tried the exact code, here is the problem:

http://example.com/assets/

under tomcat, this still shows everything under WEB-INF, but it works under jetty, any idea?

martijn.list wrote:
>
> A solution to this problem has been posted multiple times. It has even
> been posted in this thread but I'll post it again
>
> I use the following code to whitelist some assets. Access to non white
> listed assets is denied.
>
> Add to your application module:
>
> private static final String[] ASSET_WHITE_LIST = {"jpg", "jpeg", "png",
>         "gif", "js", "css", "ico"};
>
> /*
>  * All the assets that are allowed to be downloaded using the assets
>  * service (including files without extension and dirs)
>  */
> private static final Set<String> assetsWhitelist =
>         Collections.synchronizedSet(
>                 new HashSet<String>(Arrays.asList(ASSET_WHITE_LIST)));
>
> public void contributeHttpServletRequestHandler(
>         OrderedConfiguration<HttpServletRequestFilter> configuration,
>         @Inject @Value("${access-denied-page}") final String accessDeniedPage)
> {
>     /*
>      * Create a filter that will block access to some assets. The asset
>      * service allows access to some assets we do not want to expose. The
>      * asset service will show all files in /assets/ directory and allows
>      * you (by default) to download some files which you do not want to
>      * expose.
>      */
>     HttpServletRequestFilter filter = new HttpServletRequestFilter()
>     {
>         public boolean service(HttpServletRequest request,
>                 HttpServletResponse response, HttpServletRequestHandler handler)
>                 throws IOException
>         {
>             String path = request.getServletPath();
>
>             if (path.startsWith("/assets") && (!assetsWhitelist.contains(
>                     StringUtils.lowerCase(FilenameUtils.getExtension(path)))))
>             {
>                 logger.warn("access to asset " + path + " denied");
>
>                 response.sendRedirect(request.getContextPath() + "/" +
>                         accessDeniedPage);
>
>                 return true;
>             }
>
>             return handler.service(request, response);
>         }
>     };
>
>     configuration.add("AssetProtectionFilter", filter, "before:*");
> }
>
>
> Angelo Chen wrote:
>> Hi,
>> I use the code to protect assets, here is the url:
>>
>> http://example.com/assets
>> http://example.com/assets/
>>
>> the first url, following code works, second URL, if it runs in jetty, the
>> code works, but if it is under tomcat 6, it still lists files under
>> WEB-INF,
>> any idea? Thanks,
>>
>> martijn.list wrote:
>>> Angelo Chen wrote:
>>>> how to close access to ".class" and ".tml"?
>>>>
>>>
>>> This has been posted to the list multiple times so another time
>>> wouldn't hurt ;)
>>>
>>> I use the following code to whitelist some assets. Access to non white
>>> listed assets is denied.
>>>
>>> Add to your application module:
>>>
>>> private static final String[] ASSET_WHITE_LIST = {"jpg", "jpeg", "png",
>>>         "gif", "js", "css", "ico"};
>>>
>>> /*
>>>  * All the assets that are allowed to be downloaded using the assets
>>>  * service (including files without extension and dirs)
>>>  */
>>> private static final Set<String> assetsWhitelist =
>>>         Collections.synchronizedSet(
>>>                 new HashSet<String>(Arrays.asList(ASSET_WHITE_LIST)));
>>>
>>> public void contributeHttpServletRequestHandler(
>>>         OrderedConfiguration<HttpServletRequestFilter> configuration,
>>>         @Inject @Value("${access-denied-page}") final String accessDeniedPage)
>>> {
>>>     /*
>>>      * Create a filter that will block access to some assets. The asset
>>>      * service allows access to some assets we do not want to expose. The
>>>      * asset service will show all files in /assets/ directory and allows
>>>      * you (by default) to download some files which you do not want to
>>>      * expose.
>>>      */
>>>     HttpServletRequestFilter filter = new HttpServletRequestFilter()
>>>     {
>>>         public boolean service(HttpServletRequest request,
>>>                 HttpServletResponse response, HttpServletRequestHandler handler)
>>>                 throws IOException
>>>         {
>>>             String path = request.getServletPath();
>>>
>>>             if (path.startsWith("/assets") && (!assetsWhitelist.contains(
>>>                     StringUtils.lowerCase(FilenameUtils.getExtension(path)))))
>>>             {
>>>                 logger.warn("access to asset " + path + " denied");
>>>
>>>                 response.sendRedirect(request.getContextPath() + "/" +
>>>                         accessDeniedPage);
>>>
>>>                 return true;
>>>             }
>>>
>>>             return handler.service(request, response);
>>>         }
>>>     };
>>>
>>>     configuration.add("AssetProtectionFilter", filter, "before:*");
>>> }
>>>
>>>
>>>> Sergey Didenko wrote:
>>>>> BTW, it's worth to remind again everyone who is going to publish their
>>>>> site urls, to close the access to ".class" and ".tml" files.
>>>>>
>>>>> On Tue, Sep 8, 2009 at 6:46 PM, Massimo Lusetti <mluse...@gmail.com> wrote:
>>>>>> On Tue, Sep 8, 2009 at 5:27 PM, Thiago H. de Paula Figueiredo <thiag...@gmail.com> wrote:
>>>>>>
>>>>>>> Hi!
>>>>>>>
>>>>>>> I guess this was already discussed some time ago, but I couldn't find
>>>>>>> it. :(
>>>>>>> Anyway, it's been a long time, so let's get it started again. ;)
>>>>>>>
>>>>>>> Tapestry is a wonderful framework, but it isn't the best known one
>>>>>>> around.
>>>>>>> Sometimes, managers ask us to provide some projects/sites/success
>>>>>>> stories/etc using it so they can be more confident about Tapestry.
>>>>>>> There's a Success Stories page in the wiki
>>>>>>> (http://wiki.apache.org/tapestry/SuccessStories), but it hasn't had
>>>>>>> any edit since 2007-10-05.
>>>>>>>
>>>>>>> What about sharing your success stories with us, promoting Tapestry
>>>>>>> (specially T5)? If the project is a public website, please post the
>>>>>>> URL here. I think we should have a list of Tapestry-powered sites.
>>>>>>>
>>>>>>> Thanks in advance.
>>>>>> It would be great to have that page more up to date but I remember
>>>>>> Howard asking for "private" user stories and more than one have
>>>>>> replied him even personally so I guess if that would make sense too
>>>>>> to have that stories online.
>>>>>> Do I remember correctly Howard?
>>>>>>
>>>>>> --
>>>>>> Massimo
>>>>>> http://meridio.blogspot.com
>>>>>>
>>>
>>> --
>>> Djigzo open source email encryption
>>>
>
> --
> Djigzo open source email encryption
>

--
View this message in context: http://www.nabble.com/Projects-and-sites-powered-by-Tapestry-tp25348447p25732434.html
Sent from the Tapestry - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org
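A container-independent version of the whitelist filter discussed in this thread, added here as an example; it is not code from the thread or from Tapestry itself. It keeps the thread's extension whitelist and filter id, assumes Tapestry 5's HttpServletRequestFilter contract as used above, and the module class name AppModule is hypothetical. Instead of trusting getServletPath(), it decides on the raw request URI minus the context path, decoded once, so a trailing-slash, dot-segment or WEB-INF request is denied regardless of how the container splits servlet path and path info.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.services.HttpServletRequestFilter;
import org.apache.tapestry5.services.HttpServletRequestHandler;

public class AppModule { // hypothetical module class name
    private static final Set<String> ASSET_WHITELIST = new HashSet<String>(
            Arrays.asList("jpg", "jpeg", "png", "gif", "js", "css", "ico"));
    /* True when the request must be blocked. Decides on the decoded, lower-cased path below the
     * context root, whatever the container put in getServletPath(). Under /assets only a file with
     * a whitelisted extension passes; directories, dot-segments, empty segments, WEB-INF and META-INF fail. */
    static boolean mustDeny(String rawPath) {
        int semi = rawPath.indexOf(';'); // ignore ;jsessionid=... style path parameters
        String path;
        try { path = URLDecoder.decode(semi < 0 ? rawPath : rawPath.substring(0, semi), "UTF-8"); }
        catch (Exception e) { return true; } // malformed escape sequence: deny
        path = path.replace('\\', '/').toLowerCase();
        if (!path.startsWith("/assets")) return false; // not an asset request: leave it alone
        if (!path.startsWith("/assets/") || path.endsWith("/")) return true;
        String[] segments = path.substring(1).split("/", -1);
        for (String seg : segments)
            if (seg.length() == 0 || seg.equals(".") || seg.equals("..")
                    || seg.equals("web-inf") || seg.equals("meta-inf")) return true;
        String name = segments[segments.length - 1];
        int dot = name.lastIndexOf('.');
        if (dot <= 0 || dot == name.length() - 1) return true; // no extension, dotfile, trailing dot
        return !ASSET_WHITELIST.contains(name.substring(dot + 1));
    }
    public void contributeHttpServletRequestHandler(
            OrderedConfiguration<HttpServletRequestFilter> configuration) {
        HttpServletRequestFilter filter = new HttpServletRequestFilter() {
            public boolean service(HttpServletRequest request, HttpServletResponse response,
                                   HttpServletRequestHandler handler) throws IOException {
                String path = request.getRequestURI().substring(request.getContextPath().length());
                if (mustDeny(path)) {
                    response.sendError(HttpServletResponse.SC_NOT_FOUND); // 404, not a redirect
                    return true; // handled here, never reaches the asset dispatcher
                }
                return handler.service(request, response);
            }
        };
        configuration.add("AssetProtectionFilter", filter, "before:*");
    }
}
```

With this logic /assets and /assets/ are both denied, /assets/app/Index.class and /assets/app/Index.tml are denied by the whitelist, and an encoded dot-segment such as %2e%2e is caught because the path is decoded before the segments are inspected.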