Nabble - Tapestry - Dev

[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

2009-11-11T01:42:39Z

[ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12776391#action_12776391 ]

J le Roux commented on TAP5-815:
--------------------------------

I can confirm that it works with 5.0.19-SNAPSHOT (svn version 834439, https://svn.apache.org/repos/asf/tapestry/tapestry5/branches/5.0).

Thanks!

> Asset dispatcher allows any file inside the webapp visible and downloadable
> ---------------------------------------------------------------------------
>
> Key: TAP5-815
> URL: https://issues.apache.org/jira/browse/TAP5-815
> Project: Tapestry 5
> Issue Type: Bug
> Affects Versions: 5.1.0.5
> Reporter: Thiago H. de Paula Figueiredo
> Assignee: Robert Zeigler
> Priority: Blocker
>
> Take any asset and you have an URL like domain.com/assets/ctx/f10407a6c1753e39/css/main.css. If you request domain.com/assets/ctx/f10407a6c1753e39/, a list containing all the files inside the webapp root is shown. It gives you the hint at downloading any file you want, including anyting inside WEB-INF and assets that should be protected by ResourceDigestGenerator.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Re: svn commit: r834151 - in /tapestry/tapestry5/trunk: src/site/apt/guide/ tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ tapestry-core/src/main/java/org/apache/tapestry5/services/ tapestry-core/src/test/java/org/apache/tapestry

2009-11-10T11:51:02Z

In this case it's about requests to
http://my.site/somecontext/assets/ctx/something/WEB-INF/ and similar.
since accessing those via the asset dispatcher is forbidden, regardless
whether the request is for an existing asset or not, I guess returning
403 is ok.

Uli

Andreas Andreou schrieb:

> ok, well, all i'm saying is it should return 404 in all those cases
>
> Last time i checked that's what jetty/tomcat are doing for requests such as
> http://my.site/WEB-INF/ (but i'm not sure if that's in the servlet
> specs or not)
>
> On Tue, Nov 10, 2009 at 8:03 PM, Ulrich Stärk <uli@...> wrote:
>> That's because the AssetProtectionDispatcher doesn't know whether the
>> resource actually exists. It just checks the requested url against a
>> whitelist consisting of allowed patterns.
>>
>> Uli
>>
>> Andreas Andreou schrieb:
>>> Interesting... So, why then is it returning 403-forbidden for
>>> something that doesn't exist?
>>>
>>> Anyone knows/remembers the reasoning?
>>>
>>>
>>> On Tue, Nov 10, 2009 at 6:43 PM, Ulrich Stärk <uli@...> wrote:
>>>> since it returns 403 also on non-existent resources, an attacker wouldn't
>>>> know whether the resource he requested actually exists.
>>>>
>>>> Am 10.11.2009 17:23 schrieb Andreas Andreou:
>>>>> hmm, i'd argue it needs to return a 404 error though, so as not to give
>>>>> attackers a way to know which libraries/jars/resources exist...
>>>>>
>>>>> On Tue, Nov 10, 2009 at 2:52 PM, Ulrich Stärk <uli@...> wrote:
>>>>>> ust tested it in trunk, works as expected: Trying to access templates
>>>>>> and
>>>>>> other stuff, as well as directory listings result in a 403. An
>>>>>> integration
>>>>>> test making sure that the protection isn't accidentally removed again
>>>>>> would
>>>>>> be nice though.
>>>>>>
>>>>>> Uli
>>>>>>
>>>>>> Am 10.11.2009 11:28 schrieb Massimo Lusetti:
>>>>>>> On Mon, Nov 9, 2009 at 6:23 PM, <robertdzeigler@...> wrote:
>>>>>>>
>>>>>>>> Author: robertdzeigler
>>>>>>>> Date: Mon Nov 9 17:23:10 2009
>>>>>>>> New Revision: 834151
>>>>>>>>
>>>>>>>> URL: http://svn.apache.org/viewvc?rev=834151&view=rev
>>>>>>>> Log:
>>>>>>>> TAP5-815: Asset dispatcher allows any file inside the webapp visible
>>>>>>>> and
>>>>>>>> downloadable (5.2 branch)
>>>>>>> Looking for testing this one soon but thanks for the work! Especially
>>>>>>> for (back)porting to the other two dev branch.
>>>>>>>
>>>>>>> Cheers
>>>>>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: dev-unsubscribe@...
>>>>>> For additional commands, e-mail: dev-help@...
>>>>>>
>>>>>>
>>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: dev-unsubscribe@...
>>>> For additional commands, e-mail: dev-help@...
>>>>
>>>>
>>>
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@...
>> For additional commands, e-mail: dev-help@...
>>
>>
>
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@...
For additional commands, e-mail: dev-help@...

Re: svn commit: r834151 - in /tapestry/tapestry5/trunk: src/site/apt/guide/ tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ tapestry-core/src/main/java/org/apache/tapestry5/services/ tapestry-core/src/test/java/org/apache/tapestry

2009-11-10T11:07:10Z

ok, well, all i'm saying is it should return 404 in all those cases

Last time i checked that's what jetty/tomcat are doing for requests such as
http://my.site/WEB-INF/ (but i'm not sure if that's in the servlet
specs or not)

On Tue, Nov 10, 2009 at 8:03 PM, Ulrich Stärk <uli@...> wrote:

> That's because the AssetProtectionDispatcher doesn't know whether the
> resource actually exists. It just checks the requested url against a
> whitelist consisting of allowed patterns.
>
> Uli
>
> Andreas Andreou schrieb:
>>
>> Interesting... So, why then is it returning 403-forbidden for
>> something that doesn't exist?
>>
>> Anyone knows/remembers the reasoning?
>>
>>
>> On Tue, Nov 10, 2009 at 6:43 PM, Ulrich Stärk <uli@...> wrote:
>>>
>>> since it returns 403 also on non-existent resources, an attacker wouldn't
>>> know whether the resource he requested actually exists.
>>>
>>> Am 10.11.2009 17:23 schrieb Andreas Andreou:
>>>>
>>>> hmm, i'd argue it needs to return a 404 error though, so as not to give
>>>> attackers a way to know which libraries/jars/resources exist...
>>>>
>>>> On Tue, Nov 10, 2009 at 2:52 PM, Ulrich Stärk <uli@...> wrote:
>>>>>
>>>>> ust tested it in trunk, works as expected: Trying to access templates
>>>>> and
>>>>> other stuff, as well as directory listings result in a 403. An
>>>>> integration
>>>>> test making sure that the protection isn't accidentally removed again
>>>>> would
>>>>> be nice though.
>>>>>
>>>>> Uli
>>>>>
>>>>> Am 10.11.2009 11:28 schrieb Massimo Lusetti:
>>>>>>
>>>>>> On Mon, Nov 9, 2009 at 6:23 PM, <robertdzeigler@...> wrote:
>>>>>>
>>>>>>> Author: robertdzeigler
>>>>>>> Date: Mon Nov 9 17:23:10 2009
>>>>>>> New Revision: 834151
>>>>>>>
>>>>>>> URL: http://svn.apache.org/viewvc?rev=834151&view=rev
>>>>>>> Log:
>>>>>>> TAP5-815: Asset dispatcher allows any file inside the webapp visible
>>>>>>> and
>>>>>>> downloadable (5.2 branch)
>>>>>>
>>>>>> Looking for testing this one soon but thanks for the work! Especially
>>>>>> for (back)porting to the other two dev branch.
>>>>>>
>>>>>> Cheers
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: dev-unsubscribe@...
>>>>> For additional commands, e-mail: dev-help@...
>>>>>
>>>>>
>>>>
>>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscribe@...
>>> For additional commands, e-mail: dev-help@...
>>>
>>>
>>
>>
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@...
> For additional commands, e-mail: dev-help@...
>
>

--
Andreas Andreou - andyhot@... - http://blog.andyhot.gr
Tapestry / Tacos developer
Open Source / JEE Consulting

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@...
For additional commands, e-mail: dev-help@...

[jira] Updated: (TAP5-785) Logfiles contain many warnings that something is wrong with Blackbird cookies

2009-11-10T10:33:28Z

[ https://issues.apache.org/jira/browse/TAP5-785?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andreas Fink updated TAP5-785:
------------------------------

Comment: was deleted

(was: -)

> Logfiles contain many warnings that something is wrong with Blackbird cookies
> -----------------------------------------------------------------------------
>
> Key: TAP5-785
> URL: https://issues.apache.org/jira/browse/TAP5-785
> Project: Tapestry 5
> Issue Type: Bug
> Components: tapestry-core
> Affects Versions: 5.1.0.5
> Reporter: Andy Pahne
> Attachments: blackbird.js.patch
>
>
> Environment:
> - Tapestry 5.1.0.5,
> - running in maven jetty plugin
> 2009-07-16 10:42:03.629::INFO: Started SelectChannelConnector@...:7080
> [INFO] Started Jetty Server
> 2009-07-16 10:43:47.385::WARN: java.lang.IllegalArgumentException: Cookie name ""size": 0" is a reserved token
> 2009-07-16 10:43:47.401::WARN: java.lang.IllegalArgumentException: Cookie name ""load": null}" is a reserved token
> 2009-07-16 10:43:47.401::WARN: java.lang.IllegalArgumentException: Cookie name ""size": 0" is a reserved token
> 2009-07-16 10:43:47.401::WARN: java.lang.IllegalArgumentException: Cookie name ""load": null}" is a reserved token
> 2009-07-16 10:43:49.510::WARN: java.lang.IllegalArgumentException: Cookie name ""size": 0" is a reserved token
> 2009-07-16 10:43:49.510::WARN: java.lang.IllegalArgumentException: Cookie name ""load": null}" is a reserved token
> 2009-07-16 10:43:49,525 INFO (CommonsLoggingOutput.java:51) - DWR Version 2.0.5 starting.
> 2009-07-16 10:43:49,525 INFO (CommonsLoggingOutput.java:51) - - Servlet Engine: jetty/6.1.19
> 2009-07-16 10:43:49,525 INFO (CommonsLoggingOutput.java:51) - - Java Version: 1.6.0_12
> 2009-07-16 10:43:49,525 INFO (CommonsLoggingOutput.java:51) - - Java Vendor: Sun Microsystems Inc.
> Those are the cookies set (besides JSESSIONID):
> Name blackbird
> Val {"pos": 1, "size": 0, "load": null}
> Host localhost
> Path /tb/search/
> Gültig bis Thu, 30 Jul 2009 08:43:50 GMT
> Name blackbird
> Val {"pos": 1, "size": 0, "load": null}
> Host localhost
> Path /tb/
> Gültig bis Thu, 16 Jul 2009 11:26:09 GMT

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Updated: (TAP5-785) Logfiles contain many warnings that something is wrong with Blackbird cookies

2009-11-10T10:31:28Z

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Updated: (TAP5-785) Logfiles contain many warnings that something is wrong with Blackbird cookies

2009-11-10T10:31:28Z

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Re: svn commit: r834151 - in /tapestry/tapestry5/trunk: src/site/apt/guide/ tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ tapestry-core/src/main/java/org/apache/tapestry5/services/ tapestry-core/src/test/java/org/apache/tapestry

2009-11-10T10:03:43Z

That's because the AssetProtectionDispatcher doesn't know whether the
resource actually exists. It just checks the requested url against a
whitelist consisting of allowed patterns.

Uli

Andreas Andreou schrieb:

> Interesting... So, why then is it returning 403-forbidden for
> something that doesn't exist?
>
> Anyone knows/remembers the reasoning?
>
>
> On Tue, Nov 10, 2009 at 6:43 PM, Ulrich Stärk <uli@...> wrote:
>> since it returns 403 also on non-existent resources, an attacker wouldn't
>> know whether the resource he requested actually exists.
>>
>> Am 10.11.2009 17:23 schrieb Andreas Andreou:
>>> hmm, i'd argue it needs to return a 404 error though, so as not to give
>>> attackers a way to know which libraries/jars/resources exist...
>>>
>>> On Tue, Nov 10, 2009 at 2:52 PM, Ulrich Stärk <uli@...> wrote:
>>>> ust tested it in trunk, works as expected: Trying to access templates and
>>>> other stuff, as well as directory listings result in a 403. An
>>>> integration
>>>> test making sure that the protection isn't accidentally removed again
>>>> would
>>>> be nice though.
>>>>
>>>> Uli
>>>>
>>>> Am 10.11.2009 11:28 schrieb Massimo Lusetti:
>>>>> On Mon, Nov 9, 2009 at 6:23 PM, <robertdzeigler@...> wrote:
>>>>>
>>>>>> Author: robertdzeigler
>>>>>> Date: Mon Nov 9 17:23:10 2009
>>>>>> New Revision: 834151
>>>>>>
>>>>>> URL: http://svn.apache.org/viewvc?rev=834151&view=rev
>>>>>> Log:
>>>>>> TAP5-815: Asset dispatcher allows any file inside the webapp visible
>>>>>> and
>>>>>> downloadable (5.2 branch)
>>>>> Looking for testing this one soon but thanks for the work! Especially
>>>>> for (back)porting to the other two dev branch.
>>>>>
>>>>> Cheers
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: dev-unsubscribe@...
>>>> For additional commands, e-mail: dev-help@...
>>>>
>>>>
>>>
>>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@...
>> For additional commands, e-mail: dev-help@...
>>
>>
>
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@...
For additional commands, e-mail: dev-help@...

Re: svn commit: r834151 - in /tapestry/tapestry5/trunk: src/site/apt/guide/ tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ tapestry-core/src/main/java/org/apache/tapestry5/services/ tapestry-core/src/test/java/org/apache/tapestry

2009-11-10T08:59:18Z

Interesting... So, why then is it returning 403-forbidden for
something that doesn't exist?

Anyone knows/remembers the reasoning?

On Tue, Nov 10, 2009 at 6:43 PM, Ulrich Stärk <uli@...> wrote:

> since it returns 403 also on non-existent resources, an attacker wouldn't
> know whether the resource he requested actually exists.
>
> Am 10.11.2009 17:23 schrieb Andreas Andreou:
>>
>> hmm, i'd argue it needs to return a 404 error though, so as not to give
>> attackers a way to know which libraries/jars/resources exist...
>>
>> On Tue, Nov 10, 2009 at 2:52 PM, Ulrich Stärk <uli@...> wrote:
>>>
>>> ust tested it in trunk, works as expected: Trying to access templates and
>>> other stuff, as well as directory listings result in a 403. An
>>> integration
>>> test making sure that the protection isn't accidentally removed again
>>> would
>>> be nice though.
>>>
>>> Uli
>>>
>>> Am 10.11.2009 11:28 schrieb Massimo Lusetti:
>>>>
>>>> On Mon, Nov 9, 2009 at 6:23 PM, <robertdzeigler@...> wrote:
>>>>
>>>>> Author: robertdzeigler
>>>>> Date: Mon Nov 9 17:23:10 2009
>>>>> New Revision: 834151
>>>>>
>>>>> URL: http://svn.apache.org/viewvc?rev=834151&view=rev
>>>>> Log:
>>>>> TAP5-815: Asset dispatcher allows any file inside the webapp visible
>>>>> and
>>>>> downloadable (5.2 branch)
>>>>
>>>> Looking for testing this one soon but thanks for the work! Especially
>>>> for (back)porting to the other two dev branch.
>>>>
>>>> Cheers
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscribe@...
>>> For additional commands, e-mail: dev-help@...
>>>
>>>
>>
>>
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@...
> For additional commands, e-mail: dev-help@...
>
>

Re: svn commit: r834151 - in /tapestry/tapestry5/trunk: src/site/apt/guide/ tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ tapestry-core/src/main/java/org/apache/tapestry5/services/ tapestry-core/src/test/java/org/apache/tapestry

2009-11-10T08:43:34Z

since it returns 403 also on non-existent resources, an attacker wouldn't know whether the resource
he requested actually exists.

Am 10.11.2009 17:23 schrieb Andreas Andreou:

> hmm, i'd argue it needs to return a 404 error though, so as not to give
> attackers a way to know which libraries/jars/resources exist...
>
> On Tue, Nov 10, 2009 at 2:52 PM, Ulrich Stärk <uli@...> wrote:
>> ust tested it in trunk, works as expected: Trying to access templates and
>> other stuff, as well as directory listings result in a 403. An integration
>> test making sure that the protection isn't accidentally removed again would
>> be nice though.
>>
>> Uli
>>
>> Am 10.11.2009 11:28 schrieb Massimo Lusetti:
>>> On Mon, Nov 9, 2009 at 6:23 PM, <robertdzeigler@...> wrote:
>>>
>>>> Author: robertdzeigler
>>>> Date: Mon Nov 9 17:23:10 2009
>>>> New Revision: 834151
>>>>
>>>> URL: http://svn.apache.org/viewvc?rev=834151&view=rev
>>>> Log:
>>>> TAP5-815: Asset dispatcher allows any file inside the webapp visible and
>>>> downloadable (5.2 branch)
>>> Looking for testing this one soon but thanks for the work! Especially
>>> for (back)porting to the other two dev branch.
>>>
>>> Cheers
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@...
>> For additional commands, e-mail: dev-help@...
>>
>>
>
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@...
For additional commands, e-mail: dev-help@...

[jira] Updated: (TAP5-785) Logfiles contain many warnings that something is wrong with Blackbird cookies

2009-11-10T08:39:28Z

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Issue Comment Edited: (TAP5-785) Logfiles contain many warnings that something is wrong with Blackbird cookies

2009-11-10T08:39:28Z

[ https://issues.apache.org/jira/browse/TAP5-785?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12775932#action_12775932 ]

Andreas Fink edited comment on TAP5-785 at 11/10/09 4:39 PM:
-------------------------------------------------------------

In the RFC http://www.w3.org/Protocols/rfc2109/rfc2109 - "10.1.3 Punctuation" - it says the value (json-data) can be quoted to allow whitespace and waht not.
I patched tapestries' (5.1.0.5) blackbird.js and configured the patched version like described in http://tapestryjava.blogspot.com/2009/10/tapestry-51-and-ie-8-customizing.html ... it works!
See attachment "blackbird.js.patch".

was (Author: alma):
In the RFC http://www.w3.org/Protocols/rfc2109/rfc2109 - "10.1.3 Punctuation" - it says the value (json-data) can be quoted to allow whitespace and waht not.
I patched tapestries' (5.1.0.5) blackbird.js and configured the patched version like described in http://tapestryjava.blogspot.com/2009/10/tapestry-51-and-ie-8-customizing.html ... it works!
See attached patch.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Updated: (TAP5-785) Logfiles contain many warnings that something is wrong with Blackbird cookies

2009-11-10T08:39:27Z

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Commented: (TAP5-785) Logfiles contain many warnings that something is wrong with Blackbird cookies

2009-11-10T08:37:27Z

[ https://issues.apache.org/jira/browse/TAP5-785?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12775932#action_12775932 ]

Andreas Fink commented on TAP5-785:
-----------------------------------

In the RFC http://www.w3.org/Protocols/rfc2109/rfc2109 - "10.1.3 Punctuation" - it says the value (json-data) can be quoted to allow whitespace and waht not.
I patched tapestries' (5.1.0.5) blackbird.js and configured the patched version like described in http://tapestryjava.blogspot.com/2009/10/tapestry-51-and-ie-8-customizing.html ... it works!
See attached patch.

> Logfiles contain many warnings that something is wrong with Blackbird cookies
> -----------------------------------------------------------------------------
>
> Key: TAP5-785
> URL: https://issues.apache.org/jira/browse/TAP5-785
> Project: Tapestry 5
> Issue Type: Bug
> Components: tapestry-core
> Affects Versions: 5.1.0.5
> Reporter: Andy Pahne
>
> Environment:
> - Tapestry 5.1.0.5,
> - running in maven jetty plugin
> 2009-07-16 10:42:03.629::INFO: Started SelectChannelConnector@...:7080
> [INFO] Started Jetty Server
> 2009-07-16 10:43:47.385::WARN: java.lang.IllegalArgumentException: Cookie name ""size": 0" is a reserved token
> 2009-07-16 10:43:47.401::WARN: java.lang.IllegalArgumentException: Cookie name ""load": null}" is a reserved token
> 2009-07-16 10:43:47.401::WARN: java.lang.IllegalArgumentException: Cookie name ""size": 0" is a reserved token
> 2009-07-16 10:43:47.401::WARN: java.lang.IllegalArgumentException: Cookie name ""load": null}" is a reserved token
> 2009-07-16 10:43:49.510::WARN: java.lang.IllegalArgumentException: Cookie name ""size": 0" is a reserved token
> 2009-07-16 10:43:49.510::WARN: java.lang.IllegalArgumentException: Cookie name ""load": null}" is a reserved token
> 2009-07-16 10:43:49,525 INFO (CommonsLoggingOutput.java:51) - DWR Version 2.0.5 starting.
> 2009-07-16 10:43:49,525 INFO (CommonsLoggingOutput.java:51) - - Servlet Engine: jetty/6.1.19
> 2009-07-16 10:43:49,525 INFO (CommonsLoggingOutput.java:51) - - Java Version: 1.6.0_12
> 2009-07-16 10:43:49,525 INFO (CommonsLoggingOutput.java:51) - - Java Vendor: Sun Microsystems Inc.
> Those are the cookies set (besides JSESSIONID):
> Name blackbird
> Val {"pos": 1, "size": 0, "load": null}
> Host localhost
> Path /tb/search/
> Gültig bis Thu, 30 Jul 2009 08:43:50 GMT
> Name blackbird
> Val {"pos": 1, "size": 0, "load": null}
> Host localhost
> Path /tb/
> Gültig bis Thu, 16 Jul 2009 11:26:09 GMT

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Re: svn commit: r834151 - in /tapestry/tapestry5/trunk: src/site/apt/guide/ tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ tapestry-core/src/main/java/org/apache/tapestry5/services/ tapestry-core/src/test/java/org/apache/tapestry

2009-11-10T08:23:19Z

hmm, i'd argue it needs to return a 404 error though, so as not to give
attackers a way to know which libraries/jars/resources exist...

On Tue, Nov 10, 2009 at 2:52 PM, Ulrich Stärk <uli@...> wrote:

> ust tested it in trunk, works as expected: Trying to access templates and
> other stuff, as well as directory listings result in a 403. An integration
> test making sure that the protection isn't accidentally removed again would
> be nice though.
>
> Uli
>
> Am 10.11.2009 11:28 schrieb Massimo Lusetti:
>>
>> On Mon, Nov 9, 2009 at 6:23 PM, <robertdzeigler@...> wrote:
>>
>>> Author: robertdzeigler
>>> Date: Mon Nov 9 17:23:10 2009
>>> New Revision: 834151
>>>
>>> URL: http://svn.apache.org/viewvc?rev=834151&view=rev
>>> Log:
>>> TAP5-815: Asset dispatcher allows any file inside the webapp visible and
>>> downloadable (5.2 branch)
>>
>> Looking for testing this one soon but thanks for the work! Especially
>> for (back)porting to the other two dev branch.
>>
>> Cheers
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@...
> For additional commands, e-mail: dev-help@...
>
>

[jira] Created: (TAP5-923) Injeting Tapestry Services to Spring Beans is completely undocumented

2009-11-10T08:11:29Z

Injeting Tapestry Services to Spring Beans is completely undocumented
---------------------------------------------------------------------

Key: TAP5-923
URL: https://issues.apache.org/jira/browse/TAP5-923
Project: Tapestry 5
Issue Type: Bug
Components: documentation, tapestry-spring
Affects Versions: 5.1.0.5
Reporter: Michael Wyraz
Priority: Critical

The documentation says that it is possible to inject tapestry services into spring beans but does not state HOW. It's almost impossible to find any information about this in the web. After hours of searching I found in a post that it works with:

@Inject @Autowired
privateService myService;

PLEASE! Add this to the documentation since without only half of tapestry-spring is usable!

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Re: svn commit: r834151 - in /tapestry/tapestry5/trunk: src/site/apt/guide/ tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ tapestry-core/src/main/java/org/apache/tapestry5/services/ tapestry-core/src/test/java/org/apache/tapestry

2009-11-10T04:52:19Z

ust tested it in trunk, works as expected: Trying to access templates and other stuff, as well as
directory listings result in a 403. An integration test making sure that the protection isn't
accidentally removed again would be nice though.

Uli

Am 10.11.2009 11:28 schrieb Massimo Lusetti:

> On Mon, Nov 9, 2009 at 6:23 PM, <robertdzeigler@...> wrote:
>
>> Author: robertdzeigler
>> Date: Mon Nov 9 17:23:10 2009
>> New Revision: 834151
>>
>> URL: http://svn.apache.org/viewvc?rev=834151&view=rev
>> Log:
>> TAP5-815: Asset dispatcher allows any file inside the webapp visible and downloadable (5.2 branch)
>
> Looking for testing this one soon but thanks for the work! Especially
> for (back)porting to the other two dev branch.
>
> Cheers

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@...
For additional commands, e-mail: dev-help@...

Re: svn commit: r834151 - in /tapestry/tapestry5/trunk: src/site/apt/guide/ tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ tapestry-core/src/main/java/org/apache/tapestry5/services/ tapestry-core/src/test/java/org/apache/tapestry

2009-11-10T02:28:46Z

On Mon, Nov 9, 2009 at 6:23 PM, <robertdzeigler@...> wrote:

> Author: robertdzeigler
> Date: Mon Nov 9 17:23:10 2009
> New Revision: 834151
>
> URL: http://svn.apache.org/viewvc?rev=834151&view=rev
> Log:
> TAP5-815: Asset dispatcher allows any file inside the webapp visible and downloadable (5.2 branch)

Looking for testing this one soon but thanks for the work! Especially
for (back)porting to the other two dev branch.

Cheers
--
Massimo
http://meridio.blogspot.com

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@...
For additional commands, e-mail: dev-help@...

[jira] Created: (TAP5-922) Allow null in LinkImpl.addParameter

2009-11-09T16:31:32Z

Allow null in LinkImpl.addParameter
-----------------------------------

Key: TAP5-922
URL: https://issues.apache.org/jira/browse/TAP5-922
Project: Tapestry 5
Issue Type: Bug
Components: tapestry-core
Affects Versions: 5.1.0.5
Reporter: Angelo Chen
Priority: Minor

I have a query string that I need to append to a Link object, the query string is:

?gender=M&country=

Link lnk = renderLinkSource.createPageRenderLink("SamplePage");

lnk.addParameter("gender", "M"); // this works

lnk.addParameter("country", null);

above line failed with :

RequestExceptionHandler Unexpected runtime exception: Parameter value was null or contained only whitespace.

A null parameter should be valid in a URL, sometimes it is needed to have Google Analytics pick up the complete URL even it is null.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

2009-11-09T11:35:32Z

[ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12775085#action_12775085 ]

Robert Zeigler commented on TAP5-815:
-------------------------------------

Hey Chris,

I just committed the AssetProtectionDispatcher stuff (to 5.0 and 5.1 branches and to trunk). That should solve your issue, but if you want to double check that, it would be great.
Leaving this issue open for the time being to give people a chance to review. I'll close it tonight or tomorrow if I don't hear anything more.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

svn commit: r834180 - in /tapestry/tapestry5/branches/5.0: src/site/apt/guide/ tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ tapestry-core/src/main/java/org/apache/tapestry5/services/ tapestry-core/src/test/java/org/apache/tapestr...

2009-11-09T11:28:33Z

Author: robertdzeigler
Date: Mon Nov 9 19:28:32 2009
New Revision: 834180

URL: http://svn.apache.org/viewvc?rev=834180&view=rev
Log:
TAP5-815: Asset dispatcher allows any file inside the webapp visible and downloadable (5.0 branch)

Added:
tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java
tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java
tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/WhitelistAuthorizer.java
tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/services/AssetPathAuthorizer.java
tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java
tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RegexAuthorizerTest.java
tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/WhitelistAuthorizerTest.java
Modified:
tapestry/tapestry5/branches/5.0/src/site/apt/guide/assets.apt
tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java

Modified: tapestry/tapestry5/branches/5.0/src/site/apt/guide/assets.apt
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.0/src/site/apt/guide/assets.apt?rev=834180&r1=834179&r2=834180&view=diff
==============================================================================
--- tapestry/tapestry5/branches/5.0/src/site/apt/guide/assets.apt (original)
+++ tapestry/tapestry5/branches/5.0/src/site/apt/guide/assets.apt Mon Nov 9 19:28:32 2009
@@ -98,4 +98,28 @@
Care should be taken to not create overlapping mappings, as the results would not be predictable.

-
\ No newline at end of file
+Securing Assets
+
+ Securing assets is an important consideration for any web application. Many assets, such as hibernate configuration
+ files, sit in the classpath and are exposable via the Asset service, which is not desirable. To protect these and
+ other sensitive assets, Tapestry provides the AssetProtectionDispatcher. This dispatcher sits in front of the
+ AssetDispatcher, the service responsible for streaming assets to the client, and watches for Asset requests.
+ When an asset request comes in, the protection dispatcher checks for authorization to view the file against a
+ contributed list of AssetPathAuthorizer implementations. Determination of whether the client can view the requested
+ resource is then made based on whether any of the contributed AssetPathAuthorizer implementations explicitly allowed
+ or denied access to the resource.
+
+ Tapestry provides two AssetPathAuthorizer implemenations "out of the box" to which users may contribute: RegexAuthorizer
+ and WhitelistAuthorizer. RegexAuthorizer uses regular expressions to determine assets which are viewable by the
+ client; any assets that match one of its (contributed) regular expressions are authorized. Anything not matched is
+ passed through to the WhitelistAuthorizer. WhitelistAuthorizer uses an exact-matching whitelist. Anything matching
+ exactly one its contributions is allowed; all other asset requests are denied. The default tapestry configuration
+ contributes nothing to WhitelistAuthorizer (access will be denied to all asset requests passed through to it), and
+ explicitly allows access to css, jpg, jpeg, js, png, and gif files associated with tapestry (tapestry.js, blackbird
+ files, date picker files, etc.). The default contribution also enables access to the css, jpg, jpeg, js, png, and gif
+ files provided by the popular chenille-kit 3rd party library. The default configuration denies access to all other
+ assets. To enable access to your application's assets, either contribute a custom AssetPathAnalyzer, or contribute
+ appropriate regular expression or exact path contributions to RegexAuthorizer or WhitelistAuthorizer, respectively.
+ See TapestryModule.contribteRegexAuthorizer for examples.
+
+

Added: tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java?rev=834180&view=auto
==============================================================================
--- tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java (added)
+++ tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java Mon Nov 9 19:28:32 2009
@@ -0,0 +1,92 @@
+// Copyright 2009 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.apache.tapestry5.internal.services;
+
+import java.io.IOException;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.tapestry5.internal.services.RequestConstants;
+import org.apache.tapestry5.services.*;
+import org.slf4j.Logger;
+
+/**
+ * Dispatcher that handles whether to allow or deny access to particular
+ * assets. Actual work of authorizing a particular url is handled by
+ * implementations of AssetPathAuthorizer. Configuration is an ordered
+ * list of AssetPathAuthorizers. Each authorizer specifies an order of
+ * operations as a list (see AssetPathAuthorizer.Order).
+ *
+ */
+public class AssetProtectionDispatcher implements Dispatcher
+{
+
+ private final Collection<AssetPathAuthorizer> authorizers;
+ private final ClasspathAssetAliasManager assetAliasManager;
+ private final Logger logger;
+
+ public AssetProtectionDispatcher(
+ List<AssetPathAuthorizer> auths,
+ ClasspathAssetAliasManager manager,
+ Logger logger)
+ {
+ this.authorizers = Collections.unmodifiableList(auths);
+ this.assetAliasManager = manager;
+ this.logger = logger;
+ }
+
+ public boolean dispatch(Request request, Response response)
+ throws IOException
+ {
+ String path = request.getPath();
+ //we only protect assets, and don't examine any other url's.
+ if (!path.startsWith(RequestConstants.ASSET_PATH_PREFIX))
+ {
+ return false;
+ }
+ String resourcePath = assetAliasManager.toResourcePath(path);
+ for(AssetPathAuthorizer auth : authorizers)
+ {
+ for(AssetPathAuthorizer.Order o : auth.order())
+ {
+ if (o == AssetPathAuthorizer.Order.ALLOW)
+ {
+ if (auth.accessAllowed(resourcePath))
+ {
+ logger.debug("Allowing access to " + resourcePath);
+ return false;
+ }
+ }
+ else
+ {
+ if (auth.accessDenied(resourcePath))
+ {
+ logger.debug("Denying access to " + resourcePath);
+ response.sendError(HttpServletResponse.SC_FORBIDDEN,resourcePath);
+ return true;
+ }
+ }
+ }
+ }
+ //if we get here, no Authorizer had anything useful to say about the resourcePath.
+ //so let it fall through.
+ logger.debug("Fell through the list of authorizers. Allowing access to: " + resourcePath);
+ return false;
+ }
+
+}

Added: tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java?rev=834180&view=auto
==============================================================================
--- tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java (added)
+++ tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java Mon Nov 9 19:28:32 2009
@@ -0,0 +1,76 @@
+// Copyright 2009 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.apache.tapestry5.internal.services;
+
+import org.apache.tapestry5.services.AssetPathAuthorizer;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+import java.util.regex.Pattern;
+
+/**
+ * Provides a regex-based authorization scheme for asset-access authorization.
+ * Note that this implementation doesn't actually deny access to anything.
+ * But it's placement within the chain of command of authorizers is just before
+ * the whitelist authorizer, which has an explicit deny policy.
+ * Hence, as long as the whitelist authorizer is being used in conjunction with
+ * the regex authorizer, there is no need to worry about accessDenied in this authorizer.
+ *
+ */
+public class RegexAuthorizer implements AssetPathAuthorizer
+{
+
+ private final Collection<Pattern> _regexes;
+
+ public RegexAuthorizer(final Collection<String> regex)
+ {
+ //an alternate way to construct this would be to make sure that each pattern is grouped
+ //and then to regex or the various patterns together into a single pattern.
+ //that might be faster, but probably not enough to make a difference, and this is cleaner.
+ List<Pattern> tmp = new ArrayList<Pattern>();
+ for(String exp : regex)
+ {
+ tmp.add(Pattern.compile(exp));
+ }
+ _regexes = Collections.unmodifiableCollection(tmp);
+
+ }
+
+ public boolean accessAllowed(String resourcePath)
+ {
+ for(Pattern regex : _regexes)
+ {
+ if (regex.matcher(resourcePath).matches())
+ {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ public boolean accessDenied(String resourcePath)
+ {
+ return false;
+ }
+
+ public List<Order> order()
+ {
+ return Arrays.asList(Order.ALLOW);
+ }
+
+}

Added: tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/WhitelistAuthorizer.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/WhitelistAuthorizer.java?rev=834180&view=auto
==============================================================================
--- tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/WhitelistAuthorizer.java (added)
+++ tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/WhitelistAuthorizer.java Mon Nov 9 19:28:32 2009
@@ -0,0 +1,59 @@
+// Copyright 2009 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.apache.tapestry5.internal.services;
+
+import org.apache.tapestry5.services.AssetPathAuthorizer;
+
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+
+/**
+ * AssetPathAuthorizer that determines access rights based on exact matching to a contributed whitelist.
+ * Any resource not explicitly specified in the whitelist is denied access.
+ */
+public class WhitelistAuthorizer implements AssetPathAuthorizer
+{
+
+ public List<Order> order()
+ {
+ return Arrays.asList(Order.ALLOW, Order.DENY);
+ }
+
+ //hash the resource paths for fast lookups.
+ private final Map<String, Boolean> _paths;
+
+ public WhitelistAuthorizer(Collection<String> paths)
+ {
+ _paths = new ConcurrentHashMap<String, Boolean>();
+ for(String path : paths)
+ {
+ _paths.put(path, true);
+ }
+ }
+
+ public boolean accessAllowed(String resourcePath)
+ {
+ return (_paths.containsKey(resourcePath));
+ }
+
+ public boolean accessDenied(String resourcePath)
+ {
+ return !_paths.containsKey(resourcePath);
+ }
+
+}

Added: tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/services/AssetPathAuthorizer.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/services/AssetPathAuthorizer.java?rev=834180&view=auto
==============================================================================
--- tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/services/AssetPathAuthorizer.java (added)
+++ tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/services/AssetPathAuthorizer.java Mon Nov 9 19:28:32 2009
@@ -0,0 +1,76 @@
+// Copyright 2009 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.apache.tapestry5.services;
+
+import java.util.List;
+
+/**
+ * Determines whether access to an asset is allowed, denied, or undetermined.
+ * Each contributed authorizer makes up part of a chain of command for determining access.
+ * Access is explicitly allowed if accessAllowed returns true.
+ * Access is explicitly denied if accessDenied returns true.
+ * Ordering depends on the order specified by the "order" parameter.
+ * Hence, an implementation which specifies an order of:
+ * ALLOW, DENY, and returns true from both accessAllowed and accessDenied
+ * will allow access for all resources. With the same return values for the
+ * access* methods but the order switched to DENY, ALLOW, access to all resources
+ * would be denied. It is possible for an authorizer to have "nothing
+ * to say" regarding a particular resource. If accessAllowed returns false,
+ * it does not mean that access is denied, merely that it is not explicitly allowed.
+ * If accessDenied returns false, it does not mean that access is allowed, merely that
+ * it is not explicitly denied. Hence, if both accessAllowed and accessDenied return false,
+ * control will pass to the next authorizer in the chain.
+ *
+ */
+public interface AssetPathAuthorizer
+{
+
+ /**
+ * Types of orderings, either ALLOW or DENY.
+ */
+ enum Order {ALLOW, DENY;}
+
+ /**
+ * Specify the ordering for this authorizer.
+ * @return the operations for this authorizer.
+ * Operations will be performed in the order returned by the iterator.
+ * It is assumed that the authorizer correctly implements each form of
+ * ordering returned. It is acceptable to only return only ALLOW or DENY.
+ */
+ List<Order> order();
+
+ /**
+ * Determines whether a request to "resourcePath" is allowed.
+ * @param resourcePath
+ * @return true if access is explicitly allowed for the path. False otherwise.
+ * For example, a whitelist implementation would return true if the resource
+ * was listed, and false otherwise. A blacklist implementation would return
+ * false regardless of whether the path was in the blacklist.
+ * Alternatively, if the blacklist specified an order of DENY, ALLOW, it could
+ * return true from accessAllowed if the resource was not explicitly listed in its
+ * blacklist.
+ */
+ boolean accessAllowed(String resourcePath);
+
+ /**
+ *
+ * @param resourcePath
+ * @return true if access is explicitly prohibited for the path. False otherwise.
+ * For example, a whitelist implementation would return true if the resource was
+ * not explicitly listed, and false otherwise. A blacklist implementation would
+ * return true if the resource was explicitly denied, and false otherwise.
+ */
+ boolean accessDenied(String resourcePath);
+}

Modified: tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java?rev=834180&r1=834179&r2=834180&view=diff
==============================================================================
--- tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java (original)
+++ tapestry/tapestry5/branches/5.0/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java Mon Nov 9 19:28:32 2009
@@ -191,6 +191,9 @@
"NullFieldStrategyBindingFactory");
binder.bind(URLEncoder.class, URLEncoderImpl.class);
binder.bind(ContextPathEncoder.class, ContextPathEncoderImpl.class);
+ binder.bind(Dispatcher.class, AssetProtectionDispatcher.class).withId("AssetProtectionDispatcher");
+ binder.bind(AssetPathAuthorizer.class, WhitelistAuthorizer.class).withId("WhitelistAuthorizer");
+ binder.bind(AssetPathAuthorizer.class, RegexAuthorizer.class).withId("RegexAuthorizer");
}

// ========================================================================
@@ -1385,6 +1388,7 @@
* and forwards onto the {@link ComponentEventRequestHandler}</dd> </dl>
*/
public void contributeMasterDispatcher(OrderedConfiguration<Dispatcher> configuration,
+ @InjectService("AssetProtectionDispatcher") Dispatcher assetProt,
ObjectLocator locator)
{
// Looks for the root path and renders the start page. This is maintained for compatibility
@@ -1394,6 +1398,9 @@
locator.autobuild(RootPathDispatcher.class),
"before:Asset");

+ //this goes before asset to make sure that only allowed assets are streamed to the client.
+ configuration.add("AssetProtection", assetProt, "before:Asset");
+
// This goes first because an asset to be streamed may have an file extension, such as
// ".html", that will confuse the later dispatchers.

@@ -2157,4 +2164,38 @@

return service;
}
+
+ /**
+ * Contributes the default set of AssetPathAuthorizers into the AssetProtectionDispatcher.
+ * @param whitelist authorization based on explicit whitelisting.
+ * @param regex authorization based on pattern matching.
+ * @param conf
+ */
+ public static void contributeAssetProtectionDispatcher(
+ @InjectService("WhitelistAuthorizer") AssetPathAuthorizer whitelist,
+ @InjectService("RegexAuthorizer") AssetPathAuthorizer regex,
+ OrderedConfiguration<AssetPathAuthorizer> conf)
+ {
+ //putting whitelist after everything ensures that, in fact, nothing falls through.
+ //also ensures that whitelist gives other authorizers the chance to act...
+ conf.add("regex",regex,"before:whitelist");
+ conf.add("whitelist", whitelist,"after:*");
+ }
+
+ public void contributeRegexAuthorizer(Configuration<String> regex,
+ @Symbol("tapestry.scriptaculous.path") String scriptPath,
+ @Symbol("tapestry.datepicker.path") String datepickerPath)
+ {
+ //allow any js, jpg, jpeg, png, or css under org/chenillekit/tapstry. The funky bit of ([^/.]+/)* is what allows
+ //multiple paths, while not allowing any of those paths to contains ./ or ../ thereby preventing paths like:
+ //org/chenillekit/tapestry/../../../foo.js
+ String pathPattern = "([^/.]+/)*[^/.]+\\.((css)|(js)|(jpg)|(jpeg)|(png)|(gif))$";
+ regex.add("^org/chenillekit/tapestry/" + pathPattern);
+
+ regex.add("^org/apache/tapestry5/" + pathPattern);
+
+ regex.add(datepickerPath + "/" + pathPattern);
+ regex.add(scriptPath + "/" + pathPattern);
+ }
+
}

Modified: tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java?rev=834180&r1=834179&r2=834180&view=diff
==============================================================================
--- tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java (original)
+++ tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java Mon Nov 9 19:28:32 2009
@@ -238,4 +238,22 @@
{
configuration.add("ReverseStringsWorker", new ReverseStringsWorker());
}
+
+ public static void contributeRegexAuthorizer(Configuration<String> configuration) {
+ //use this rather than a blanket regex (^.*.jpg$, etc.); want to be sure that tests pass from the default
+ //configuration setup, (eg: this way, I realized that the "virtual" assets folder
+ //needed to be opened up in the tapestry-provided contributions) rather than from some blanket configuration in the appmodule
+ //opening up all css, js, etc. files.
+ //would contribute to whitelist except that the resource path between ctxt and the rest of the path can change.
+ configuration.add("^ctx/[^/]+/css/app\\.css$");
+ configuration.add("^ctx/[^/]+/layout/style\\.css$");
+ configuration.add("^ctx/[^/]+/layout/images/bg\\.gif$");
+ configuration.add("^ctx/[^/]+/layout/images/header\\.gif$");
+ configuration.add("^ctx/[^/]+/layout/images/rightsmall\\.gif$");
+ configuration.add("^ctx/[^/]+/layout/images/rightbig\\.gif$");
+ configuration.add("^ctx/[^/]+/layout/images/bottom\\.gif$");
+ configuration.add("^ctx/[^/]+/layout/images/footer\\.gif$");
+ configuration.add("^ctx/[^/]+/images/tapestry_banner\\.gif$");
+ configuration.add("^ctx/[^/]+/images/asf_logo_wide\\.gif$");
+ }
}

Added: tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java?rev=834180&view=auto
==============================================================================
--- tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java (added)
+++ tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java Mon Nov 9 19:28:32 2009
@@ -0,0 +1,92 @@
+// Copyright 2009 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.apache.tapestry5.internal.services;
+
+import static org.easymock.EasyMock.createMock;
+import static org.easymock.EasyMock.expect;
+import static org.easymock.EasyMock.*;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.tapestry5.internal.services.RequestConstants;
+import org.apache.tapestry5.internal.services.AssetProtectionDispatcher;
+import org.apache.tapestry5.services.ClasspathAssetAliasManager;
+import org.apache.tapestry5.services.Request;
+import org.apache.tapestry5.services.Response;
+import org.apache.tapestry5.services.AssetPathAuthorizer;
+import org.testng.Assert;
+import org.testng.annotations.Test;
+import org.slf4j.Logger;
+
+public class AssetProtectionDispatcherTest extends Assert
+{
+
+ @Test
+ public void ignores_nonassets() throws IOException
+ {
+ //shouldn't need any configuration here...
+ List<AssetPathAuthorizer> auths = Collections.emptyList();
+ Logger logger = createMock(Logger.class);
+ AssetProtectionDispatcher disp = new AssetProtectionDispatcher(auths,null,logger);
+ Request request = createMock(Request.class);
+ expect(request.getPath()).andReturn("start");
+ Response response = createMock(Response.class);
+ replay(request,response,logger);
+ assertFalse(disp.dispatch(request, response));
+ verify(request,response,logger);
+ }
+
+ @Test
+ public void checks_authorizers() throws IOException
+ {
+ Logger logger = createMock(Logger.class);
+ List<AssetPathAuthorizer> auths = new ArrayList<AssetPathAuthorizer>();
+ AssetPathAuthorizer auth = createMock(AssetPathAuthorizer.class);
+
+ expect(auth.order()).andReturn(Arrays.asList(AssetPathAuthorizer.Order.ALLOW, AssetPathAuthorizer.Order.DENY)).times(2);
+
+ expect(auth.accessAllowed("/cayenne.xml")).andReturn(false);
+ expect(auth.accessDenied("/cayenne.xml")).andReturn(true);
+ expect(auth.accessAllowed("/org/apache/tapestry/default.css")).andReturn(true);
+ auths.add(auth);
+
+ logger.debug("Denying access to /cayenne.xml");
+ logger.debug("Allowing access to /org/apache/tapestry/default.css");
+
+ Request request = createMock(Request.class);
+ Response response = createMock(Response.class);
+ expect(request.getPath()).andReturn(RequestConstants.ASSET_PATH_PREFIX + "/cayenne.xml");
+ expect(request.getPath()).andReturn(RequestConstants.ASSET_PATH_PREFIX + "/org/apache/tapestry/default.css");
+ response.sendError(HttpServletResponse.SC_FORBIDDEN, "/cayenne.xml");
+
+ ClasspathAssetAliasManager manager = createMock(ClasspathAssetAliasManager.class);
+ expect(manager.toResourcePath(RequestConstants.ASSET_PATH_PREFIX + "/cayenne.xml")).andReturn("/cayenne.xml");
+ expect(manager.toResourcePath(
+ RequestConstants.ASSET_PATH_PREFIX + "/org/apache/tapestry/default.css"))
+ .andReturn("/org/apache/tapestry/default.css");
+ replay(auth,request,response,manager,logger);
+ AssetProtectionDispatcher disp = new AssetProtectionDispatcher(auths,manager,logger);
+
+ assertTrue(disp.dispatch(request,response));
+ assertFalse(disp.dispatch(request, response));
+ verify(auth,request,response,logger);
+ }
+}

Added: tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RegexAuthorizerTest.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RegexAuthorizerTest.java?rev=834180&view=auto
==============================================================================
--- tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RegexAuthorizerTest.java (added)
+++ tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RegexAuthorizerTest.java Mon Nov 9 19:28:32 2009
@@ -0,0 +1,53 @@
+// Copyright 2009 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.apache.tapestry5.internal.services;
+
+import java.util.Arrays;
+import java.util.List;
+
+import org.testng.Assert;
+import org.testng.annotations.Test;
+import org.apache.tapestry5.internal.services.RegexAuthorizer;
+
+public class RegexAuthorizerTest extends Assert
+{
+
+ @Test
+ public void test_regexes()
+ {
+ List<String> patterns = Arrays.asList("^.*\\.png$","^.*\\.jpg","^.*\\.jpeg");
+ RegexAuthorizer auth = new RegexAuthorizer(patterns);
+ String pkg = "assets/com/saiwaisolutions/resources/";
+ String png = pkg + "foo.png";
+ String jpg = pkg + "foo.jpg";
+ String jpeg = pkg + "foo.jpeg";
+ String xml = pkg + "foo.xml";
+ test(auth,png,true);
+ test(auth,jpg,true);
+ test(auth,jpeg,true);
+ test(auth,xml,false);
+ }
+
+ private static void test(RegexAuthorizer auth, String one,boolean allowed)
+ {
+ assertEquals(auth.accessAllowed(one),allowed);
+ assertEquals(
+ auth.accessAllowed(
+ "http://localhost:8080" + one),
+ allowed);
+ assertFalse(auth.accessDenied(one));
+ assertFalse(auth.accessDenied("http://localhost:8080" + one));
+ }
+}

Added: tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/WhitelistAuthorizerTest.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/WhitelistAuthorizerTest.java?rev=834180&view=auto
==============================================================================
--- tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/WhitelistAuthorizerTest.java (added)
+++ tapestry/tapestry5/branches/5.0/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/WhitelistAuthorizerTest.java Mon Nov 9 19:28:32 2009
@@ -0,0 +1,45 @@
+// Copyright 2009 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+/*
+ * Created on Jul 28, 2007
+ *
+ *
+ */
+package org.apache.tapestry5.internal.services;
+
+import java.util.Arrays;
+
+import org.testng.Assert;
+import org.testng.annotations.Test;
+import org.apache.tapestry5.internal.services.WhitelistAuthorizer;
+import org.apache.tapestry5.services.AssetPathAuthorizer;
+
+public class WhitelistAuthorizerTest extends Assert {
+
+ @Test
+ public void run()
+ {
+ WhitelistAuthorizer auth = new WhitelistAuthorizer(Arrays.asList("foo"));
+ assertEquals(auth.order().get(0), AssetPathAuthorizer.Order.ALLOW);
+ assertEquals(auth.order().get(1), AssetPathAuthorizer.Order.DENY);
+ assertEquals(auth.order().size(),2);
+ assertTrue(auth.accessAllowed("foo"));
+ assertFalse(auth.accessDenied("foo"));
+
+ assertFalse(auth.accessAllowed("bar"));
+ assertTrue(auth.accessDenied("bar"));
+ }
+
+}

svn commit: r834167 - in /tapestry/tapestry5/branches/5.1.0.x-dev: src/site/apt/guide/ tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ tapestry-core/src/main/java/org/apache/tapestry5/services/ tapestry-core/src/test/java/org/apache...

2009-11-09T10:26:49Z

Author: robertdzeigler
Date: Mon Nov 9 18:26:48 2009
New Revision: 834167

URL: http://svn.apache.org/viewvc?rev=834167&view=rev
Log:
TAP5-815: Asset dispatcher allows any file inside the webapp visible and downloadable (5.1 branch)

Added:
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/WhitelistAuthorizer.java
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/services/AssetPathAuthorizer.java
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RegexAuthorizerTest.java
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/WhitelistAuthorizerTest.java
Modified:
tapestry/tapestry5/branches/5.1.0.x-dev/src/site/apt/guide/assets.apt
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java

Modified: tapestry/tapestry5/branches/5.1.0.x-dev/src/site/apt/guide/assets.apt
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/src/site/apt/guide/assets.apt?rev=834167&r1=834166&r2=834167&view=diff
==============================================================================
--- tapestry/tapestry5/branches/5.1.0.x-dev/src/site/apt/guide/assets.apt (original)
+++ tapestry/tapestry5/branches/5.1.0.x-dev/src/site/apt/guide/assets.apt Mon Nov 9 18:26:48 2009
@@ -138,6 +138,31 @@
In addition, context assets will use the URL prefix <<</assets/ctx/>>><app-version><<</>>>.

+Securing Assets
+
+ Securing assets is an important consideration for any web application. Many assets, such as hibernate configuration
+ files, sit in the classpath and are exposable via the Asset service, which is not desirable. To protect these and
+ other sensitive assets, Tapestry provides the AssetProtectionDispatcher. This dispatcher sits in front of the
+ AssetDispatcher, the service responsible for streaming assets to the client, and watches for Asset requests.
+ When an asset request comes in, the protection dispatcher checks for authorization to view the file against a
+ contributed list of AssetPathAuthorizer implementations. Determination of whether the client can view the requested
+ resource is then made based on whether any of the contributed AssetPathAuthorizer implementations explicitly allowed
+ or denied access to the resource.
+
+ Tapestry provides two AssetPathAuthorizer implemenations "out of the box" to which users may contribute: RegexAuthorizer
+ and WhitelistAuthorizer. RegexAuthorizer uses regular expressions to determine assets which are viewable by the
+ client; any assets that match one of its (contributed) regular expressions are authorized. Anything not matched is
+ passed through to the WhitelistAuthorizer. WhitelistAuthorizer uses an exact-matching whitelist. Anything matching
+ exactly one its contributions is allowed; all other asset requests are denied. The default tapestry configuration
+ contributes nothing to WhitelistAuthorizer (access will be denied to all asset requests passed through to it), and
+ explicitly allows access to css, jpg, jpeg, js, png, and gif files associated with tapestry (tapestry.js, blackbird
+ files, date picker files, etc.). The default contribution also enables access to the css, jpg, jpeg, js, png, and gif
+ files provided by the popular chenille-kit 3rd party library. The default configuration denies access to all other
+ assets. To enable access to your application's assets, either contribute a custom AssetPathAnalyzer, or contribute
+ appropriate regular expression or exact path contributions to RegexAuthorizer or WhitelistAuthorizer, respectively.
+ See TapestryModule.contribteRegexAuthorizer for examples.
+
+
Performance Notes

Assets are expected to be entirely static (not changing while the application is deployed). When Tapestry generates a URL
@@ -146,4 +171,4 @@
asset.

In addition, Tapestry will {{{compress.html}GZIP compress}} the content of <all> assets (if the asset
- is compressable, and the client supports it).
\ No newline at end of file
+ is compressable, and the client supports it).

Added: tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java?rev=834167&view=auto
==============================================================================
--- tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java (added)
+++ tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java Mon Nov 9 18:26:48 2009
@@ -0,0 +1,92 @@
+// Copyright 2009 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.apache.tapestry5.internal.services;
+
+import java.io.IOException;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.tapestry5.internal.services.RequestConstants;
+import org.apache.tapestry5.services.*;
+import org.slf4j.Logger;
+
+/**
+ * Dispatcher that handles whether to allow or deny access to particular
+ * assets. Actual work of authorizing a particular url is handled by
+ * implementations of AssetPathAuthorizer. Configuration is an ordered
+ * list of AssetPathAuthorizers. Each authorizer specifies an order of
+ * operations as a list (see AssetPathAuthorizer.Order).
+ *
+ */
+public class AssetProtectionDispatcher implements Dispatcher
+{
+
+ private final Collection<AssetPathAuthorizer> authorizers;
+ private final ClasspathAssetAliasManager assetAliasManager;
+ private final Logger logger;
+
+ public AssetProtectionDispatcher(
+ List<AssetPathAuthorizer> auths,
+ ClasspathAssetAliasManager manager,
+ Logger logger)
+ {
+ this.authorizers = Collections.unmodifiableList(auths);
+ this.assetAliasManager = manager;
+ this.logger = logger;
+ }
+
+ public boolean dispatch(Request request, Response response)
+ throws IOException
+ {
+ String path = request.getPath();
+ //we only protect assets, and don't examine any other url's.
+ if (!path.startsWith(RequestConstants.ASSET_PATH_PREFIX))
+ {
+ return false;
+ }
+ String resourcePath = assetAliasManager.toResourcePath(path);
+ for(AssetPathAuthorizer auth : authorizers)
+ {
+ for(AssetPathAuthorizer.Order o : auth.order())
+ {
+ if (o == AssetPathAuthorizer.Order.ALLOW)
+ {
+ if (auth.accessAllowed(resourcePath))
+ {
+ logger.debug("Allowing access to " + resourcePath);
+ return false;
+ }
+ }
+ else
+ {
+ if (auth.accessDenied(resourcePath))
+ {
+ logger.debug("Denying access to " + resourcePath);
+ response.sendError(HttpServletResponse.SC_FORBIDDEN,resourcePath);
+ return true;
+ }
+ }
+ }
+ }
+ //if we get here, no Authorizer had anything useful to say about the resourcePath.
+ //so let it fall through.
+ logger.debug("Fell through the list of authorizers. Allowing access to: " + resourcePath);
+ return false;
+ }
+
+}

Added: tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java?rev=834167&view=auto
==============================================================================
--- tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java (added)
+++ tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java Mon Nov 9 18:26:48 2009
@@ -0,0 +1,76 @@
+// Copyright 2009 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.apache.tapestry5.internal.services;
+
+import org.apache.tapestry5.services.AssetPathAuthorizer;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+import java.util.regex.Pattern;
+
+/**
+ * Provides a regex-based authorization scheme for asset-access authorization.
+ * Note that this implementation doesn't actually deny access to anything.
+ * But it's placement within the chain of command of authorizers is just before
+ * the whitelist authorizer, which has an explicit deny policy.
+ * Hence, as long as the whitelist authorizer is being used in conjunction with
+ * the regex authorizer, there is no need to worry about accessDenied in this authorizer.
+ *
+ */
+public class RegexAuthorizer implements AssetPathAuthorizer
+{
+
+ private final Collection<Pattern> _regexes;
+
+ public RegexAuthorizer(final Collection<String> regex)
+ {
+ //an alternate way to construct this would be to make sure that each pattern is grouped
+ //and then to regex or the various patterns together into a single pattern.
+ //that might be faster, but probably not enough to make a difference, and this is cleaner.
+ List<Pattern> tmp = new ArrayList<Pattern>();
+ for(String exp : regex)
+ {
+ tmp.add(Pattern.compile(exp));
+ }
+ _regexes = Collections.unmodifiableCollection(tmp);
+
+ }
+
+ public boolean accessAllowed(String resourcePath)
+ {
+ for(Pattern regex : _regexes)
+ {
+ if (regex.matcher(resourcePath).matches())
+ {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ public boolean accessDenied(String resourcePath)
+ {
+ return false;
+ }
+
+ public List<Order> order()
+ {
+ return Arrays.asList(Order.ALLOW);
+ }
+
+}

Added: tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/WhitelistAuthorizer.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/WhitelistAuthorizer.java?rev=834167&view=auto
==============================================================================
--- tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/WhitelistAuthorizer.java (added)
+++ tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/WhitelistAuthorizer.java Mon Nov 9 18:26:48 2009
@@ -0,0 +1,59 @@
+// Copyright 2009 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.apache.tapestry5.internal.services;
+
+import org.apache.tapestry5.services.AssetPathAuthorizer;
+
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+
+/**
+ * AssetPathAuthorizer that determines access rights based on exact matching to a contributed whitelist.
+ * Any resource not explicitly specified in the whitelist is denied access.
+ */
+public class WhitelistAuthorizer implements AssetPathAuthorizer
+{
+
+ public List<Order> order()
+ {
+ return Arrays.asList(Order.ALLOW, Order.DENY);
+ }
+
+ //hash the resource paths for fast lookups.
+ private final Map<String, Boolean> _paths;
+
+ public WhitelistAuthorizer(Collection<String> paths)
+ {
+ _paths = new ConcurrentHashMap<String, Boolean>();
+ for(String path : paths)
+ {
+ _paths.put(path, true);
+ }
+ }
+
+ public boolean accessAllowed(String resourcePath)
+ {
+ return (_paths.containsKey(resourcePath));
+ }
+
+ public boolean accessDenied(String resourcePath)
+ {
+ return !_paths.containsKey(resourcePath);
+ }
+
+}

Added: tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/services/AssetPathAuthorizer.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/services/AssetPathAuthorizer.java?rev=834167&view=auto
==============================================================================
--- tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/services/AssetPathAuthorizer.java (added)
+++ tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/services/AssetPathAuthorizer.java Mon Nov 9 18:26:48 2009
@@ -0,0 +1,76 @@
+// Copyright 2009 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.apache.tapestry5.services;
+
+import java.util.List;
+
+/**
+ * Determines whether access to an asset is allowed, denied, or undetermined.
+ * Each contributed authorizer makes up part of a chain of command for determining access.
+ * Access is explicitly allowed if accessAllowed returns true.
+ * Access is explicitly denied if accessDenied returns true.
+ * Ordering depends on the order specified by the "order" parameter.
+ * Hence, an implementation which specifies an order of:
+ * ALLOW, DENY, and returns true from both accessAllowed and accessDenied
+ * will allow access for all resources. With the same return values for the
+ * access* methods but the order switched to DENY, ALLOW, access to all resources
+ * would be denied. It is possible for an authorizer to have "nothing
+ * to say" regarding a particular resource. If accessAllowed returns false,
+ * it does not mean that access is denied, merely that it is not explicitly allowed.
+ * If accessDenied returns false, it does not mean that access is allowed, merely that
+ * it is not explicitly denied. Hence, if both accessAllowed and accessDenied return false,
+ * control will pass to the next authorizer in the chain.
+ *
+ */
+public interface AssetPathAuthorizer
+{
+
+ /**
+ * Types of orderings, either ALLOW or DENY.
+ */
+ enum Order {ALLOW, DENY;}
+
+ /**
+ * Specify the ordering for this authorizer.
+ * @return the operations for this authorizer.
+ * Operations will be performed in the order returned by the iterator.
+ * It is assumed that the authorizer correctly implements each form of
+ * ordering returned. It is acceptable to only return only ALLOW or DENY.
+ */
+ List<Order> order();
+
+ /**
+ * Determines whether a request to "resourcePath" is allowed.
+ * @param resourcePath
+ * @return true if access is explicitly allowed for the path. False otherwise.
+ * For example, a whitelist implementation would return true if the resource
+ * was listed, and false otherwise. A blacklist implementation would return
+ * false regardless of whether the path was in the blacklist.
+ * Alternatively, if the blacklist specified an order of DENY, ALLOW, it could
+ * return true from accessAllowed if the resource was not explicitly listed in its
+ * blacklist.
+ */
+ boolean accessAllowed(String resourcePath);
+
+ /**
+ *
+ * @param resourcePath
+ * @return true if access is explicitly prohibited for the path. False otherwise.
+ * For example, a whitelist implementation would return true if the resource was
+ * not explicitly listed, and false otherwise. A blacklist implementation would
+ * return true if the resource was explicitly denied, and false otherwise.
+ */
+ boolean accessDenied(String resourcePath);
+}

Modified: tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java?rev=834167&r1=834166&r2=834167&view=diff
==============================================================================
--- tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java (original)
+++ tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java Mon Nov 9 18:26:48 2009
@@ -303,6 +303,9 @@
binder.bind(PageRenderLinkSource.class, PageRenderLinkSourceImpl.class);
binder.bind(ClientInfrastructure.class, ClientInfrastructureImpl.class);
binder.bind(URLRewriter.class, URLRewriterImpl.class);
+ binder.bind(Dispatcher.class, AssetProtectionDispatcher.class).withId("AssetProtectionDispatcher");
+ binder.bind(AssetPathAuthorizer.class, WhitelistAuthorizer.class).withId("WhitelistAuthorizer");
+ binder.bind(AssetPathAuthorizer.class, RegexAuthorizer.class).withId("RegexAuthorizer");
}

// ========================================================================
@@ -1548,13 +1551,17 @@
* and forwards onto {@link PageRenderRequestHandler}</dd> <dt>ComponentEvent</dt> <dd>Identifies the {@link
* ComponentEventRequestParameters} and forwards onto the {@link ComponentEventRequestHandler}</dd> </dl>
*/
- public static void contributeMasterDispatcher(OrderedConfiguration<Dispatcher> configuration)
+ public static void contributeMasterDispatcher(OrderedConfiguration<Dispatcher> configuration,
+ @InjectService("AssetProtectionDispatcher") Dispatcher assetProt)
{
// Looks for the root path and renders the start page. This is maintained for compatibility
// with earlier versions of Tapestry 5, it is recommended that an Index page be used instead.

configuration.addInstance("RootPath", RootPathDispatcher.class, "before:Asset");

+ //this goes before asset to make sure that only allowed assets are streamed to the client.
+ configuration.add("AssetProtection", assetProt, "before:Asset");
+
// This goes first because an asset to be streamed may have an file extension, such as
// ".html", that will confuse the later dispatchers.

@@ -2405,4 +2412,41 @@

}

+ /**
+ * Contributes the default set of AssetPathAuthorizers into the AssetProtectionDispatcher.
+ * @param whitelist authorization based on explicit whitelisting.
+ * @param regex authorization based on pattern matching.
+ * @param conf
+ */
+ public static void contributeAssetProtectionDispatcher(
+ @InjectService("WhitelistAuthorizer") AssetPathAuthorizer whitelist,
+ @InjectService("RegexAuthorizer") AssetPathAuthorizer regex,
+ OrderedConfiguration<AssetPathAuthorizer> conf)
+ {
+ //putting whitelist after everything ensures that, in fact, nothing falls through.
+ //also ensures that whitelist gives other authorizers the chance to act...
+ conf.add("regex",regex,"before:whitelist");
+ conf.add("whitelist", whitelist,"after:*");
+ }
+
+ public void contributeRegexAuthorizer(Configuration<String> regex,
+ @Symbol("tapestry.scriptaculous.path") String scriptPath,
+ @Symbol("tapestry.blackbird.path") String blackbirdPath,
+ @Symbol("tapestry.datepicker.path") String datepickerPath)
+ {
+ //allow any js, jpg, jpeg, png, or css under org/chenillekit/tapstry. The funky bit of ([^/.]+/)* is what allows
+ //multiple paths, while not allowing any of those paths to contains ./ or ../ thereby preventing paths like:
+ //org/chenillekit/tapestry/../../../foo.js
+ String pathPattern = "([^/.]+/)*[^/.]+\\.((css)|(js)|(jpg)|(jpeg)|(png)|(gif))$";
+ regex.add("^org/chenillekit/tapestry/" + pathPattern);
+
+ regex.add("^org/apache/tapestry5/" + pathPattern);
+
+ regex.add(blackbirdPath + "/" + pathPattern);
+ regex.add(datepickerPath + "/" + pathPattern);
+ regex.add(scriptPath + "/" + pathPattern);
+ //allow access to virtual assets. Critical for tapestry-combined js files.
+ regex.add("virtual/" + pathPattern);
+ }
+
}

Modified: tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java?rev=834167&r1=834166&r2=834167&view=diff
==============================================================================
--- tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java (original)
+++ tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java Mon Nov 9 18:26:48 2009
@@ -255,4 +255,22 @@
{
configuration.add("ReverseStringsWorker", new ReverseStringsWorker());
}
+
+ public static void contributeRegexAuthorizer(Configuration<String> configuration) {
+ //use this rather than a blanket regex (^.*.jpg$, etc.); want to be sure that tests pass from the default
+ //configuration setup, (eg: this way, I realized that the "virtual" assets folder
+ //needed to be opened up in the tapestry-provided contributions) rather than from some blanket configuration in the appmodule
+ //opening up all css, js, etc. files.
+ //would contribute to whitelist except that the resource path between ctxt and the rest of the path can change.
+ configuration.add("^ctx/[^/]+/css/app\\.css$");
+ configuration.add("^ctx/[^/]+/layout/style\\.css$");
+ configuration.add("^ctx/[^/]+/layout/images/bg\\.gif$");
+ configuration.add("^ctx/[^/]+/layout/images/header\\.gif$");
+ configuration.add("^ctx/[^/]+/layout/images/rightsmall\\.gif$");
+ configuration.add("^ctx/[^/]+/layout/images/rightbig\\.gif$");
+ configuration.add("^ctx/[^/]+/layout/images/bottom\\.gif$");
+ configuration.add("^ctx/[^/]+/layout/images/footer\\.gif$");
+ configuration.add("^ctx/[^/]+/images/tapestry_banner\\.gif$");
+ configuration.add("^ctx/[^/]+/images/asf_logo_wide\\.gif$");
+ }
}

Added: tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java?rev=834167&view=auto
==============================================================================
--- tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java (added)
+++ tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java Mon Nov 9 18:26:48 2009
@@ -0,0 +1,92 @@
+// Copyright 2009 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.apache.tapestry5.internal.services;
+
+import static org.easymock.EasyMock.createMock;
+import static org.easymock.EasyMock.expect;
+import static org.easymock.EasyMock.*;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.tapestry5.internal.services.RequestConstants;
+import org.apache.tapestry5.internal.services.AssetProtectionDispatcher;
+import org.apache.tapestry5.services.ClasspathAssetAliasManager;
+import org.apache.tapestry5.services.Request;
+import org.apache.tapestry5.services.Response;
+import org.apache.tapestry5.services.AssetPathAuthorizer;
+import org.testng.Assert;
+import org.testng.annotations.Test;
+import org.slf4j.Logger;
+
+public class AssetProtectionDispatcherTest extends Assert
+{
+
+ @Test
+ public void ignores_nonassets() throws IOException
+ {
+ //shouldn't need any configuration here...
+ List<AssetPathAuthorizer> auths = Collections.emptyList();
+ Logger logger = createMock(Logger.class);
+ AssetProtectionDispatcher disp = new AssetProtectionDispatcher(auths,null,logger);
+ Request request = createMock(Request.class);
+ expect(request.getPath()).andReturn("start");
+ Response response = createMock(Response.class);
+ replay(request,response,logger);
+ assertFalse(disp.dispatch(request, response));
+ verify(request,response,logger);
+ }
+
+ @Test
+ public void checks_authorizers() throws IOException
+ {
+ Logger logger = createMock(Logger.class);
+ List<AssetPathAuthorizer> auths = new ArrayList<AssetPathAuthorizer>();
+ AssetPathAuthorizer auth = createMock(AssetPathAuthorizer.class);
+
+ expect(auth.order()).andReturn(Arrays.asList(AssetPathAuthorizer.Order.ALLOW, AssetPathAuthorizer.Order.DENY)).times(2);
+
+ expect(auth.accessAllowed("/cayenne.xml")).andReturn(false);
+ expect(auth.accessDenied("/cayenne.xml")).andReturn(true);
+ expect(auth.accessAllowed("/org/apache/tapestry/default.css")).andReturn(true);
+ auths.add(auth);
+
+ logger.debug("Denying access to /cayenne.xml");
+ logger.debug("Allowing access to /org/apache/tapestry/default.css");
+
+ Request request = createMock(Request.class);
+ Response response = createMock(Response.class);
+ expect(request.getPath()).andReturn(RequestConstants.ASSET_PATH_PREFIX + "/cayenne.xml");
+ expect(request.getPath()).andReturn(RequestConstants.ASSET_PATH_PREFIX + "/org/apache/tapestry/default.css");
+ response.sendError(HttpServletResponse.SC_FORBIDDEN, "/cayenne.xml");
+
+ ClasspathAssetAliasManager manager = createMock(ClasspathAssetAliasManager.class);
+ expect(manager.toResourcePath(RequestConstants.ASSET_PATH_PREFIX + "/cayenne.xml")).andReturn("/cayenne.xml");
+ expect(manager.toResourcePath(
+ RequestConstants.ASSET_PATH_PREFIX + "/org/apache/tapestry/default.css"))
+ .andReturn("/org/apache/tapestry/default.css");
+ replay(auth,request,response,manager,logger);
+ AssetProtectionDispatcher disp = new AssetProtectionDispatcher(auths,manager,logger);
+
+ assertTrue(disp.dispatch(request,response));
+ assertFalse(disp.dispatch(request, response));
+ verify(auth,request,response,logger);
+ }
+}

Added: tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RegexAuthorizerTest.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RegexAuthorizerTest.java?rev=834167&view=auto
==============================================================================
--- tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RegexAuthorizerTest.java (added)
+++ tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RegexAuthorizerTest.java Mon Nov 9 18:26:48 2009
@@ -0,0 +1,53 @@
+// Copyright 2009 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.apache.tapestry5.internal.services;
+
+import java.util.Arrays;
+import java.util.List;
+
+import org.testng.Assert;
+import org.testng.annotations.Test;
+import org.apache.tapestry5.internal.services.RegexAuthorizer;
+
+public class RegexAuthorizerTest extends Assert
+{
+
+ @Test
+ public void test_regexes()
+ {
+ List<String> patterns = Arrays.asList("^.*\\.png$","^.*\\.jpg","^.*\\.jpeg");
+ RegexAuthorizer auth = new RegexAuthorizer(patterns);
+ String pkg = "assets/com/saiwaisolutions/resources/";
+ String png = pkg + "foo.png";
+ String jpg = pkg + "foo.jpg";
+ String jpeg = pkg + "foo.jpeg";
+ String xml = pkg + "foo.xml";
+ test(auth,png,true);
+ test(auth,jpg,true);
+ test(auth,jpeg,true);
+ test(auth,xml,false);
+ }
+
+ private static void test(RegexAuthorizer auth, String one,boolean allowed)
+ {
+ assertEquals(auth.accessAllowed(one),allowed);
+ assertEquals(
+ auth.accessAllowed(
+ "http://localhost:8080" + one),
+ allowed);
+ assertFalse(auth.accessDenied(one));
+ assertFalse(auth.accessDenied("http://localhost:8080" + one));
+ }
+}

Added: tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/WhitelistAuthorizerTest.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/WhitelistAuthorizerTest.java?rev=834167&view=auto
==============================================================================
--- tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/WhitelistAuthorizerTest.java (added)
+++ tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/WhitelistAuthorizerTest.java Mon Nov 9 18:26:48 2009
@@ -0,0 +1,45 @@
+// Copyright 2009 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+/*
+ * Created on Jul 28, 2007
+ *
+ *
+ */
+package org.apache.tapestry5.internal.services;
+
+import java.util.Arrays;
+
+import org.testng.Assert;
+import org.testng.annotations.Test;
+import org.apache.tapestry5.internal.services.WhitelistAuthorizer;
+import org.apache.tapestry5.services.AssetPathAuthorizer;
+
+public class WhitelistAuthorizerTest extends Assert {
+
+ @Test
+ public void run()
+ {
+ WhitelistAuthorizer auth = new WhitelistAuthorizer(Arrays.asList("foo"));
+ assertEquals(auth.order().get(0), AssetPathAuthorizer.Order.ALLOW);
+ assertEquals(auth.order().get(1), AssetPathAuthorizer.Order.DENY);
+ assertEquals(auth.order().size(),2);
+ assertTrue(auth.accessAllowed("foo"));
+ assertFalse(auth.accessDenied("foo"));
+
+ assertFalse(auth.accessAllowed("bar"));
+ assertTrue(auth.accessDenied("bar"));
+ }
+
+}

svn commit: r834151 - in /tapestry/tapestry5/trunk: src/site/apt/guide/ tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ tapestry-core/src/main/java/org/apache/tapestry5/services/ tapestry-core/src/test/java/org/apache/tapestry5/inte...

2009-11-09T09:23:18Z

Author: robertdzeigler
Date: Mon Nov 9 17:23:10 2009
New Revision: 834151

URL: http://svn.apache.org/viewvc?rev=834151&view=rev
Log:
TAP5-815: Asset dispatcher allows any file inside the webapp visible and downloadable (5.2 branch)

Added:
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/WhitelistAuthorizer.java
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/AssetPathAuthorizer.java
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RegexAuthorizerTest.java
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/WhitelistAuthorizerTest.java
Modified:
tapestry/tapestry5/trunk/src/site/apt/guide/assets.apt
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java

Modified: tapestry/tapestry5/trunk/src/site/apt/guide/assets.apt
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/src/site/apt/guide/assets.apt?rev=834151&r1=834150&r2=834151&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/src/site/apt/guide/assets.apt (original)
+++ tapestry/tapestry5/trunk/src/site/apt/guide/assets.apt Mon Nov 9 17:23:10 2009
@@ -138,6 +138,31 @@
In addition, context assets will use the URL prefix <<</assets/ctx/>>><app-version><<</>>>.

+Securing Assets
+
+ Securing assets is an important consideration for any web application. Many assets, such as hibernate configuration
+ files, sit in the classpath and are exposable via the Asset service, which is not desirable. To protect these and
+ other sensitive assets, Tapestry provides the AssetProtectionDispatcher. This dispatcher sits in front of the
+ AssetDispatcher, the service responsible for streaming assets to the client, and watches for Asset requests.
+ When an asset request comes in, the protection dispatcher checks for authorization to view the file against a
+ contributed list of AssetPathAuthorizer implementations. Determination of whether the client can view the requested
+ resource is then made based on whether any of the contributed AssetPathAuthorizer implementations explicitly allowed
+ or denied access to the resource.
+
+ Tapestry provides two AssetPathAuthorizer implemenations "out of the box" to which users may contribute: RegexAuthorizer
+ and WhitelistAuthorizer. RegexAuthorizer uses regular expressions to determine assets which are viewable by the
+ client; any assets that match one of its (contributed) regular expressions are authorized. Anything not matched is
+ passed through to the WhitelistAuthorizer. WhitelistAuthorizer uses an exact-matching whitelist. Anything matching
+ exactly one its contributions is allowed; all other asset requests are denied. The default tapestry configuration
+ contributes nothing to WhitelistAuthorizer (access will be denied to all asset requests passed through to it), and
+ explicitly allows access to css, jpg, jpeg, js, png, and gif files associated with tapestry (tapestry.js, blackbird
+ files, date picker files, etc.). The default contribution also enables access to the css, jpg, jpeg, js, png, and gif
+ files provided by the popular chenille-kit 3rd party library. The default configuration denies access to all other
+ assets. To enable access to your application's assets, either contribute a custom AssetPathAnalyzer, or contribute
+ appropriate regular expression or exact path contributions to RegexAuthorizer or WhitelistAuthorizer, respectively.
+ See TapestryModule.contribteRegexAuthorizer for examples.
+
+
Performance Notes

Assets are expected to be entirely static (not changing while the application is deployed). When Tapestry generates a URL
@@ -146,4 +171,4 @@
asset.

In addition, Tapestry will {{{compress.html}GZIP compress}} the content of <all> assets (if the asset
- is compressable, and the client supports it).
\ No newline at end of file
+ is compressable, and the client supports it).

Added: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java?rev=834151&view=auto
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java (added)
+++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcher.java Mon Nov 9 17:23:10 2009
@@ -0,0 +1,92 @@
+// Copyright 2009 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.apache.tapestry5.internal.services;
+
+import java.io.IOException;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.tapestry5.internal.services.RequestConstants;
+import org.apache.tapestry5.services.*;
+import org.slf4j.Logger;
+
+/**
+ * Dispatcher that handles whether to allow or deny access to particular
+ * assets. Actual work of authorizing a particular url is handled by
+ * implementations of AssetPathAuthorizer. Configuration is an ordered
+ * list of AssetPathAuthorizers. Each authorizer specifies an order of
+ * operations as a list (see AssetPathAuthorizer.Order).
+ *
+ */
+public class AssetProtectionDispatcher implements Dispatcher
+{
+
+ private final Collection<AssetPathAuthorizer> authorizers;
+ private final ClasspathAssetAliasManager assetAliasManager;
+ private final Logger logger;
+
+ public AssetProtectionDispatcher(
+ List<AssetPathAuthorizer> auths,
+ ClasspathAssetAliasManager manager,
+ Logger logger)
+ {
+ this.authorizers = Collections.unmodifiableList(auths);
+ this.assetAliasManager = manager;
+ this.logger = logger;
+ }
+
+ public boolean dispatch(Request request, Response response)
+ throws IOException
+ {
+ String path = request.getPath();
+ //we only protect assets, and don't examine any other url's.
+ if (!path.startsWith(RequestConstants.ASSET_PATH_PREFIX))
+ {
+ return false;
+ }
+ String resourcePath = assetAliasManager.toResourcePath(path);
+ for(AssetPathAuthorizer auth : authorizers)
+ {
+ for(AssetPathAuthorizer.Order o : auth.order())
+ {
+ if (o == AssetPathAuthorizer.Order.ALLOW)
+ {
+ if (auth.accessAllowed(resourcePath))
+ {
+ logger.debug("Allowing access to " + resourcePath);
+ return false;
+ }
+ }
+ else
+ {
+ if (auth.accessDenied(resourcePath))
+ {
+ logger.debug("Denying access to " + resourcePath);
+ response.sendError(HttpServletResponse.SC_FORBIDDEN,resourcePath);
+ return true;
+ }
+ }
+ }
+ }
+ //if we get here, no Authorizer had anything useful to say about the resourcePath.
+ //so let it fall through.
+ logger.debug("Fell through the list of authorizers. Allowing access to: " + resourcePath);
+ return false;
+ }
+
+}

Added: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java?rev=834151&view=auto
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java (added)
+++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java Mon Nov 9 17:23:10 2009
@@ -0,0 +1,76 @@
+// Copyright 2009 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.apache.tapestry5.internal.services;
+
+import org.apache.tapestry5.services.AssetPathAuthorizer;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+import java.util.regex.Pattern;
+
+/**
+ * Provides a regex-based authorization scheme for asset-access authorization.
+ * Note that this implementation doesn't actually deny access to anything.
+ * But it's placement within the chain of command of authorizers is just before
+ * the whitelist authorizer, which has an explicit deny policy.
+ * Hence, as long as the whitelist authorizer is being used in conjunction with
+ * the regex authorizer, there is no need to worry about accessDenied in this authorizer.
+ *
+ */
+public class RegexAuthorizer implements AssetPathAuthorizer
+{
+
+ private final Collection<Pattern> _regexes;
+
+ public RegexAuthorizer(final Collection<String> regex)
+ {
+ //an alternate way to construct this would be to make sure that each pattern is grouped
+ //and then to regex or the various patterns together into a single pattern.
+ //that might be faster, but probably not enough to make a difference, and this is cleaner.
+ List<Pattern> tmp = new ArrayList<Pattern>();
+ for(String exp : regex)
+ {
+ tmp.add(Pattern.compile(exp));
+ }
+ _regexes = Collections.unmodifiableCollection(tmp);
+
+ }
+
+ public boolean accessAllowed(String resourcePath)
+ {
+ for(Pattern regex : _regexes)
+ {
+ if (regex.matcher(resourcePath).matches())
+ {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ public boolean accessDenied(String resourcePath)
+ {
+ return false;
+ }
+
+ public List<Order> order()
+ {
+ return Arrays.asList(Order.ALLOW);
+ }
+
+}

Added: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/WhitelistAuthorizer.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/WhitelistAuthorizer.java?rev=834151&view=auto
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/WhitelistAuthorizer.java (added)
+++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/WhitelistAuthorizer.java Mon Nov 9 17:23:10 2009
@@ -0,0 +1,59 @@
+// Copyright 2009 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.apache.tapestry5.internal.services;
+
+import org.apache.tapestry5.services.AssetPathAuthorizer;
+
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+
+/**
+ * AssetPathAuthorizer that determines access rights based on exact matching to a contributed whitelist.
+ * Any resource not explicitly specified in the whitelist is denied access.
+ */
+public class WhitelistAuthorizer implements AssetPathAuthorizer
+{
+
+ public List<Order> order()
+ {
+ return Arrays.asList(Order.ALLOW, Order.DENY);
+ }
+
+ //hash the resource paths for fast lookups.
+ private final Map<String, Boolean> _paths;
+
+ public WhitelistAuthorizer(Collection<String> paths)
+ {
+ _paths = new ConcurrentHashMap<String, Boolean>();
+ for(String path : paths)
+ {
+ _paths.put(path, true);
+ }
+ }
+
+ public boolean accessAllowed(String resourcePath)
+ {
+ return (_paths.containsKey(resourcePath));
+ }
+
+ public boolean accessDenied(String resourcePath)
+ {
+ return !_paths.containsKey(resourcePath);
+ }
+
+}

Added: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/AssetPathAuthorizer.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/AssetPathAuthorizer.java?rev=834151&view=auto
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/AssetPathAuthorizer.java (added)
+++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/AssetPathAuthorizer.java Mon Nov 9 17:23:10 2009
@@ -0,0 +1,76 @@
+// Copyright 2009 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.apache.tapestry5.services;
+
+import java.util.List;
+
+/**
+ * Determines whether access to an asset is allowed, denied, or undetermined.
+ * Each contributed authorizer makes up part of a chain of command for determining access.
+ * Access is explicitly allowed if accessAllowed returns true.
+ * Access is explicitly denied if accessDenied returns true.
+ * Ordering depends on the order specified by the "order" parameter.
+ * Hence, an implementation which specifies an order of:
+ * ALLOW, DENY, and returns true from both accessAllowed and accessDenied
+ * will allow access for all resources. With the same return values for the
+ * access* methods but the order switched to DENY, ALLOW, access to all resources
+ * would be denied. It is possible for an authorizer to have "nothing
+ * to say" regarding a particular resource. If accessAllowed returns false,
+ * it does not mean that access is denied, merely that it is not explicitly allowed.
+ * If accessDenied returns false, it does not mean that access is allowed, merely that
+ * it is not explicitly denied. Hence, if both accessAllowed and accessDenied return false,
+ * control will pass to the next authorizer in the chain.
+ *
+ */
+public interface AssetPathAuthorizer
+{
+
+ /**
+ * Types of orderings, either ALLOW or DENY.
+ */
+ enum Order {ALLOW, DENY;}
+
+ /**
+ * Specify the ordering for this authorizer.
+ * @return the operations for this authorizer.
+ * Operations will be performed in the order returned by the iterator.
+ * It is assumed that the authorizer correctly implements each form of
+ * ordering returned. It is acceptable to only return only ALLOW or DENY.
+ */
+ List<Order> order();
+
+ /**
+ * Determines whether a request to "resourcePath" is allowed.
+ * @param resourcePath
+ * @return true if access is explicitly allowed for the path. False otherwise.
+ * For example, a whitelist implementation would return true if the resource
+ * was listed, and false otherwise. A blacklist implementation would return
+ * false regardless of whether the path was in the blacklist.
+ * Alternatively, if the blacklist specified an order of DENY, ALLOW, it could
+ * return true from accessAllowed if the resource was not explicitly listed in its
+ * blacklist.
+ */
+ boolean accessAllowed(String resourcePath);
+
+ /**
+ *
+ * @param resourcePath
+ * @return true if access is explicitly prohibited for the path. False otherwise.
+ * For example, a whitelist implementation would return true if the resource was
+ * not explicitly listed, and false otherwise. A blacklist implementation would
+ * return true if the resource was explicitly denied, and false otherwise.
+ */
+ boolean accessDenied(String resourcePath);
+}

Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java?rev=834151&r1=834150&r2=834151&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java Mon Nov 9 17:23:10 2009
@@ -305,6 +305,9 @@
binder.bind(PageRenderLinkSource.class, PageRenderLinkSourceImpl.class);
binder.bind(ClientInfrastructure.class, ClientInfrastructureImpl.class);
binder.bind(URLRewriter.class, URLRewriterImpl.class);
+ binder.bind(Dispatcher.class, AssetProtectionDispatcher.class).withId("AssetProtectionDispatcher");
+ binder.bind(AssetPathAuthorizer.class, WhitelistAuthorizer.class).withId("WhitelistAuthorizer");
+ binder.bind(AssetPathAuthorizer.class, RegexAuthorizer.class).withId("RegexAuthorizer");
}

// ========================================================================
@@ -1572,13 +1575,17 @@
* and forwards onto {@link PageRenderRequestHandler}</dd> <dt>ComponentEvent</dt> <dd>Identifies the {@link
* ComponentEventRequestParameters} and forwards onto the {@link ComponentEventRequestHandler}</dd> </dl>
*/
- public static void contributeMasterDispatcher(OrderedConfiguration<Dispatcher> configuration)
+ public static void contributeMasterDispatcher(OrderedConfiguration<Dispatcher> configuration,
+ @InjectService("AssetProtectionDispatcher") Dispatcher assetProt)
{
// Looks for the root path and renders the start page. This is maintained for compatibility
// with earlier versions of Tapestry 5, it is recommended that an Index page be used instead.

configuration.addInstance("RootPath", RootPathDispatcher.class, "before:Asset");

+ //this goes before asset to make sure that only allowed assets are streamed to the client.
+ configuration.add("AssetProtection", assetProt, "before:Asset");
+
// This goes first because an asset to be streamed may have an file extension, such as
// ".html", that will confuse the later dispatchers.

@@ -1591,6 +1598,7 @@
configuration.addInstance("PageRender", PageRenderDispatcher.class);
}

+
/**
* Contributes a default object renderer for type Object, plus specialized renderers for {@link
* org.apache.tapestry5.services.Request}, {@link org.apache.tapestry5.ioc.Location}, {@link
@@ -2480,4 +2488,41 @@
};
}

+ /**
+ * Contributes the default set of AssetPathAuthorizers into the AssetProtectionDispatcher.
+ * @param whitelist authorization based on explicit whitelisting.
+ * @param regex authorization based on pattern matching.
+ * @param conf
+ */
+ public static void contributeAssetProtectionDispatcher(
+ @InjectService("WhitelistAuthorizer") AssetPathAuthorizer whitelist,
+ @InjectService("RegexAuthorizer") AssetPathAuthorizer regex,
+ OrderedConfiguration<AssetPathAuthorizer> conf)
+ {
+ //putting whitelist after everything ensures that, in fact, nothing falls through.
+ //also ensures that whitelist gives other authorizers the chance to act...
+ conf.add("regex",regex,"before:whitelist");
+ conf.add("whitelist", whitelist,"after:*");
+ }
+
+ public void contributeRegexAuthorizer(Configuration<String> regex,
+ @Symbol("tapestry.scriptaculous.path") String scriptPath,
+ @Symbol("tapestry.blackbird.path") String blackbirdPath,
+ @Symbol("tapestry.datepicker.path") String datepickerPath)
+ {
+ //allow any js, jpg, jpeg, png, or css under org/chenillekit/tapstry. The funky bit of ([^/.]+/)* is what allows
+ //multiple paths, while not allowing any of those paths to contains ./ or ../ thereby preventing paths like:
+ //org/chenillekit/tapestry/../../../foo.js
+ String pathPattern = "([^/.]+/)*[^/.]+\\.((css)|(js)|(jpg)|(jpeg)|(png)|(gif))$";
+ regex.add("^org/chenillekit/tapestry/" + pathPattern);
+
+ regex.add("^org/apache/tapestry5/" + pathPattern);
+
+ regex.add(blackbirdPath + "/" + pathPattern);
+ regex.add(datepickerPath + "/" + pathPattern);
+ regex.add(scriptPath + "/" + pathPattern);
+ //allow access to virtual assets. Critical for tapestry-combined js files.
+ regex.add("virtual/" + pathPattern);
+ }
+
}

Modified: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java?rev=834151&r1=834150&r2=834151&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java Mon Nov 9 17:23:10 2009
@@ -257,4 +257,22 @@
{
configuration.add("ReverseStringsWorker", new ReverseStringsWorker());
}
+
+ public static void contributeRegexAuthorizer(Configuration<String> configuration) {
+ //use this rather than a blanket regex (^.*.jpg$, etc.); want to be sure that tests pass from the default
+ //configuration setup, (eg: this way, I realized that the "virtual" assets folder
+ //needed to be opened up in the tapestry-provided contributions) rather than from some blanket configuration in the appmodule
+ //opening up all css, js, etc. files.
+ //would contribute to whitelist except that the resource path between ctxt and the rest of the path can change.
+ configuration.add("^ctx/[^/]+/css/app\\.css$");
+ configuration.add("^ctx/[^/]+/layout/style\\.css$");
+ configuration.add("^ctx/[^/]+/layout/images/bg\\.gif$");
+ configuration.add("^ctx/[^/]+/layout/images/header\\.gif$");
+ configuration.add("^ctx/[^/]+/layout/images/rightsmall\\.gif$");
+ configuration.add("^ctx/[^/]+/layout/images/rightbig\\.gif$");
+ configuration.add("^ctx/[^/]+/layout/images/bottom\\.gif$");
+ configuration.add("^ctx/[^/]+/layout/images/footer\\.gif$");
+ configuration.add("^ctx/[^/]+/images/tapestry_banner\\.gif$");
+ configuration.add("^ctx/[^/]+/images/asf_logo_wide\\.gif$");
+ }
}

Added: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java?rev=834151&view=auto
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java (added)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/AssetProtectionDispatcherTest.java Mon Nov 9 17:23:10 2009
@@ -0,0 +1,92 @@
+// Copyright 2009 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.apache.tapestry5.internal.services;
+
+import static org.easymock.EasyMock.createMock;
+import static org.easymock.EasyMock.expect;
+import static org.easymock.EasyMock.*;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.tapestry5.internal.services.RequestConstants;
+import org.apache.tapestry5.internal.services.AssetProtectionDispatcher;
+import org.apache.tapestry5.services.ClasspathAssetAliasManager;
+import org.apache.tapestry5.services.Request;
+import org.apache.tapestry5.services.Response;
+import org.apache.tapestry5.services.AssetPathAuthorizer;
+import org.testng.Assert;
+import org.testng.annotations.Test;
+import org.slf4j.Logger;
+
+public class AssetProtectionDispatcherTest extends Assert
+{
+
+ @Test
+ public void ignores_nonassets() throws IOException
+ {
+ //shouldn't need any configuration here...
+ List<AssetPathAuthorizer> auths = Collections.emptyList();
+ Logger logger = createMock(Logger.class);
+ AssetProtectionDispatcher disp = new AssetProtectionDispatcher(auths,null,logger);
+ Request request = createMock(Request.class);
+ expect(request.getPath()).andReturn("start");
+ Response response = createMock(Response.class);
+ replay(request,response,logger);
+ assertFalse(disp.dispatch(request, response));
+ verify(request,response,logger);
+ }
+
+ @Test
+ public void checks_authorizers() throws IOException
+ {
+ Logger logger = createMock(Logger.class);
+ List<AssetPathAuthorizer> auths = new ArrayList<AssetPathAuthorizer>();
+ AssetPathAuthorizer auth = createMock(AssetPathAuthorizer.class);
+
+ expect(auth.order()).andReturn(Arrays.asList(AssetPathAuthorizer.Order.ALLOW, AssetPathAuthorizer.Order.DENY)).times(2);
+
+ expect(auth.accessAllowed("/cayenne.xml")).andReturn(false);
+ expect(auth.accessDenied("/cayenne.xml")).andReturn(true);
+ expect(auth.accessAllowed("/org/apache/tapestry/default.css")).andReturn(true);
+ auths.add(auth);
+
+ logger.debug("Denying access to /cayenne.xml");
+ logger.debug("Allowing access to /org/apache/tapestry/default.css");
+
+ Request request = createMock(Request.class);
+ Response response = createMock(Response.class);
+ expect(request.getPath()).andReturn(RequestConstants.ASSET_PATH_PREFIX + "/cayenne.xml");
+ expect(request.getPath()).andReturn(RequestConstants.ASSET_PATH_PREFIX + "/org/apache/tapestry/default.css");
+ response.sendError(HttpServletResponse.SC_FORBIDDEN, "/cayenne.xml");
+
+ ClasspathAssetAliasManager manager = createMock(ClasspathAssetAliasManager.class);
+ expect(manager.toResourcePath(RequestConstants.ASSET_PATH_PREFIX + "/cayenne.xml")).andReturn("/cayenne.xml");
+ expect(manager.toResourcePath(
+ RequestConstants.ASSET_PATH_PREFIX + "/org/apache/tapestry/default.css"))
+ .andReturn("/org/apache/tapestry/default.css");
+ replay(auth,request,response,manager,logger);
+ AssetProtectionDispatcher disp = new AssetProtectionDispatcher(auths,manager,logger);
+
+ assertTrue(disp.dispatch(request,response));
+ assertFalse(disp.dispatch(request, response));
+ verify(auth,request,response,logger);
+ }
+}

Added: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RegexAuthorizerTest.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RegexAuthorizerTest.java?rev=834151&view=auto
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RegexAuthorizerTest.java (added)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/RegexAuthorizerTest.java Mon Nov 9 17:23:10 2009
@@ -0,0 +1,53 @@
+// Copyright 2009 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package org.apache.tapestry5.internal.services;
+
+import java.util.Arrays;
+import java.util.List;
+
+import org.testng.Assert;
+import org.testng.annotations.Test;
+import org.apache.tapestry5.internal.services.RegexAuthorizer;
+
+public class RegexAuthorizerTest extends Assert
+{
+
+ @Test
+ public void test_regexes()
+ {
+ List<String> patterns = Arrays.asList("^.*\\.png$","^.*\\.jpg","^.*\\.jpeg");
+ RegexAuthorizer auth = new RegexAuthorizer(patterns);
+ String pkg = "assets/com/saiwaisolutions/resources/";
+ String png = pkg + "foo.png";
+ String jpg = pkg + "foo.jpg";
+ String jpeg = pkg + "foo.jpeg";
+ String xml = pkg + "foo.xml";
+ test(auth,png,true);
+ test(auth,jpg,true);
+ test(auth,jpeg,true);
+ test(auth,xml,false);
+ }
+
+ private static void test(RegexAuthorizer auth, String one,boolean allowed)
+ {
+ assertEquals(auth.accessAllowed(one),allowed);
+ assertEquals(
+ auth.accessAllowed(
+ "http://localhost:8080" + one),
+ allowed);
+ assertFalse(auth.accessDenied(one));
+ assertFalse(auth.accessDenied("http://localhost:8080" + one));
+ }
+}

Added: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/WhitelistAuthorizerTest.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/WhitelistAuthorizerTest.java?rev=834151&view=auto
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/WhitelistAuthorizerTest.java (added)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/WhitelistAuthorizerTest.java Mon Nov 9 17:23:10 2009
@@ -0,0 +1,45 @@
+// Copyright 2009 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+/*
+ * Created on Jul 28, 2007
+ *
+ *
+ */
+package org.apache.tapestry5.internal.services;
+
+import java.util.Arrays;
+
+import org.testng.Assert;
+import org.testng.annotations.Test;
+import org.apache.tapestry5.internal.services.WhitelistAuthorizer;
+import org.apache.tapestry5.services.AssetPathAuthorizer;
+
+public class WhitelistAuthorizerTest extends Assert {
+
+ @Test
+ public void run()
+ {
+ WhitelistAuthorizer auth = new WhitelistAuthorizer(Arrays.asList("foo"));
+ assertEquals(auth.order().get(0), AssetPathAuthorizer.Order.ALLOW);
+ assertEquals(auth.order().get(1), AssetPathAuthorizer.Order.DENY);
+ assertEquals(auth.order().size(),2);
+ assertTrue(auth.accessAllowed("foo"));
+ assertFalse(auth.accessDenied("foo"));
+
+ assertFalse(auth.accessAllowed("bar"));
+ assertTrue(auth.accessDenied("bar"));
+ }
+
+}

Re: TemplateParseException: Tag <> on line xxx contains more than one 'y' attribute.

2009-11-09T08:52:48Z

Please take this to the users mailing list; this is the developer
list, used to discuss framework development (not user support). You'll
get a faster answer there.

On Mon, Nov 9, 2009 at 7:02 AM, Rayden30
<dmourereau.ext@...> wrote:

>
> Hello,
>
>
> First I m a beginer in Tapestry... Actually I m developping a webview which
> has to display an ordered array as below:
>
> Root 1
> Root 2
> Root 3
> |----Child1
> |----Child2
> |---Child 2.1
> |---Child 2.2
> ....
> ...
>
> My code in local working perfectly... However when I intrated in my tapestry
> application it idisplays the following exception:
>
> Tag <> on line 158 contains more than one 'valuebool' attribute.
>
> I checked on webview and there is no tags which are using this variable
> name. I try to rename in toto. And the results is the same:
>
> Below you can see the code:
>
> In bold where Apache detects an exception.
>
> function clear(result)
> {
>
> var res= result.replace('"','');
> var res= res.replace('"','');
> var res= res.replace('[','');
> var res= res.replace(']','');
> var res= res.replace('[','');
> var res= res.replace(']','');
>
> return res;
>
> }
> function who_is_root(tab_result)
> {
>
> var i=3;
> var root=new Array();
> var y=0;
> var valuebool;
> var z;
> while (i < tab_result.length)
> {
>
> var id_parent=clear(tab_result[i]);
> valuebool=false;
> z=1;
>
>
> while (z < tab_result.length)
> {
> if(clear(tab_result[z])==id_parent)
> {
> // An exception is up
>
> valuebool=true;
>
> }
> //Sometimes the exception is up for z variables
> z=z+4;
>
> }
>
> if (!valuebool)
> {
>
> root[y]=clear(tab_result[i-3]);
> root[y+1]=clear(tab_result[i-2]);
> root[y+2]=clear(tab_result[i-1]);
> root[y+3]=clear(tab_result[i]);
>
> y=y+4;
> }
>
> i=i+4;
>
> }
>
> return(root);
>
> }
>
> function afficher_enfant(id_root,y,result)
> {
>
>
>
> if (y <result.length)
> {
>
>
> if(id_root==clear(result[y]))
> {
> //Afficher l'enfant ci-dessous
> document.write("<tr>");
> document.write("<td>" + clear(result[y-3]) + "</td>");
> document.write("<td>" + clear(result[y-2]) + "</td>");
> document.write("<td>" + clear(result[y-1]) + "</td>");
> document.write("<td>" + clear(result[y]) + "</td>");
> document.write("</tr>");
>
> }
>
> y=y+4;
>
> afficher_enfant(id_root,y,result);
>
> }
>
> }
>
>
>
>
> function afficher_ma_config(code,result)
> {
> result=result.split(",");
> var tab_root=who_is_root(result);
>
> var i=1;
>
> document.write("<table align='center' class='tablesorter'>");
> document.write("<thead><tr ><td>Zone
> List</td></tr><tr><th>Name</th><th>ID</th><th>Type</th><th>Parents</th></tr></thead>");
> document.write("<tbody>");
>
> while(i<tab_root.length)
> {
>
> document.write("<tr>");
> document.write("<td>" + clear(tab_root[i-1]) + "</td>");
> document.write("<td>" + clear(tab_root[i]) + "</td>");
> document.write("<td>" + clear(tab_root[i+1]) + "</td>");
> document.write("<td>" + clear(tab_root[i+2]) + "</td>");
> document.write("</tr>");
> afficher_enfant(tab_root[i],3,result);
>
> i=i+4;
>
> }
>
> document.write("</tbody>");
> document.write("</table>");
>
> }
>
> var reqparam="http://10.192.168.2/zones/list";
>
>
> triggerAction('listrules',[reqparam],afficher_ma_config,'text/html');
>
>
> Thank you for answering to this question,
>
> I think this subject was already underlined in either part of this forum
>
> Best Regards,
>
>
> --
> View this message in context: http://old.nabble.com/TemplateParseException%3A-Tag-%3C%3E-on-line-xxx-contains-more-than-one-%27y%27-attribute.-tp26267695p26267695.html
> Sent from the Tapestry - Dev mailing list archive at Nabble.com.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@...
> For additional commands, e-mail: dev-help@...
>
>

--
Howard M. Lewis Ship

Creator of Apache Tapestry

The source for Tapestry training, mentoring and support. Contact me to
learn how I can get you up and productive in Tapestry fast!

(971) 678-5210
http://howardlewisship.com

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@...
For additional commands, e-mail: dev-help@...

TemplateParseException: Tag <> on line xxx contains more than one 'y' attribute.

2009-11-09T07:01:28Z

Hello,

First I m a beginer in Tapestry... Actually I m developping a webview which has to display an ordered array as below:

Root 1
Root 2
Root 3
|----Child1
|----Child2
|---Child 2.1
|---Child 2.2
....
...

My code in local working perfectly... However when I intrated in my tapestry application it idisplays the following exception:

Tag <> on line 158 contains more than one 'valuebool' attribute.

I checked on webview and there is no tags which are using this variable name. I try to rename in toto. And the results is the same:

Below you can see the code:

In bold where Apache detects an exception.

function clear(result)
{

var res= result.replace('"','');
var res= res.replace('"','');
var res= res.replace('[','');
var res= res.replace(']','');
var res= res.replace('[','');
var res= res.replace(']','');

return res;

}
function who_is_root(tab_result)
{

var i=3;
var root=new Array();
var y=0;
var valuebool;
var z;
while (i < tab_result.length)
{

var id_parent=clear(tab_result[i]);
valuebool=false;
z=1;

while (z < tab_result.length)
{
if(clear(tab_result[z])==id_parent)
{
// An exception is up

valuebool=true;

}
//Sometimes the exception is up for z variables
z=z+4;

}

if (!valuebool)
{

root[y]=clear(tab_result[i-3]);
root[y+1]=clear(tab_result[i-2]);
root[y+2]=clear(tab_result[i-1]);
root[y+3]=clear(tab_result[i]);

y=y+4;
}

i=i+4;

}

return(root);

}

function afficher_enfant(id_root,y,result)
{

if (y <result.length)
{

if(id_root==clear(result[y]))
{
//Afficher l'enfant ci-dessous
document.write("<tr>");
document.write("<td>" + clear(result[y-3]) + "</td>");
document.write("<td>" + clear(result[y-2]) + "</td>");
document.write("<td>" + clear(result[y-1]) + "</td>");
document.write("<td>" + clear(result[y]) + "</td>");
document.write("</tr>");

}

y=y+4;

afficher_enfant(id_root,y,result);

}

}

function afficher_ma_config(code,result)
{
result=result.split(",");
var tab_root=who_is_root(result);

var i=1;

document.write("<table align='center' class='tablesorter'>");
document.write("<thead><tr ><td>Zone List</td></tr><tr><th>Name</th><th>ID</th><th>Type</th><th>Parents</th></tr></thead>");
document.write("<tbody>");

while(i<tab_root.length)
{

document.write("<tr>");
document.write("<td>" + clear(tab_root[i-1]) + "</td>");
document.write("<td>" + clear(tab_root[i]) + "</td>");
document.write("<td>" + clear(tab_root[i+1]) + "</td>");
document.write("<td>" + clear(tab_root[i+2]) + "</td>");
document.write("</tr>");
afficher_enfant(tab_root[i],3,result);

i=i+4;

}

document.write("</tbody>");
document.write("</table>");

}

var reqparam="http://10.192.168.2/zones/list";

triggerAction('listrules',[reqparam],afficher_ma_config,'text/html');

Thank you for answering to this question,

I think this subject was already underlined in either part of this forum

Best Regards,

[jira] Commented: (TAP5-633) Allow page classes to have a "Page" suffix that is not included in the URL

2009-11-09T04:36:32Z

[ https://issues.apache.org/jira/browse/TAP5-633?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12774946#action_12774946 ]

Paul Field commented on TAP5-633:
---------------------------------

Thanks for the URL rewriting idea - I've tried it out quickly but I wasn't keen that I still had to use the Page postfix in the .tml files (e.g. when creating a link to the page) - I think that would be confusing.

I also had a quick go at advising ComponentClassResolver, but I realised that when Tapestry reports the list of known components (on startup and on exception pages) it would still list the paths including the "Page" postfix - which, again, I think would be confusing.

> Allow page classes to have a "Page" suffix that is not included in the URL
> --------------------------------------------------------------------------
>
> Key: TAP5-633
> URL: https://issues.apache.org/jira/browse/TAP5-633
> Project: Tapestry 5
> Issue Type: Improvement
> Components: tapestry-core
> Affects Versions: 5.1.0.2
> Reporter: Paul Field
> Priority: Minor
>
> I have an application with a lot of read-only pages. For example, I have a page that shows a company and I would like a URI such as: /company/1234
> However, if I name the page class "Company" then I get a naming clash with the domain object "Company". What I would like to do is call the Tapestry 5 class "CompanyPage" - after all, that is what the class represents and it's certainly how the team refers to that thing internally and with our business (i.e. "Have you seen the new company page?").
> So, please could the ComponentClassResolverImpl remove the suffix "Page" (if it exists) from the class name when it constructs the logical page name?

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

svn commit: r833930 - /tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/corelib/components/Select.java

2009-11-08T13:32:01Z

Author: drobiazko
Date: Sun Nov 8 21:32:00 2009
New Revision: 833930

URL: http://svn.apache.org/viewvc?rev=833930&view=rev
Log:
TAP5-138: Add Zone parameter to Select component

Modified:
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/corelib/components/Select.java

Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/corelib/components/Select.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/corelib/components/Select.java?rev=833930&r1=833929&r2=833930&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/corelib/components/Select.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/corelib/components/Select.java Sun Nov 8 21:32:00 2009
@@ -128,6 +128,13 @@
@Parameter(required = true, principal = true, autoconnect = true)
private Object value;

+ /**
+ * Binding the zone parameter will cause any change of Select's value to be handled as an Ajax request that updates the
+ * indicated zone. The component will trigger the event {@link EventConstants#VALUE_CHANGED} to inform its
+ * container that Select's value has changed.
+ *
+ * @since 5.2.0.0
+ */
@Parameter(defaultPrefix = BindingConstants.LITERAL)
private String zone;

[jira] Updated: (TAP5-734) Tapestry tutorial documentation refers to old archtype command

2009-11-08T13:25:32Z

[ https://issues.apache.org/jira/browse/TAP5-734?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Igor Drobiazko updated TAP5-734:
--------------------------------

Fix Version/s: (was: 5.2)
5.2.0.0
Affects Version/s: (was: 5.1.0.5)
(was: 5.2)
5.2.0.0

> Tapestry tutorial documentation refers to old archtype command
> --------------------------------------------------------------
>
> Key: TAP5-734
> URL: https://issues.apache.org/jira/browse/TAP5-734
> Project: Tapestry 5
> Issue Type: Bug
> Components: documentation
> Affects Versions: 5.2.0.0
> Reporter: Ben Gidley
> Assignee: Ted Steen
> Fix For: 5.2.0.0
>
> Attachments: 0001-Fixed-archetype-line.patch
>
>
> The tapestry tutorial build instructions refer to the old archtype command

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Updated: (TAP5-819) remove ide-specific files from all sub-modules and add them to svn:ignore

2009-11-08T13:23:32Z

[ https://issues.apache.org/jira/browse/TAP5-819?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Igor Drobiazko updated TAP5-819:
--------------------------------

Fix Version/s: (was: 5.2)
5.2.0.0

> remove ide-specific files from all sub-modules and add them to svn:ignore
> -------------------------------------------------------------------------
>
> Key: TAP5-819
> URL: https://issues.apache.org/jira/browse/TAP5-819
> Project: Tapestry 5
> Issue Type: Task
> Reporter: Ulrich Stärk
> Assignee: Kevin Menard
> Priority: Minor
> Fix For: 5.2.0.0
>
>
> remove ide-specific files from all sub-modules and add them to svn:ignore, along with any output directories like target.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Updated: (TAP5-807) PageRenderLinkSource should add additional methods for creating a Link when you have the page's activation context as an EventContext

2009-11-08T13:23:32Z

[ https://issues.apache.org/jira/browse/TAP5-807?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Igor Drobiazko updated TAP5-807:
--------------------------------

Fix Version/s: (was: 5.2)
5.2.0.0

> PageRenderLinkSource should add additional methods for creating a Link when you have the page's activation context as an EventContext
> -------------------------------------------------------------------------------------------------------------------------------------
>
> Key: TAP5-807
> URL: https://issues.apache.org/jira/browse/TAP5-807
> Project: Tapestry 5
> Issue Type: Improvement
> Components: tapestry-core
> Affects Versions: 5.1.0.5
> Reporter: Howard M. Lewis Ship
> Assignee: Ted Steen
> Priority: Minor
> Fix For: 5.2.0.0
>
>

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Updated: (TAP5-764) Hidden should support ClientElement and support informal parameters.

2009-11-08T13:23:32Z

[ https://issues.apache.org/jira/browse/TAP5-764?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Igor Drobiazko updated TAP5-764:
--------------------------------

Fix Version/s: (was: 5.2)
5.2.0.0

> Hidden should support ClientElement and support informal parameters.
> --------------------------------------------------------------------
>
> Key: TAP5-764
> URL: https://issues.apache.org/jira/browse/TAP5-764
> Project: Tapestry 5
> Issue Type: Improvement
> Affects Versions: 5.1.0.5
> Reporter: Norman Franke
> Assignee: Ted Steen
> Fix For: 5.2.0.0
>
>
> Per our discussion on the mailing list:
> The hidden component needs to support ClientElement and it should pass through informal parameters, e.g. "id".

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Closed: (TAP5-138) Add Zone parameter to Select component

2009-11-08T13:21:32Z

[ https://issues.apache.org/jira/browse/TAP5-138?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Igor Drobiazko closed TAP5-138.
-------------------------------

Resolution: Fixed
Fix Version/s: 5.2.0.0

> Add Zone parameter to Select component
> --------------------------------------
>
> Key: TAP5-138
> URL: https://issues.apache.org/jira/browse/TAP5-138
> Project: Tapestry 5
> Issue Type: New Feature
> Affects Versions: 5.0.15
> Reporter: Geoff Callender
> Assignee: Igor Drobiazko
> Fix For: 5.2.0.0
>
>
> Add AJAX ability to selection in a Select component to allow the classic chaining of Select components.
> Eg. for filtering car advertisements: 3 Select components - Brand, Make, Model. Choosing a Brand causes the Make to be enabled, showing the possible makes. Similarly, choosing a Make causes the Model to be enabled, showing the possible models.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Closed: (TAP5-896) Contribute 'properties' file extension to the configuration of ResourceDigestGenerator

2009-11-08T13:21:32Z

[ https://issues.apache.org/jira/browse/TAP5-896?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Igor Drobiazko closed TAP5-896.
-------------------------------

Resolution: Fixed
Fix Version/s: 5.2.0.0

> Contribute 'properties' file extension to the configuration of ResourceDigestGenerator
> --------------------------------------------------------------------------------------
>
> Key: TAP5-896
> URL: https://issues.apache.org/jira/browse/TAP5-896
> Project: Tapestry 5
> Issue Type: Bug
> Components: tapestry-core
> Affects Versions: 5.1.0.5
> Reporter: Igor Drobiazko
> Assignee: Igor Drobiazko
> Priority: Blocker
> Fix For: 5.2.0.0
>
>
> This is a partly solution for TAP5-815 (only for *.properties files).

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Updated: (TAP5-913) java.lang.VerifyError Stack size too large

2009-11-08T13:21:32Z

[ https://issues.apache.org/jira/browse/TAP5-913?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Igor Drobiazko updated TAP5-913:
--------------------------------

Fix Version/s: (was: 5.2)
5.2.0.0
Affects Version/s: (was: 5.2)
5.2.0.0

> java.lang.VerifyError Stack size too large
> ------------------------------------------
>
> Key: TAP5-913
> URL: https://issues.apache.org/jira/browse/TAP5-913
> Project: Tapestry 5
> Issue Type: Bug
> Components: tapestry-core
> Affects Versions: 5.2.0.0
> Reporter: Dmitry Gusev
> Assignee: Kevin Menard
> Fix For: 5.2.0.0
>
> Attachments: 0001-Fixes-java.lang.VerifyError-Stack-size-too-large.patch
>
>
> java.lang.VerifyError: (class: org/apache/tapestry5/internal/antlr/PropertyExpressionLexer, method: mDECIMAL signature: ()V) Stack size too large
> This error could be with mDECIMAL method as well as with mRANGEOP, mINTEGER, mREDEF
> As I found out this might be because of unnecessary code: http://forums.terracotta.org/forums/posts/list/872.page
> -------
> Windows Vista 32
> Google AppEngine SDK 1.2.6
> java version "1.6.0_15"
> Java(TM) SE Runtime Environment (build 1.6.0_15-b03)
> Java HotSpot(TM) Client VM (build 14.1-b02, mixed mode, sharing)
> Stack trace:
> HTTP ERROR: 500
> (class: org/apache/tapestry5/internal/antlr/PropertyExpressionLexer, method: mDECIMAL signature: ()V) Stack size too large
> RequestURI=/welcome
> Caused by:
> java.lang.VerifyError: (class: org/apache/tapestry5/internal/antlr/PropertyExpressionLexer, method: mDECIMAL signature: ()V) Stack size too large
> at org.apache.tapestry5.internal.services.PropertyConduitSourceImpl.parse(PropertyConduitSourceImpl.java:1230)
> at org.apache.tapestry5.internal.services.PropertyConduitSourceImpl.build(PropertyConduitSourceImpl.java:1125)
> at org.apache.tapestry5.internal.services.PropertyConduitSourceImpl.create(PropertyConduitSourceImpl.java:1081)
> at $PropertyConduitSource_1249b3a8cbc.create($PropertyConduitSource_1249b3a8cbc.java)
> at org.apache.tapestry5.internal.bindings.PropBindingFactory.newBinding(PropBindingFactory.java:49)
> at $BindingFactory_1249b3a8cbd.newBinding($BindingFactory_1249b3a8cbd.java)
> at $BindingFactory_1249b3a8cb5.newBinding($BindingFactory_1249b3a8cb5.java)
> at org.apache.tapestry5.internal.services.BindingSourceImpl.newBinding(BindingSourceImpl.java:81)
> at $BindingSource_1249b3a8c93.newBinding($BindingSource_1249b3a8c93.java)
> at org.apache.tapestry5.internal.services.PageElementFactoryImpl.newBinding(PageElementFactoryImpl.java:184)
> at $PageElementFactory_1249b3a8caf.newBinding($PageElementFactory_1249b3a8caf.java)
> at org.apache.tapestry5.internal.pageload.PageLoaderImpl$10.execute(PageLoaderImpl.java:859)
> at org.apache.tapestry5.internal.pageload.ComponentAssemblerImpl.runActions(ComponentAssemblerImpl.java:207)
> at org.apache.tapestry5.internal.pageload.ComponentAssemblerImpl.assembleRootComponent(ComponentAssemblerImpl.java:88)
> at org.apache.tapestry5.internal.pageload.PageLoaderImpl.loadPage(PageLoaderImpl.java:159)
> at $PageLoader_1249b3a8ca0.loadPage($PageLoader_1249b3a8ca0.java)
> at org.apache.tapestry5.internal.services.PagePoolCache.checkout(PagePoolCache.java:210)
> at org.apache.tapestry5.internal.services.PagePoolImpl.checkout(PagePoolImpl.java:99)
> at $PagePool_1249b3a8c9f.checkout($PagePool_1249b3a8c9f.java)
> at org.apache.tapestry5.internal.services.RequestPageCacheImpl.get(RequestPageCacheImpl.java:51)
> at $RequestPageCache_1249b3a8c9e.get($RequestPageCache_1249b3a8c9e.java)
> at $RequestPageCache_1249b3a8c86.get($RequestPageCache_1249b3a8c86.java)
> at org.apache.tapestry5.internal.services.DefaultRequestExceptionHandler.handleRequestException(DefaultRequestExceptionHandler.java:69)
> at $RequestExceptionHandler_1249b3a8c71.handleRequestException($RequestExceptionHandler_1249b3a8c71.java)
> at org.apache.tapestry5.internal.services.RequestErrorFilter.service(RequestErrorFilter.java:42)
> at $RequestHandler_1249b3a8c73.service($RequestHandler_1249b3a8c73.java)
> at org.apache.tapestry5.services.TapestryModule$4.service(TapestryModule.java:791)
> at $RequestHandler_1249b3a8c73.service($RequestHandler_1249b3a8c73.java)
> at org.apache.tapestry5.services.TapestryModule$3.service(TapestryModule.java:780)
> at $RequestHandler_1249b3a8c73.service($RequestHandler_1249b3a8c73.java)
> at org.apache.tapestry5.internal.services.StaticFilesFilter.service(StaticFilesFilter.java:85)
> at $RequestHandler_1249b3a8c73.service($RequestHandler_1249b3a8c73.java)
> at dmitrygusev.ping.services.AppModule$1.service(AppModule.java:138)
> at $RequestFilter_1249b3a8c6d.service($RequestFilter_1249b3a8c6d.java)
> at $RequestHandler_1249b3a8c73.service($RequestHandler_1249b3a8c73.java)
> at dmitrygusev.ping.services.AppModule$2.service(AppModule.java:190)
> at $RequestFilter_1249b3a8c6e.service($RequestFilter_1249b3a8c6e.java)
> at $RequestHandler_1249b3a8c73.service($RequestHandler_1249b3a8c73.java)
> at org.apache.tapestry5.internal.services.CheckForUpdatesFilter$2.invoke(CheckForUpdatesFilter.java:90)
> at org.apache.tapestry5.internal.services.CheckForUpdatesFilter$2.invoke(CheckForUpdatesFilter.java:80)
> at org.apache.tapestry5.ioc.internal.util.ConcurrentBarrier.withRead(ConcurrentBarrier.java:85)
> at org.apache.tapestry5.internal.services.CheckForUpdatesFilter.service(CheckForUpdatesFilter.java:103)
> at $RequestHandler_1249b3a8c73.service($RequestHandler_1249b3a8c73.java)
> at $RequestHandler_1249b3a8c67.service($RequestHandler_1249b3a8c67.java)
> at org.apache.tapestry5.services.TapestryModule$HttpServletRequestHandlerTerminator.service(TapestryModule.java:199)
> at org.apache.tapestry5.internal.gzip.GZipFilter.service(GZipFilter.java:53)
> at $HttpServletRequestHandler_1249b3a8c69.service($HttpServletRequestHandler_1249b3a8c69.java)
> at org.apache.tapestry5.internal.services.IgnoredPathsFilter.service(IgnoredPathsFilter.java:62)
> at $HttpServletRequestFilter_1249b3a8c66.service($HttpServletRequestFilter_1249b3a8c66.java)
> at $HttpServletRequestHandler_1249b3a8c69.service($HttpServletRequestHandler_1249b3a8c69.java)
> at org.apache.tapestry5.services.TapestryModule$2.service(TapestryModule.java:739)
> at $HttpServletRequestHandler_1249b3a8c69.service($HttpServletRequestHandler_1249b3a8c69.java)
> at $HttpServletRequestHandler_1249b3a8c64.service($HttpServletRequestHandler_1249b3a8c64.java)
> at org.apache.tapestry5.TapestryFilter.doFilter(TapestryFilter.java:127)
> at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
> at com.google.apphosting.utils.servlet.TransactionCleanupFilter.doFilter(TransactionCleanupFilter.java:43)
> at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
> at com.google.appengine.tools.development.StaticFileFilter.doFilter(StaticFileFilter.java:121)
> at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
> at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
> at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
> at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
> at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:712)
> at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405)
> at com.google.apphosting.utils.jetty.DevAppEngineWebAppContext.handle(DevAppEngineWebAppContext.java:54)
> at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
> at com.google.appengine.tools.development.JettyContainerService$ApiProxyHandler.handle(JettyContainerService.java:342)
> at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
> at org.mortbay.jetty.Server.handle(Server.java:313)
> at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:506)
> at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:830)
> at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:514)
> at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
> at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:381)
> at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:396)
> at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)
> Powered by Jetty://

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

svn commit: r833929 - /tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java

2009-11-08T13:19:25Z

Author: drobiazko
Date: Sun Nov 8 21:19:23 2009
New Revision: 833929

URL: http://svn.apache.org/viewvc?rev=833929&view=rev
Log:
TAP5-896: Contribute 'properties' file extension to the configuration of ResourceDigestGenerator

Modified:
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java

Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java?rev=833929&r1=833928&r2=833929&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java Sun Nov 8 21:19:23 2009
@@ -1979,7 +1979,7 @@
* <p/>
* The extensions must be all lower case.
* <p/>
- * This contributes "class" and "tml" (the template extension).
+ * This contributes "class", "properties" and "tml" (the template extension).
*
* @param configuration collection of extensions
*/
@@ -1988,6 +1988,9 @@
// Java class files always require a digest.
configuration.add("class");

+ // Even though properties don't contain sensible data we should protect them.
+ configuration.add("properties");
+
// Likewise, we don't want people fishing for templates.
configuration.add(InternalConstants.TEMPLATE_EXTENSION);
}

svn commit: r833928 - in /tapestry/tapestry5/trunk/tapestry-core/src: main/java/org/apache/tapestry5/ main/java/org/apache/tapestry5/corelib/components/ main/resources/org/apache/tapestry5/ test/app1/ test/java/org/apache/tapestry5/integration/ test/ja...

2009-11-08T13:16:57Z

Author: drobiazko
Date: Sun Nov 8 21:16:52 2009
New Revision: 833928

URL: http://svn.apache.org/viewvc?rev=833928&view=rev
Log:
TAP5-138: Add Zone parameter to Select component

Added:
tapestry/tapestry5/trunk/tapestry-core/src/test/app1/SelectZoneDemo.tml
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/data/CarMaker.java (with props)
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/SelectZoneDemo.java (with props)
Modified:
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/EventConstants.java
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/corelib/components/Select.java
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/corelib/components/Select.xdoc
tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/tapestry.js
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java

Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/EventConstants.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/EventConstants.java?rev=833928&r1=833927&r2=833928&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/EventConstants.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/EventConstants.java Sun Nov 8 21:16:52 2009
@@ -144,9 +144,17 @@

/**
* Event triggered by an {@link org.apache.tapestry5.corelib.mixins.Autocomplete} mixin to request completions of
- * the current input. The context is the partial string provided by the cient.
+ * the current input. The context is the partial string provided by the client.
*
* @SINCE 5.1.0.4
*/
public static final String PROVIDE_COMPLETIONS = "providecompletions";
+
+ /**
+ * Event triggered by {@link org.apache.tapestry5.corelib.components.Select} component to inform its
+ * container that Select's value has changed.
+ *
+ * @since 5.2.0.0
+ */
+ public static final String VALUE_CHANGED = "valuechanged";
}

Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/corelib/components/Select.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/corelib/components/Select.java?rev=833928&r1=833927&r2=833928&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/corelib/components/Select.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/corelib/components/Select.java Sun Nov 8 21:16:52 2009
@@ -18,14 +18,22 @@
import org.apache.tapestry5.annotations.*;
import org.apache.tapestry5.corelib.base.AbstractField;
import org.apache.tapestry5.corelib.data.BlankOption;
+import org.apache.tapestry5.corelib.internal.ComponentActionSink;
+import org.apache.tapestry5.corelib.internal.HiddenFieldPositioner;
import org.apache.tapestry5.corelib.mixins.RenderDisabled;
import org.apache.tapestry5.internal.TapestryInternalUtils;
+import org.apache.tapestry5.internal.services.PageRenderQueue;
+import org.apache.tapestry5.internal.util.Holder;
import org.apache.tapestry5.internal.util.SelectModelRenderer;
import org.apache.tapestry5.ioc.Messages;
import org.apache.tapestry5.ioc.annotations.Inject;
+import org.apache.tapestry5.ioc.internal.util.IdAllocator;
import org.apache.tapestry5.ioc.internal.util.InternalUtils;
+import org.apache.tapestry5.json.JSONArray;
+import org.apache.tapestry5.json.JSONObject;
import org.apache.tapestry5.services.*;
import org.apache.tapestry5.util.EnumSelectModel;
+import org.slf4j.Logger;

import java.util.Locale;

@@ -39,9 +47,12 @@
* can be overriden by binding the encoder parameter, or extended by contributing a {@link ValueEncoderFactory} into the
* service's configuration.
*/
-@Events(EventConstants.VALIDATE)
+@Events({EventConstants.VALIDATE, EventConstants.VALUE_CHANGED + " when 'zone' parameter is bound"})
public class Select extends AbstractField
{
+ public static final String FORM_COMPONENTID_PARAMETER = "t:formcomponentid";
+ public static final String CHANGE_EVENT = "change";
+
private class Renderer extends SelectModelRenderer
{

@@ -116,9 +127,39 @@
*/
@Parameter(required = true, principal = true, autoconnect = true)
private Object value;
+
+ @Parameter(defaultPrefix = BindingConstants.LITERAL)
+ private String zone;

@Inject
private FieldValidationSupport fieldValidationSupport;
+
+ @Environmental
+ private FormSupport formSupport;
+
+ @Inject
+ private Environment environment;
+
+ @Inject
+ private RenderSupport renderSupport;
+
+ @Inject
+ private ComponentResources componentResources;
+
+ @Inject
+ private HiddenFieldLocationRules rules;
+
+ @Inject
+ private Logger logger;
+
+ @Inject
+ private ClientDataEncoder clientDataEncoder;
+
+ @Inject
+ private ComponentSource componentSource;
+
+ @Inject
+ private PageRenderQueue pageRenderQueue;

@SuppressWarnings("unused")
@Mixin
@@ -139,9 +180,7 @@

tracker.recordInput(this, submittedValue);

- Object selectedValue = InternalUtils.isBlank(submittedValue)
- ? null :
- encoder.toValue(submittedValue);
+ Object selectedValue = toValue(submittedValue);

try
{
@@ -169,6 +208,83 @@
resources.renderInformalParameters(writer);

// Disabled is via a mixin
+
+ if (this.zone != null)
+ {
+ final Link link = this.resources.createEventLink(CHANGE_EVENT);
+
+ link.addParameter(FORM_COMPONENTID_PARAMETER, this.formSupport.getFormComponentId());
+
+ final JSONArray spec = new JSONArray();
+ spec.put("change");
+ spec.put(getClientId());
+ spec.put(this.zone);
+ spec.put(link.toAbsoluteURI());
+
+ this.renderSupport.addInit("updateZoneOnEvent", spec);
+ }
+ }
+
+ Object onChange()
+ {
+ final String formId = this.request.getParameter(FORM_COMPONENTID_PARAMETER);
+
+ final String changedValue = this.request.getParameter("t:selectvalue");
+
+ final Object newValue = toValue(changedValue);
+
+ final Holder<Object> holder = Holder.create();
+
+ final ComponentEventCallback callback = new ComponentEventCallback()
+ {
+ public boolean handleResult(final Object result)
+ {
+
+ holder.put(result);
+
+ Select.this.value = newValue;
+
+ return true;
+ }
+ };
+
+ this.componentResources.triggerEvent(EventConstants.VALUE_CHANGED, new Object[] { newValue }, callback);
+
+ final PartialMarkupRendererFilter filter = new PartialMarkupRendererFilter()
+ {
+ public void renderMarkup(MarkupWriter writer, JSONObject reply, PartialMarkupRenderer renderer)
+ {
+
+ HiddenFieldPositioner hiddenFieldPositioner = new HiddenFieldPositioner(writer, Select.this.rules);
+
+ final ComponentActionSink actionSink = new ComponentActionSink(Select.this.logger, Select.this.clientDataEncoder);
+
+ final Form form = (Form) Select.this.componentSource.getComponent(formId);
+
+ FormSupport formSupport = form.createRenderTimeFormSupport(form.getClientId(), actionSink, new IdAllocator());
+
+ Select.this.environment.push(FormSupport.class, formSupport);
+ Select.this.environment.push(ValidationTracker.class, new ValidationTrackerImpl());
+
+ renderer.renderMarkup(writer, reply);
+
+ Select.this.environment.pop(ValidationTracker.class);
+ Select.this.environment.pop(FormSupport.class);
+
+ hiddenFieldPositioner.getElement().attributes("type", "hidden", "name", Form.FORM_DATA,
+ "value", actionSink.getClientData());
+
+ }
+ };
+
+ this.pageRenderQueue.addPartialMarkupRendererFilter(filter);
+
+ return holder.get();
+ }
+
+ protected Object toValue(final String submittedValue)
+ {
+ return InternalUtils.isBlank(submittedValue) ? null : this.encoder.toValue(submittedValue);
}

@SuppressWarnings("unchecked")

Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/corelib/components/Select.xdoc
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/corelib/components/Select.xdoc?rev=833928&r1=833927&r2=833928&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/corelib/components/Select.xdoc (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/corelib/components/Select.xdoc Sun Nov 8 21:16:52 2009
@@ -170,6 +170,120 @@
</subsection>

</section>
+
+ <section name="Chaining of Select components">
+ There is often a requirement for chaining Select components. When a value of a Select component is changed
+ another Select should become visible. Let's consider the following example: you create an online shop for a car seller.
+ A make is modeled as enumeration CarMaker.
+
+ <subsection name="CarMaker.java">
+ <source><![CDATA[
+public enum CarMaker
+{
+ MERCEDES, AUDI, BMW;
+}]]></source>
+ </subsection>
+
+ <subsection name="SelectZoneDemo.tml">
+ The Select component 'carMaker' of the page SelectZoneDemo shows all available car makers.
+ When a user selects a car maker, another Select component for selecting available models of the make should appear.
+ This can be accomplished by the parameter <em>zone</em> of the Select component 'carMaker'. When <em>zone</em> parameter is bound
+ every change of the Select's value causes an ajax request. In this case the Select component publishes the event <em>valuechanged</em> which can
+ be used to provide the <em>model</em> for the second Select component.
+ <source><![CDATA[
+<html xmlns:t="http://tapestry.apache.org/schema/tapestry_5_1_0.xsd">
+ <t:form>
+ <p>
+ <t:errors />
+ </p>
+ <p>
+ <t:select t:id="carMaker" validate="required"
+ model="makeModel" zone="modelZone" encoder="makeEncoder" />
+ </p>
+
+ <t:zone t:id="modelZone">
+ <t:if test="carMaker">
+ <t:delegate to="modelBlock" />
+ </t:if>
+ </t:zone>
+
+ <t:block id="modelBlock">
+ <p>
+ <t:select t:id="carModel" model="availableModels" validate="required"/>
+ </p>
+ </t:block>
+
+ <p>
+ <t:submit value="literal:Submit" />
+ </p>
+ </t:form>
+
+</html>]]></source>
+ </subsection>
+
+ <subsection name="SelectZoneDemo.java">
+ The event handler method for the event <em>valuechanged</em> is used to provide the available car models of the currently selected car maker.
+ The new Select's value is passed as context.
+ <source><![CDATA[
+public class SelectZoneDemo
+{
+
+ @Inject
+ private Messages messages;
+
+ @Property
+ @Persist
+ private CarMaker carMaker;
+
+ @Property
+ @Persist
+ private String carModel;
+
+ @Inject
+ @Property
+ private Block modelBlock;
+
+ @Property
+ @Persist
+ private List<String> availableModels;
+
+ public Object onValueChanged(final CarMaker maker)
+ {
+ availableModels = findAvailableModels(maker);
+
+ return this.modelBlock;
+ }
+
+ public List<String> findAvailableModels(final CarMaker maker)
+ {
+ switch (maker)
+ {
+ case AUDI:
+ return Arrays.asList("A4", "A6", "A8");
+ case BMW:
+ return Arrays.asList("3 Series", "5 Series", "7 Series");
+ case MERCEDES:
+ return Arrays.asList("C-Class", "E-Class", "S-Class");
+ default:
+ return Arrays.asList();
+ }
+ }
+
+ public SelectModel getMakeModel()
+ {
+ return new EnumSelectModel(CarMaker.class, this.messages);
+ }
+
+ public ValueEncoder<CarMaker> getMakeEncoder()
+ {
+ return new EnumValueEncoder<CarMaker>(CarMaker.class);
+ }
+
+}]]></source>
+
+ </subsection>
+
+ </section>

</body>
</document>
\ No newline at end of file

Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/tapestry.js
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/tapestry.js?rev=833928&r1=833927&r2=833928&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/tapestry.js (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/main/resources/org/apache/tapestry5/tapestry.js Sun Nov 8 21:16:52 2009
@@ -763,6 +763,11 @@
*/
linkZone : function(element, zoneId, url)
{
+ Tapestry.Initializer.updateZoneOnEvent("click", element, zoneId, url);
+ },
+
+ updateZoneOnEvent : function(eventName, element, zoneId, url)
+ {
element = $(element);

// Update the element with the id of zone div. This may be changed dynamically on the client
@@ -799,17 +804,24 @@
return;
}

- // Otherwise, assume it's just an ordinary link.
+ // Otherwise, assume it's just an ordinary link or input field.

- element.observe("click", function(event)
+ element.observe(eventName, function(event)
{
Event.stop(event);

var zoneObject = Tapestry.findZoneManager(element);

if (!zoneObject) return;
+
+ var newUrl = url;
+
+ if(element.tagName == "SELECT" && element.value)
+ {
+ newUrl+='&t:selectvalue='+element.value;
+ }

- zoneObject.updateFromURL(url);
+ zoneObject.updateFromURL(newUrl);
});
},

Added: tapestry/tapestry5/trunk/tapestry-core/src/test/app1/SelectZoneDemo.tml
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/app1/SelectZoneDemo.tml?rev=833928&view=auto
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/app1/SelectZoneDemo.tml (added)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/app1/SelectZoneDemo.tml Sun Nov 8 21:16:52 2009
@@ -0,0 +1,30 @@
+<t:border xmlns:t="http://tapestry.apache.org/schema/tapestry_5_1_0.xsd">
+ <p>Car Maker: ${carMaker}</p>
+ <p>Car Model: ${carModel}</p>
+ <t:form>
+ <p>
+ <t:errors />
+ </p>
+ <p>
+ <t:select t:id="carMaker" validate="required"
+ model="makeModel" zone="modelZone" encoder="makeEncoder" />
+ </p>
+
+ <t:zone t:id="modelZone">
+ <t:if test="carMaker">
+ <t:delegate to="modelBlock" />
+ </t:if>
+ </t:zone>
+
+ <t:block id="modelBlock">
+ <p id="carModelContainer">
+ <t:select t:id="carModel" model="availableModels" validate="required" blankOption="always" />
+ </p>
+ </t:block>
+
+ <p>
+ <t:submit value="literal:Submit" />
+ </p>
+ </t:form>
+
+</t:border>
\ No newline at end of file

Modified: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java?rev=833928&r1=833927&r2=833928&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java Sun Nov 8 21:16:52 2009
@@ -2318,6 +2318,15 @@

waitForCondition(condition, PAGE_LOAD_TIMEOUT);
}
+
+ private void waitForElementToDisappear(String elementId)
+ {
+
+ String condition = String.format("selenium.browserbot.getCurrentWindow().$(\"%s\").hide()",
+ elementId);
+
+ waitForCondition(condition, PAGE_LOAD_TIMEOUT);
+ }

/**
@@ -3173,4 +3182,47 @@

assertText("eventfired", "true");
}
+
+ /**
+ * TAP5-138
+ */
+ @Test
+ public void select_zone()
+ {
+ start("Select Zone Demo");
+
+ type("carMaker", "BMW");
+
+ waitForElementToAppear("carModelContainer");
+
+ click(SUBMIT);
+
+ String condition = String.format("selenium.browserbot.getCurrentWindow().$$(\"%s\")", "t-error-popup");
+
+ waitForCondition(condition, PAGE_LOAD_TIMEOUT);
+
+ assertText(String.format("//div[@class='%s']/span", "t-error-popup"), "You must provide a value for Car Model.");
+
+ type("carModel", "7 Series");
+
+ clickAndWait(SUBMIT);
+
+ assertTextPresent("Car Maker: BMW");
+
+ assertTextPresent("Car Model: 7 Series");
+
+ waitForElementToDisappear("carModelContainer");
+
+ type("carMaker", "MERCEDES");
+
+ waitForElementToAppear("carModelContainer");
+
+ type("carModel", "E-Class");
+
+ clickAndWait(SUBMIT);
+
+ assertTextPresent("Car Maker: MERCEDES");
+
+ assertTextPresent("Car Model: E-Class");
+ }
}

Added: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/data/CarMaker.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/data/CarMaker.java?rev=833928&view=auto
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/data/CarMaker.java (added)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/data/CarMaker.java Sun Nov 8 21:16:52 2009
@@ -0,0 +1,19 @@
+// Copyright 2009 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package org.apache.tapestry5.integration.app1.data;
+
+public enum CarMaker
+{
+ MERCEDES, AUDI, BMW;
+}

Propchange: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/data/CarMaker.java
------------------------------------------------------------------------------
svn:eol-style = native

Propchange: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/data/CarMaker.java
------------------------------------------------------------------------------
svn:mime-type = text/plain

Modified: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java?rev=833928&r1=833927&r2=833928&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/Index.java Sun Nov 8 21:16:52 2009
@@ -387,9 +387,11 @@
new Item("BeanEditCalendarDemo", "BeanEditor / Calendar Demo",
"Use of calendar properties inside BeanEditor and BeanDisplay"),

- new Item("TriggerDemo", "Trigger Demo",
- "Use of Trigger component"),
- new Item("ImageSubmitDemo", "Submit with an Image Demo", "Make sure that submit with the image parameter set triggers the 'selected' event.")
+ new Item("TriggerDemo", "Trigger Demo", "Use of Trigger component"),
+
+ new Item("ImageSubmitDemo", "Submit with an Image Demo", "Make sure that submit with the image parameter set triggers the 'selected' event."),
+
+ new Item("SelectZoneDemo", "Select Zone Demo", "Use a Select component to update a zone.")

);

Added: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/SelectZoneDemo.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/SelectZoneDemo.java?rev=833928&view=auto
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/SelectZoneDemo.java (added)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/SelectZoneDemo.java Sun Nov 8 21:16:52 2009
@@ -0,0 +1,84 @@
+// Copyright 2009 The Apache Software Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package org.apache.tapestry5.integration.app1.pages;
+
+import java.util.Arrays;
+import java.util.List;
+
+import org.apache.tapestry5.Block;
+import org.apache.tapestry5.SelectModel;
+import org.apache.tapestry5.ValueEncoder;
+import org.apache.tapestry5.annotations.Persist;
+import org.apache.tapestry5.annotations.Property;
+import org.apache.tapestry5.integration.app1.data.CarMaker;
+import org.apache.tapestry5.ioc.Messages;
+import org.apache.tapestry5.ioc.annotations.Inject;
+import org.apache.tapestry5.util.EnumSelectModel;
+import org.apache.tapestry5.util.EnumValueEncoder;
+
+public class SelectZoneDemo
+{
+
+ @Inject
+ private Messages messages;
+
+ @Property
+ @Persist
+ private CarMaker carMaker;
+
+ @Property
+ @Persist
+ private String carModel;
+
+ @Inject
+ @Property
+ private Block modelBlock;
+
+ @Property
+ @Persist
+ private List<String> availableModels;
+
+ public Object onValueChanged(final CarMaker maker)
+ {
+ availableModels = findAvailableModels(maker);
+
+ return this.modelBlock;
+ }
+
+ public List<String> findAvailableModels(final CarMaker maker)
+ {
+ switch (maker)
+ {
+ case AUDI:
+ return Arrays.asList("A4", "A6", "A8");
+ case BMW:
+ return Arrays.asList("3 Series", "5 Series", "7 Series");
+ case MERCEDES:
+ return Arrays.asList("C-Class", "E-Class", "S-Class");
+ default:
+ return Arrays.asList();
+ }
+ }
+
+ public SelectModel getMakeModel()
+ {
+ return new EnumSelectModel(CarMaker.class, this.messages);
+ }
+
+ public ValueEncoder<CarMaker> getMakeEncoder()
+ {
+ return new EnumValueEncoder<CarMaker>(CarMaker.class);
+ }
+
+}

Propchange: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/SelectZoneDemo.java
------------------------------------------------------------------------------
svn:eol-style = native

Propchange: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/pages/SelectZoneDemo.java
------------------------------------------------------------------------------
svn:mime-type = text/plain