Tynamo

provide a configuration to block access to assets (like the AssetProtectionDispatcher)

Details

  • Type: New Feature New Feature
  • Status: Closed Closed
  • Priority: Major Major
  • Resolution: Won't Fix
  • Affects Version/s: None
  • Fix Version/s: security-0.4.5
  • Component/s: None
  • Labels:
    None
  • Number of attachments :
    0

Description


provide a configuration to block access to assets (like the AssetProtectionDispatcher)

Issue Links

depends upon

Improvement - An improvement or enhancement to an existing feature or task. TYNAMO-161 add a PatternMatcher field to SecurityFilterChain

  • Major - Major loss of function.
  • Closed - The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.

Activity

Hide
Permalink
Alejandro Scandroli added a comment -

Here is one solution:

public class AssetProtectionModule {

	public static void contributeSecurityConfiguration(Configuration<SecurityFilterChain> configuration,
	                                                   @Symbol(SymbolConstants.ASSET_PATH_PREFIX) final String assetPathPrefix,
	                                                   SecurityFilterChainFactory factory) {

		configuration.add(factory.createChainWithRegEx(assetPathPrefix + ".*/$").add(factory.notfound()).build());

		final String pattern = ".*\\.((css)|(js)|(jpg)|(jpeg)|(png)|(gif))$";
		final Pattern p = Pattern.compile(pattern);

		configuration.add(factory.createChain(pattern, new PatternMatcher() {
			@Override
			public boolean matches(String ignored, String source) {
				return source.startsWith(assetPathPrefix) && !p.matcher(source).matches();
			}
		}).add(factory.notfound()).build());
	}
}

Now I think there is no point in having this out-of-the-box in tapestry-security.
For documentation purposes I've created a github gist so you can follow my train of thoughts: https://gist.github.com/2831057

Show
Alejandro Scandroli added a comment - Here is one solution: public class AssetProtectionModule { public static void contributeSecurityConfiguration(Configuration<SecurityFilterChain> configuration, @Symbol(SymbolConstants.ASSET_PATH_PREFIX) final String assetPathPrefix, SecurityFilterChainFactory factory) { configuration.add(factory.createChainWithRegEx(assetPathPrefix + ".*/$" ).add(factory.notfound()).build()); final String pattern = ".*\\.((css)|(js)|(jpg)|(jpeg)|(png)|(gif))$" ; final Pattern p = Pattern.compile(pattern); configuration.add(factory.createChain(pattern, new PatternMatcher() { @Override public boolean matches( String ignored, String source) { return source.startsWith(assetPathPrefix) && !p.matcher(source).matches(); } }).add(factory.notfound()).build()); } } Now I think there is no point in having this out-of-the-box in tapestry-security. For documentation purposes I've created a github gist so you can follow my train of thoughts: https://gist.github.com/2831057

People

  • Assignee:
    Alejandro Scandroli
    Reporter:
    Alejandro Scandroli
Vote (0)
Watch (1)

Dates

  • Created:
    Updated:
    Resolved: