commit d4e4982f940b47143fc88ffaecfc813e5b34ee32
author Thiago H. de Paula Figueiredo <thiago@arsmachina.com.br> Fri Nov 23 16:44:15 2018 -0200
committer Thiago H. de Paula Figueiredo <thiago@arsmachina.com.br> Fri Nov 23 16:44:15 2018 -0200
tree 24d49236b72b6f73f8076cf1586a2000342a5366
parent ff599ed6ba0ed64ee18e12d964b05cd03a958b4a

TAP5-2601: Add configurable service to block access to classpath assets

tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ClasspathAssetRequestHandler.java

diff --git a/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ClasspathAssetRequestHandler.java b/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ClasspathAssetRequestHandler.java
index b2bdeff..ea92e26 100644
--- a/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ClasspathAssetRequestHandler.java
+++ b/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ClasspathAssetRequestHandler.java
@@ -18,6 +18,7 @@
 import org.apache.tapestry5.ioc.Resource;
 import org.apache.tapestry5.services.AssetSource;
 import org.apache.tapestry5.services.ClasspathAssetAliasManager;
+import org.apache.tapestry5.services.ClasspathAssetProtectionRule;
 import org.apache.tapestry5.services.Request;
 import org.apache.tapestry5.services.Response;
 import org.apache.tapestry5.services.assets.AssetRequestHandler;
@@ -35,23 +36,36 @@
     private final ResourceStreamer streamer;
 
     private final AssetSource assetSource;
-
+    
     private final String baseFolder;
+    
+    private final ClasspathAssetProtectionRule classpathAssetProtectionRule;
 
     public ClasspathAssetRequestHandler(ResourceStreamer streamer,
-                                        AssetSource assetSource, String baseFolder)
+                                        AssetSource assetSource, String baseFolder,
+                                        ClasspathAssetProtectionRule classpathAssetProtectionRule)
     {
         this.streamer = streamer;
         this.assetSource = assetSource;
         this.baseFolder = baseFolder;
+        this.classpathAssetProtectionRule = classpathAssetProtectionRule;
     }
 
     public boolean handleAssetRequest(Request request, Response response, String extraPath) throws IOException
     {
         ChecksumPath path = new ChecksumPath(streamer, baseFolder, extraPath);
-
-        Resource resource = assetSource.resourceForPath(path.resourcePath);
-
-        return path.stream(resource);
+        
+        final boolean handled;
+        if (classpathAssetProtectionRule.block(path.resourcePath)) 
+        {
+            handled = false;
+        }
+        else
+        {
+            Resource resource = assetSource.resourceForPath(path.resourcePath);
+    
+            handled = path.stream(resource);
+        }
+        return handled;
     }
 }