tapestry-core/src/main/java/org/apache/tapestry5/internal/services/StaticFilesFilter.java - tapestry-5 - Git at Google

 // Copyright 2006, 2007 The Apache Software Foundation
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 package org.apache.tapestry5.internal.services;

 import org.apache.tapestry5.internal.InternalConstants;
 import org.apache.tapestry5.services.*;

 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.net.URL;

 /**
  * Identifies requests that are for actual resource files in the context. For those, Tapestry allows the servlet
  * container to process the request.
  */
 public class StaticFilesFilter implements RequestFilter
 {
     private final Context context;

     public StaticFilesFilter(Context context)
     {
         this.context = context;
     }

     public boolean service(Request request, Response response, RequestHandler handler)
             throws IOException
     {
         String path = request.getPath();

         // TAPESTRY-1322: Treat requests from the browser for a favorites icon via the normal
         // servlet even if the file doesn't exist, to keep the request from looking like a
         // component action request.

         if (path.equals("/favicon.ico")) return false;

         // We are making the questionable assumption that all files to be vended out will contain
         // an extension (with a dot separator). Without this, the filter tends to match against
         // folder names when we don't want it to (especially for the root context path).

         int dotx = path.lastIndexOf(".");

         if (dotx > 0)
         {
             URL url = context.getResource(path);

             if (url != null)
             {
                 String suffix = path.substring(dotx + 1);

                 // We never allow access to Tapestry component templates, even if they exist.
                 // It is considered a security risk, like seeing a raw JSP. Earlier alpha versions
                 // of Tapestry required that the templates be stored in WEB-INF.

                 if (suffix.equalsIgnoreCase(InternalConstants.TEMPLATE_EXTENSION))
                 {

                     response.sendError(HttpServletResponse.SC_FORBIDDEN, ServicesMessages
                             .resourcesAccessForbidden(path));

                     return true;
                 }

                 return false;
             }
         }

         return handler.service(request, response);
     }
 }
	// Copyright 2006, 2007 The Apache Software Foundation
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	package org.apache.tapestry5.internal.services;

	import org.apache.tapestry5.internal.InternalConstants;
	import org.apache.tapestry5.services.*;

	import javax.servlet.http.HttpServletResponse;
	import java.io.IOException;
	import java.net.URL;

	/**
	* Identifies requests that are for actual resource files in the context. For those, Tapestry allows the servlet
	* container to process the request.
	*/
	public class StaticFilesFilter implements RequestFilter
	{
	private final Context context;

	public StaticFilesFilter(Context context)
	{
	this.context = context;
	}

	public boolean service(Request request, Response response, RequestHandler handler)
	throws IOException
	{
	String path = request.getPath();

	// TAPESTRY-1322: Treat requests from the browser for a favorites icon via the normal
	// servlet even if the file doesn't exist, to keep the request from looking like a
	// component action request.

	if (path.equals("/favicon.ico")) return false;

	// We are making the questionable assumption that all files to be vended out will contain
	// an extension (with a dot separator). Without this, the filter tends to match against
	// folder names when we don't want it to (especially for the root context path).

	int dotx = path.lastIndexOf(".");

	if (dotx > 0)
	{
	URL url = context.getResource(path);

	if (url != null)
	{
	String suffix = path.substring(dotx + 1);

	// We never allow access to Tapestry component templates, even if they exist.
	// It is considered a security risk, like seeing a raw JSP. Earlier alpha versions
	// of Tapestry required that the templates be stored in WEB-INF.

	if (suffix.equalsIgnoreCase(InternalConstants.TEMPLATE_EXTENSION))
	{

	response.sendError(HttpServletResponse.SC_FORBIDDEN, ServicesMessages
	.resourcesAccessForbidden(path));

	return true;
	}

	return false;
	}
	}

	return handler.service(request, response);
	}
	}