/**
 * Decides whether a request targets a static file in the web application context, and
 * refuses to serve component templates.
 *
 * <p>Outcomes, as implemented below:
 * <ul>
 *   <li>{@code /favicon.ico}: returns {@code false} without consulting the context
 *       (TAPESTRY-1322).</li>
 *   <li>Path contains a colon, has no dot past index 0, or does not resolve to a context
 *       resource: delegated to {@code handler}.</li>
 *   <li>Path resolves to a context resource whose extension equals
 *       {@code CornerConstants.HTML_TEMPLATE_EXTENSION} (case-insensitive): a 403 is sent
 *       and {@code true} is returned.</li>
 *   <li>Any other existing resource: returns {@code false}.</li>
 * </ul>
 *
 * <p>Security note: the template check looks only at the text after the last dot of the
 * path as returned by {@code request.getPath()}, and only after the resource lookup
 * succeeded. NOTE(review): this assumes the path is already decoded/normalised by the time
 * it gets here, and that whatever serves the request after a {@code false} return applies
 * its own protection to non-public locations - confirm both against the caller.
 *
 * @param request  the incoming request; its path drives every decision
 * @param response used only to send the 403 for template requests
 * @param handler  next handler in the chain, used when the path is not a static file
 * @return {@code true} if this filter produced the response (403), {@code false} if the
 *         request is left unhandled here, otherwise whatever {@code handler} returns
 * @throws IOException if sending the error or the delegated handler fails
 */
public boolean service(Request request, Response response, RequestHandler handler)
    throws IOException {
  final String requestPath = request.getPath();

  // TAPESTRY-1322: browsers ask for a favorites icon on their own; leave that request
  // unhandled here even when the file is missing, so it never looks like a component
  // action request.
  if (requestPath.equals("/favicon.ico")) {
    return false;
  }

  // TAPESTRY-2606: a colon is common in Tapestry event URLs but gives Windows fits,
  // so such paths are never looked up as context resources.
  if (requestPath.contains(":")) {
    return handler.service(request, response);
  }

  // Questionable but deliberate assumption: every file vended out has an extension.
  // Without it the filter tends to match folder names (notably the root context path).
  final int lastDot = requestPath.lastIndexOf(".");
  if (lastDot <= 0) {
    return handler.service(request, response);
  }

  final URL resource = context.getResource(requestPath);
  if (resource == null) {
    return handler.service(request, response);
  }

  // Component templates are never served, even when they exist: exposing one is a
  // security risk comparable to showing a raw JSP. (Earlier alpha versions of Tapestry
  // required templates to live under WEB-INF.)
  final String extension = requestPath.substring(lastDot + 1);
  final boolean isTemplate =
      extension.equalsIgnoreCase(CornerConstants.HTML_TEMPLATE_EXTENSION);
  if (!isTemplate) {
    return false;
  }

  response.sendError(
      HttpServletResponse.SC_FORBIDDEN, ServicesMessages.resourcesAccessForbidden(requestPath));
  return true;
}
/**
 * Stamps the auto-logout header on the response, then passes the request down the chain.
 *
 * <p>The header is set before delegation, so it is added regardless of what
 * {@code handler} later decides. The value is a fixed literal, not derived from the
 * request.
 *
 * @param request  the incoming request, forwarded untouched
 * @param response receives the {@code AUTO_LOGOUT} header
 * @param handler  next handler in the chain
 * @return whatever {@code handler} returns
 * @throws IOException if the delegated handler fails
 */
public boolean service(Request request, Response response, RequestHandler handler)
    throws IOException {
  // Header value is either a path/page name or a full URI (https://site/logout).
  final String logoutTarget = "logout";
  response.setHeader(AUTO_LOGOUT, logoutTarget);

  final boolean handled = handler.service(request, response);
  return handled;
}