tapestry-security based configuration that block access to assets (inspired by T5AssetProtectionDispatcher)

AssetProtectionModule.java

package org.tynamo.security.services;

import org.apache.shiro.util.PatternMatcher;
import org.apache.tapestry5.SymbolConstants;
import org.apache.tapestry5.ioc.Configuration;
import org.apache.tapestry5.ioc.annotations.Symbol;
import org.tynamo.security.services.impl.SecurityFilterChain;

import java.util.regex.Pattern;

public class AssetProtectionModule {

	public static void contributeSecurityConfiguration(Configuration<SecurityFilterChain> configuration,
	                                                   @Symbol(SymbolConstants.ASSET_PATH_PREFIX) final String assetPathPrefix,
	                                                   SecurityFilterChainFactory factory) {

		final String noListingExpression = assetPathPrefix + ".*/$";
		final PatternMatcher noListingPatternMatcher = new PatternMatcherImpl(Pattern.compile(noListingExpression));
		configuration.add(factory.createChain(noListingExpression, noListingPatternMatcher)
				.add(factory.notfound()).build());

		final String pattern = ".*\\.((css)|(js)|(jpg)|(jpeg)|(png)|(gif))$";
		final PatternMatcher patternMatcher = new PatternMatcherImpl(Pattern.compile(pattern));

		configuration.add(factory.createChain(pattern, new PatternMatcher() {
			@Override
			public boolean matches(String ignored, String source) {
				return source.startsWith(assetPathPrefix) && !patternMatcher.matches(ignored, source);
			}
		}).add(factory.notfound()).build());
	}

	static class PatternMatcherImpl implements PatternMatcher {

		private Pattern pattern;

		PatternMatcherImpl(Pattern pattern) {
			this.pattern = pattern;
		}

		@Override
		public boolean matches(String ignored, String source) {
			return pattern.matcher(source).matches();
		}
	}
}