authorHenri Sara <henri.sara@itmill.com>2011-09-29 13:06:35 +0000
committerHenri Sara <henri.sara@itmill.com>2011-09-29 13:06:35 +0000
commit8eec2e8f26887946ec82608969576dccd64eb8f6 (patch)
tree487119b7953807f9abf16085cb7bec5afa183fa2 /src/com/vaadin
parent68e20d0c8d61d1e77729a07d9bde0aba3dd7de0a (diff)
#7692 Cannot load static resources in /VAADIN from JARs on GlassFish and some other servers
svn changeset:21445/svn branch:6.6
Diffstat (limited to 'src/com/vaadin')
-rw-r--r--src/com/vaadin/terminal/gwt/server/AbstractApplicationServlet.java19
1 files changed, 17 insertions, 2 deletions
diff --git a/src/com/vaadin/terminal/gwt/server/AbstractApplicationServlet.java b/src/com/vaadin/terminal/gwt/server/AbstractApplicationServlet.java
index 526e85a8d8..1f880be2a3 100644
--- a/src/com/vaadin/terminal/gwt/server/AbstractApplicationServlet.java
+++ b/src/com/vaadin/terminal/gwt/server/AbstractApplicationServlet.java
@@ -1367,10 +1367,25 @@ public abstract class AbstractApplicationServlet extends HttpServlet implements
return false;
}
return true;
+ } else if ("file".equals(resourceUrl.getProtocol())) {
+ // Some servers such as GlassFish extract files from JARs. In such
+ // cases, the class loader sees them as file URLs.
+
+ // Check that the URL is in a VAADIN directory and does not contain
+ // "/../"
+ if (!resourceUrl.getPath().contains("/VAADIN/")
+ || resourceUrl.getPath().contains("/../")) {
+ logger.info("Blocked attempted access to the file : "
+ + resourceUrl);
+ return false;
+ }
+ logger.fine("Accepting access to a file using a class loader: "
+ + resourceUrl);
+ return true;
}
- // when using the class loader fall-back, other protocols than jar: are
- // not supported
+ // when using the class loader fall-back, other protocols than jar: and
+ // file: are not supported
return false;
}
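Review bot: The new file: branch runs both `contains` tests on the raw string from `resourceUrl.getPath()`, which `java.net.URL` returns without percent-decoding or dot-segment normalisation. A parent reference that is percent-encoded, written with backslashes, or placed at the end of the path (`/..`) is therefore not matched by `contains("/../")`, and `/VAADIN/` is accepted anywhere in the path rather than only under the expected resource root. Whether such a URL can reach this branch depends on how `resourceUrl` is obtained, which is outside the hunk (the method starts above it), so treat this as hardening rather than a confirmed bypass. I would run the checks on a decoded, normalised path, for example `String path = resourceUrl.toURI().normalize().getPath();`, return false when `toURI()` throws `URISyntaxException`, and still reject any `..` segment that survives normalisation.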