JSF security URL

When you use JSF, you have the javax.faces.webapp.FacesServlet controller servlet, which will look like this:

<servlet-mapping>
   ...
    <url-pattern>/somefacesurl/*</url-pattern>
</servlet-mapping>

If we put mypage.xhtml in /, we have a security risk, because it will be available in two ways (starting from the application context):
1) /somefacesurl/mypage.xhtml
2) /mypage.xhtml

The first is processed by JSF and is correct. The second is not processed by JSF and is therefore delivered to the client with the JSF tags exposed, and this is a security risk.

I found only two solutions:
1) always mapping to the root URL:

<servlet-mapping>
   ...
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>

A good solution, but it only allows matching by file extension.

2) URL- , , : .xhtml JSF?

JSF 2.0 , .

, , "" xhtml , , .xhtml.

+5
1
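As an added illustration (not code from the question or the answers), one way to close the second URL while keeping a prefix-mapped FacesServlet such as /faces/*: a servlet filter that refuses any request the container routed to its default servlet as /something.xhtml. It relies on the Servlet-spec rule that a prefix-mapped request has servletPath "/faces" and pathInfo "/mypage.xhtml", whereas a direct request has servletPath "/mypage.xhtml"; the class name and the Servlet 3.0 annotation are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter: blocks direct requests for Facelets source (*.xhtml)
 * in a webapp whose FacesServlet is prefix-mapped (e.g. /faces/*).
 *
 * Servlet-spec path splitting this relies on:
 *   GET /faces/mypage.xhtml -> servletPath "/faces", pathInfo "/mypage.xhtml" (FacesServlet, allowed)
 *   GET /mypage.xhtml       -> servletPath "/mypage.xhtml", pathInfo null     (default servlet, blocked)
 *
 * Do not install it with a suffix mapping (*.xhtml): there every JSF request
 * has a servletPath ending in .xhtml and would be refused.
 */
@WebFilter(urlPatterns = "*.xhtml") // dispatcher defaults to REQUEST only; internal forwards/includes are unaffected
public class RawXhtmlSourceFilter implements Filter {

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        if (isDirectXhtmlRequest(req.getServletPath())) {
            // 404 rather than 403, so the response does not confirm that the source file exists
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(request, response);
    }

    /** True when the request was routed to the default servlet as /something.xhtml. */
    static boolean isDirectXhtmlRequest(String servletPath) {
        return servletPath != null && servletPath.toLowerCase().endsWith(".xhtml");
    }

    @Override
    public void destroy() { }
}
```

Facelets reads the view file through ServletContext.getResource rather than a request dispatch, so the filter does not interfere with normal JSF rendering.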

, JSF . 11.1.2 JSF 2.0 ( ) 10.1.2 JSF 1.2. JSF 2.0 spec one ( ):

11.1.2

- URL ( Java Servlet Specification) URL- , - . JSF -, <servlet-mapping> url-pattern FacesServlet. .. , , :

<servlet-mapping>
    <servlet-name> faces-servlet-name </servlet-name>
    <url-pattern>/faces/*</url-pattern>
</servlet-mapping>

, :

<servlet-mapping>
    <servlet-name> faces-servlet-name </servlet-name>
    <url-pattern>*.faces</url-pattern>
</servlet-mapping>

FacesServlet JSF JavaServer Faces , , .

, () "". , JSF. *.xhtml JSF. , , .


. , , - Java, , / . Facelets Java- (, JSP), , . ? , - ? ( , ). , JSF .

, JSF . JSF- 1015 .

+3
