How to protect JSF 2.0 templates from direct access?

I found one idea here: placing files under /WEB-INF is a way to block direct access:

With Facelets, you can also put XHTML files in /WEB-INF if they are templates or included files (essentially the same limitations as with JSP).

The page also presents a Java EE security-based solution that allows direct access to XHTML files only to members of a specific user group.

    <security-constraint>
        <display-name>Restrict XHTML Documents</display-name>
        <web-resource-collection>
            <web-resource-name>XHTML</web-resource-name>
            <url-pattern>*.xhtml</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description>Only let 'developer' access XHTML pages</description>
            <role-name>developer</role-name>
        </auth-constraint>
    </security-constraint>

Would you recommend one of these solutions, or are both commonly used?

+7
3 answers

Placing files in the /WEB-INF folder applies only to template files, include files and tag files that should never be accessible directly and standalone by URL, not even with a valid mapping.

The security constraint applies only to public files, and only if you have not mapped the FacesServlet on *.xhtml. If you have mapped it on *.jsf, for example, you can open public resources with foo.jsf URLs, but you can also get the raw XHTML source code by simply changing the extension to foo.xhtml. That is what this security constraint prevents.

It is best, however, to just map the FacesServlet on *.xhtml. That way you no longer need this security constraint. The template/include/tag files still need to be placed in the /WEB-INF folder. To get the overall idea, you may find the OmniFaces showcase project source useful (see WEB-INF here).

See also:

+12
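As an added example (not code from the question or the answer above), the following Python script turns the answer's reasoning into a check you can run against a web.xml: it reports whether a request for foo.xhtml could come back as the raw Facelets source, which is the case when the FacesServlet is not mapped on *.xhtml and no security constraint with an auth-constraint covers *.xhtml. The three web.xml documents are constructed here for the example; the `make_web_xml` helper, the class-name set and the output format are assumptions of this example. Whether template files actually sit under /WEB-INF is outside what web.xml can tell you, so the script does not try to judge that.

```python
# Added example: check a web.xml for the raw-XHTML-source exposure discussed above.
# Not part of the original post; the sample web.xml documents below are constructed.
import xml.etree.ElementTree as ET

# Both the JSF 2.x class from the question and the Jakarta Faces class (assumed).
FACES_SERVLET_CLASSES = {
    "javax.faces.webapp.FacesServlet",
    "jakarta.faces.webapp.FacesServlet",
}


def _local(tag):
    """Strip the XML namespace so java.sun.com and jcp.org schemas both work."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    found = _children(elem, name)
    return found[0].text.strip() if found and found[0].text else None


def faces_servlet_patterns(root):
    """URL patterns that are routed to the FacesServlet."""
    names = {
        _text(s, "servlet-name")
        for s in _children(root, "servlet")
        if _text(s, "servlet-class") in FACES_SERVLET_CLASSES
    }
    return {
        p.text.strip()
        for m in _children(root, "servlet-mapping")
        if _text(m, "servlet-name") in names
        for p in _children(m, "url-pattern")
        if p.text
    }


def xhtml_constrained(root):
    """True if some security-constraint with an auth-constraint covers *.xhtml."""
    for sc in _children(root, "security-constraint"):
        if not _children(sc, "auth-constraint"):
            continue  # a collection without auth-constraint stays public
        for wrc in _children(sc, "web-resource-collection"):
            if any(p.text and p.text.strip() == "*.xhtml"
                   for p in _children(wrc, "url-pattern")):
                return True
    return False


def raw_xhtml_exposed(web_xml):
    """True if GET /foo.xhtml could serve the Facelets source as a static file."""
    root = ET.fromstring(web_xml)
    if "*.xhtml" in faces_servlet_patterns(root):
        return False  # every *.xhtml request is rendered by JSF, never served raw
    return not xhtml_constrained(root)


def make_web_xml(mapping, extra=""):
    """Build a constructed web.xml with the FacesServlet mapped on `mapping`."""
    return f"""<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>{mapping}</url-pattern>
  </servlet-mapping>
  {extra}
</web-app>"""


# The constraint quoted in the question: *.xhtml only for the 'developer' role.
XHTML_CONSTRAINT = """<security-constraint>
    <web-resource-collection>
      <web-resource-name>XHTML</web-resource-name>
      <url-pattern>*.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>developer</role-name></auth-constraint>
  </security-constraint>"""

WEAK = make_web_xml("*.jsf")                         # foo.xhtml leaks the source
CONSTRAINED = make_web_xml("*.jsf", XHTML_CONSTRAINT)  # leak closed by the constraint
HARDENED = make_web_xml("*.xhtml")                   # the mapping the answer recommends

if __name__ == "__main__":
    for label, doc in (("*.jsf only", WEAK),
                       ("*.jsf + constraint", CONSTRAINED),
                       ("*.xhtml mapping", HARDENED)):
        print(f"{label:20} raw XHTML exposed: {raw_xhtml_exposed(doc)}")
```

Run it against your own deployment descriptor by replacing the constructed strings with the file contents; a "True" for a production application means the answer's foo.jsf/foo.xhtml trick applies to it.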

What about when you put templates in a jar (META-INF/resources)? Is it possible to protect them from direct access, as you do when the templates are placed in WEB-INF?

+2

It is entirely feasible to place .xhtml files in the WEB-INF folder and serve them.

Instead of relying on declarative programming, for example putting rules in web.xml, I would look at a security solution such as JSecurity to provide JAAS for my application.

+1
