How do I protect JSF 2.0 facelets against direct access?
I have found one idea here; putting files under /WEB-INF is a way to block direct access:
With Facelets, one can also put XHTML files under the /WEB-INF, if they are templates or included files (same restrictions as with JSP essentially).
The page also presents a solution based on Java EE security, which allows direct XHTML access only to members of a specific user group.
<security-constraint>
<display-name>Restrict XHTML Documents</display-name>
<web-resource-collection>
<web-resource-name>XHTML</web-resource-name>
<url-pattern>*.xhtml</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>Only let 'developer's access XHTML pages</description>
<role-name>developer</role-name>
</auth-constraint>
</security-constraint>
Would you recommend one of these solutions, or are both generally used?
Putting files in the /WEB-INF folder is only applicable for template files, include files and tag files, which should never be accessed directly and standalone by URL, also not by a valid mapping.

The security constraint is only applicable for public files when you haven't mapped the FacesServlet on *.xhtml. If you have for example mapped it on *.jsf, then you can open public resources by foo.jsf URLs, but one could retrieve the raw XHTML source code by just changing the extension to foo.xhtml. That security constraint prevents this.

But better is to just map the FacesServlet on *.xhtml directly. This way you don't need that security constraint anymore. However, template/include/tag files should still be placed in the /WEB-INF folder. To get the general idea, you may find the source of the OmniFaces showcase project helpful (see WEB-INF here).
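The two mappings the answer above contrasts, side by side in one web.xml, as an added example that is not part of the original answer and not code from the OmniFaces project. The servlet name "facesServlet", the JSF 2.0 / Servlet 3.0 namespace and the file layout in the comments are assumptions for illustration; only the FacesServlet class and the url-pattern values come from the answer.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

    <servlet>
        <servlet-name>facesServlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <!-- WEAK variant, kept here commented out for contrast.
         With only a *.jsf mapping, GET /foo.xhtml never reaches the FacesServlet:
         the container treats foo.xhtml as a static file and returns the raw
         Facelets source (EL expressions, bean names, template structure).
         That is exactly the leak the question's <security-constraint> on *.xhtml
         was added to close.
    <servlet-mapping>
        <servlet-name>facesServlet</servlet-name>
        <url-pattern>*.jsf</url-pattern>
    </servlet-mapping>
    -->

    <!-- RECOMMENDED variant: map the FacesServlet on *.xhtml itself.
         Every request ending in .xhtml is now rendered by JSF, so there is no
         second URL under which the same file is served unrendered, and the
         role-based security constraint from the question is no longer needed. -->
    <servlet-mapping>
        <servlet-name>facesServlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>

    <!-- Assumed layout (illustrative, not prescribed by the answer):
           /index.xhtml                      public page, rendered via the mapping above
           /WEB-INF/templates/layout.xhtml   master template
           /WEB-INF/includes/footer.xhtml    ui:include fragment
           /WEB-INF/tags/                    composite/tag files
         Anything under /WEB-INF is never served by the container regardless of
         mapping, so templates, includes and tag files stay unreachable by URL
         even though index.xhtml references them with
         template="/WEB-INF/templates/layout.xhtml". -->

    <welcome-file-list>
        <welcome-file>index.xhtml</welcome-file>
    </welcome-file-list>
</web-app>
```

To check a deployment after the change, request a public page's raw form directly (for example with curl) and confirm the body contains rendered HTML rather than Facelets markup such as ui:composition, xmlns:h or unevaluated #{...} expressions. If you must keep a *.jsf mapping for existing links, note that a security-constraint on *.xhtml with an empty auth-constraint element (no role at all) denies every caller, which is stricter than the developer role in the question and avoids depending on who holds that role in production.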
It is extremely plausible that .xhtml can be placed under and served from the web information folder.
I would, instead of relying on declarative programming such as putting rules into web.xml, look into a security solution such as JSecurity to provide JAAS for my application.