堆栈内存溢出
  简体   繁体   English

如何保护JSF 2.0 facelets免受直接访问?

[英]How do I protect JSF 2.0 facelets against direct access?

 原文  2012-05-13 14:16:38       java/ jsf/ facelets

问题描述

I have found one idea here , putting files under /WEB-INF is a way to block direct access: 我在这里找到了一个想法,将文件放在/ WEB-INF下是一种阻止直接访问的方法:

With Facelets, one can also put XHTML files under the /WEB-INF, if they are templates or included files (same restrictions as with JSP essentially). 使用Facelets,还可以将XHTML文件放在/ WEB-INF下,如果它们是模板或包含文件(基本上与JSP相同的限制)。

The page also presents a solution based on Java EE security, which allows direct XHTML access only to members of a specific user group. 该页面还提供了基于Java EE安全性的解决方案,该解决方案仅允许直接XHTML访问特定用户组的成员。 

<security-constraint>
    <display-name>Restrict XHTML Documents</display-name>
    <web-resource-collection>
        <web-resource-name>XHTML</web-resource-name>
        <url-pattern>*.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>Only let 'developer's access XHTML pages</description>
        <role-name>developer</role-name>
    </auth-constraint>
</security-constraint>

Would you recommend one of these solutions, or are both generally used? 您会推荐其中一种解决方案,还是一般都使用?

2 个解决方案

解决方案1
 12 已采纳  2012-05-13 18:35:35

Putting in the /WEB-INF folder is only applicable for template files, include files and tag files which should never be accessed directly and standalone by URL, also not by a valid mapping. 放入/WEB-INF文件夹仅适用于模板文件,包含文件和标记文件,这些文件永远不能通过URL直接访问和独立访问,也不能通过有效映射访问。

The security constraint is only applicable for public files when you haven't mapped the FacesServlet on *.xhtml . 如果尚未在*.xhtml上映射FacesServlet ,则安全约束仅适用于公共文件。 If you have for example mapped it on *.jsf then you can open public resources by foo.jsf URLs, but one could retrieve the raw XHTML source code by just changing the extension to foo.xhtml . 例如,如果您将其映射到*.jsf则可以通过foo.jsf URL打开公共资源,但只需将扩展名更改为foo.xhtml即可检索原始XHTML源代码。 That security constraint prevents this. 该安全约束阻止了这一点。

But better is to just map the FacesServlet on *.xhtml directly. 但更好的是直接在*.xhtml上映射FacesServlet This way you don't need that security constraint anymore. 这样您就不再需要该安全约束。 However, template/include/tag files should still be placed in /WEB-INF folder. 但是,模板/包含/标记文件仍应放在/WEB-INF文件夹中。 To get the general idea, you may find the source of the OmniFaces showcase project helpful (see WEB-INF here ). 为了得到一般的想法,您可能会发现OmniFaces展示项目的来源很有帮助(请参阅此处的 WEB-INF )。

See also: 也可以看看:

解决方案2
 1  2012-05-13 16:32:10

It is extremely plausible that .xhtml can be placed under and served from the web information folder. 非常合理的是.xhtml可以放在Web信息文件夹下并从Web信息文件夹中提供。

I would instead of relying on decorative programming such as putting rules into web.xml, look into security solution such as JSecurity to provide JAAS for my application. 我不是依靠装饰性编程,例如将规则放入web.xml,而是查看JSecurity等安全解决方案,为我的应用程序提供JAAS。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 你如何从JSF 2.0 Facelets模板调用List.size()? - How do you call List.size() from a JSF 2.0 Facelets Template? JSF 2.0 Facelets模板继承 - JSF 2.0 Facelets template inheritance 如何在Netbeans 6.8中为JSF 1.2中的facelets启用代码完成? - How do I enable code-completion in Netbeans 6.8 for facelets in JSF 1.2? <ui:debug />标记在Facelets中不起作用(JSF 2.0) - <ui:debug/> tag not working in Facelets (JSF 2.0) 将jsf项目转换为facelets 2.0的问题 - Issues with converting a jsf project to facelets 2.0 JSF 2.0 Facelets嵌套模板继承 - JSF 2.0 Facelets nested templates inheritance 如何使Netbeans 6.7识别Facelets中的JSF标签? - How can I make Netbeans 6.7 recognize JSF tags in facelets? 什么是Facelets,它与JSF有什么关系? - What are Facelets and how is it related to JSF? 我可以将Facelets与JSF2.0一起使用-Java EE5中的Richfaces 3.3.3 - Can i use Facelets with JSF2.0 - Richfaces 3.3.3 in Java EE5 如何在JSF 2.0中访问文件css - How to get access to file css in JSF 2.0
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM