
AW: AW: how to prevent direct access to jsf pages?

by ghadami

Hello,

This looks like a good example:
http://jdj.sys-con.com/read/250254_1.htm



-----Original Message-----
From: lmk [mailto:lotfi65@...]
Sent: Monday, 28 April 2008 14:39
To: users@...
Subject: Re: AW: how to prevent direct access to jsf pages?


Hello,
it's clearer now.

Can you give me an example of securing access to JSF in the phaseListener?

Thanks


Keywan Ghadami wrote:

>
> Hello,
> forget about the /WEB-INF/ directory; it might only be useful to prevent users to serve templates directly.
> You cannot put normal pages there, so /accessTest/WEB-INF/index.jsf does not make any sense.
>
> If you want to prevent normal users from getting a file directly, simply put it in a directory
> /foo/
> and define a security-constraint
>
> <security-constraint>
>     <display-name>Restrict Area</display-name>
>     <web-resource-collection>
>         <web-resource-name>XHTML</web-resource-name>
>         <url-pattern>/foo/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>         <description>Only let 'developer's access this files</description>
>         <role-name>developer</role-name>
>     </auth-constraint>
> </security-constraint>
>
> In some cases container-based security will not fit your needs. You can use a phase listener to implement security on your own.
>
> PS: I have tried to put templates in /WEB-INF/ as Raymond K. DeCampo described, but until now I have got only a 404 status when trying to access a file /foo.jsf that uses a template /WEB-INF/tmpl/bar.xhtml. I am wondering if I did something wrong, or is that something that won't work at all?
>
>
>
>
> -----Original Message-----
> From: lmk [mailto:lotfi65@...]
> Sent: Tuesday, 22 April 2008 09:39
> To: users@...
> Subject: RE: how to prevent direct access to jsf pages?
>
>
>
> But we cannot prevent the user from getting a URL like /view_product.jsf. It should be available only by FacesServlet.
> I put the template and XHTML pages in the /WEB-INF/ directory. I get the error below:
>
>  /accessTest/WEB-INF/index.jsf
>
> State  HTTP 404 - /accessTest/WEB-INF/index.jsf
>
> message /keybee/accessTest-INF/index.jsf
>
> description the requested ressource  (/accessTest/WEB-INF/index.jsf) is not available.
>
>
>
>
>
>
> Raymond K. DeCampo wrote:
>>
>> With Facelets, one can also put XHTML files under the /WEB-INF, if they
>> are templates or included files (same restrictions as with JSP
>> essentially).
>>
>> A common trick to use in addition is to use the built-in security of J2EE to prevent direct serving of XHTML files:
>>
>>     <security-constraint>
>>         <display-name>Restrict XHTML Documents</display-name>
>>         <web-resource-collection>
>>             <web-resource-name>XHTML</web-resource-name>
>>             <url-pattern>*.xhtml</url-pattern>
>>         </web-resource-collection>
>>         <auth-constraint>
>>             <description>Only let 'developer's access XHTML pages</description>
>>             <role-name>developer</role-name>
>>         </auth-constraint>
>>     </security-constraint>
>>
>> -----Original Message-----
>> From: lmk [mailto:lotfi65@...]
>> Sent: Monday, April 21, 2008 11:24
>> To: users@...
>> Subject: how to prevent direct access to jsf pages?
>>
>>
>>
>> I'd like to prevent direct access to JSF pages, even if the user is allowed to get the page requested.
>> Is it possible to allow only pages redirected or forwarded by the FacesServlet?
>>
>> With only JSF, we can put JSP pages under the /WEB-INF/ directory, so they cannot be viewed by the user.
>>
>> JSF cannot redirect to a page under the /WEB-INF/ directory, the directory which the user has no access to...
>> With Facelets it seems impossible.
>> Is there any solution?
>> Thanks!
>>
>> --
>> View this message in context:
>> http://www.nabble.com/how-to-prevent-direct-access-to-jsf-pages--tp16807991p16807991.html
>> Sent from the java.net - facelets users mailing list archive at Nabble.com.

--
View this message in context: http://www.nabble.com/how-to-prevent-direct-access-to-jsf-pages--tp16807991p16937522.html
Sent from the java.net - facelets users mailing list archive at Nabble.com.
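
For the PhaseListener question asked in this thread, an added example (not written by any poster and not taken from the linked article) of a listener that denies views under /foo/ after RESTORE_VIEW. The class name, the `/foo/` prefix used as the protected area and the `authenticatedUser` session key are assumptions; the session key stands for whatever marker the application's own login code sets.

```java
import java.io.IOException;
import javax.faces.FacesException;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical listener: answers 403 for protected views when no login marker is in the session. */
public class ViewAccessListener implements PhaseListener {
    private static final long serialVersionUID = 1L;
    private static final String PROTECTED_PREFIX = "/foo/";              // assumed protected area
    private static final String SESSION_USER_KEY = "authenticatedUser";  // assumed, set by the app's login

    public PhaseId getPhaseId() {
        return PhaseId.RESTORE_VIEW;   // the view id is known once this phase has run
    }

    public void beforePhase(PhaseEvent event) {
        // Nothing to check yet: the view root does not exist before RESTORE_VIEW.
    }

    public void afterPhase(PhaseEvent event) {
        FacesContext ctx = event.getFacesContext();
        ExternalContext ext = ctx.getExternalContext();
        String viewId = ctx.getViewRoot() == null ? null : ctx.getViewRoot().getViewId();

        // Fail closed: a request whose view id cannot be determined is treated as protected.
        boolean isProtected = viewId == null || viewId.startsWith(PROTECTED_PREFIX);
        boolean loggedIn = ext.getSessionMap().get(SESSION_USER_KEY) != null;
        if (!isProtected || loggedIn) {
            return;   // public view, or caller already authenticated by the application
        }
        try {
            // JSF 1.x has no portable send-error call, so use the servlet response directly.
            ((HttpServletResponse) ext.getResponse()).sendError(HttpServletResponse.SC_FORBIDDEN);
        } catch (IOException e) {
            throw new FacesException(e);
        }
        ctx.responseComplete();   // skip the remaining phases, including RENDER_RESPONSE
    }
}
```

The listener is registered with a `<phase-listener>` entry inside `<lifecycle>` in faces-config.xml. It only sees requests that pass through the FacesServlet, so the `*.xhtml` security-constraint quoted above is still what stops the raw Facelets source from being served.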

