AW: how to prevent direct access to jsf pages?

by ghadami

Hello,
forget about the /WEB-INF/ directory; it might only be useful to prevent users from
serving templates directly.
You cannot put normal pages there, so /accessTest/WEB-INF/index.jsf does
not make any sense.

If you want to prevent normal users from getting a file directly, simply put it in
a directory
/foo/
and define a security-constraint:
<security-constraint>
    <display-name>Restrict Area</display-name>
    <web-resource-collection>
        <web-resource-name>XHTML</web-resource-name>
        <url-pattern>/foo/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>Only let 'developer's access these files</description>
        <role-name>developer</role-name>
    </auth-constraint>
</security-constraint>

In some cases container-based security will not fit your needs. You can use
a phase listener to implement security on your own.

PS: I have tried to put templates in /WEB-INF/ as Raymond K. DeCampo
described, but until now I have got only a 404 status when trying to
access a file /foo.jsf that uses a template /WEB-INF/tmpl/bar.xhtml. I am
wondering if I did something wrong, or whether that is something that won't work at
all?




-----Original Message-----
From: lmk [mailto:lotfi65@...]
Sent: Tuesday, April 22, 2008 09:39
To: users@...
Subject: RE: how to prevent direct access to jsf pages?



But we cannot prevent the user from getting a URL like /view_product.jsf; it should be
available only through the FacesServlet.
I put the template and XHTML pages in the /WEB-INF/ directory. I get the error
below:

 /accessTest/WEB-INF/index.jsf

State  HTTP 404 - /accessTest/WEB-INF/index.jsf

message /keybee/accessTest-INF/index.jsf

description the requested ressource  (/accessTest/WEB-INF/index.jsf) is not
available.






Raymond K. DeCampo wrote:

>
> With Facelets, one can also put XHTML files under the /WEB-INF, if they
> are templates or included files (same restrictions as with JSP
> essentially).
>
> A common trick to use in addition is to use the built-in security of J2EE to
> prevent direct serving of XHTML files:
>
>     <security-constraint>
>         <display-name>Restrict XHTML Documents</display-name>
>         <web-resource-collection>
>             <web-resource-name>XHTML</web-resource-name>
>             <url-pattern>*.xhtml</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <description>Only let 'developer's access XHTML pages</description>
>             <role-name>developer</role-name>
>         </auth-constraint>
>     </security-constraint>
>
> -----Original Message-----
> From: lmk [mailto:lotfi65@...]
> Sent: Monday, April 21, 2008 11:24
> To: users@...
> Subject: how to prevent direct access to jsf pages?
>
>
>
> I'd like to prevent direct access to JSF pages, even if the user is allowed
> to get the requested page.
> Is it possible to allow only pages redirected or forwarded by the
> FacesServlet?
>
> With only JSF, we can put JSP pages under the /WEB-INF/ directory, so they
> cannot be viewed by the user.
>
> JSF cannot redirect to a page under the /WEB-INF/ directory, the directory which
> the user has no access to...
> With Facelets it seems impossible.
> Is there any solution?
> Thanks!
>
> --
> View this message in context:
> http://www.nabble.com/how-to-prevent-direct-access-to-jsf-pages--tp16807991p16807991.html
> Sent from the java.net - facelets users mailing list archive at
> Nabble.com.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@...
> For additional commands, e-mail: users-help@...

--
View this message in context:
http://www.nabble.com/how-to-prevent-direct-access-to-jsf-pages--tp16807991p16823204.html
Sent from the java.net - facelets users mailing list archive at Nabble.com.
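
The phase-listener approach mentioned in the reply at the top of this thread, shown as an added example; it is not code from the thread or from any of its participants. The package and class name are hypothetical, the /foo/ prefix and the developer role are taken from the security-constraint above, and the API used is the JSF 1.2 javax.faces API.

```java
package example.security; // hypothetical package name

import java.io.IOException;
import javax.faces.FacesException;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;
import javax.servlet.http.HttpServletResponse;

// Register in faces-config.xml:
//   <lifecycle>
//     <phase-listener>example.security.RestrictedAreaListener</phase-listener>
//   </lifecycle>
public class RestrictedAreaListener implements PhaseListener {
    private static final long serialVersionUID = 1L;
    private static final String RESTRICTED_PREFIX = "/foo/";  // from the thread
    private static final String REQUIRED_ROLE = "developer";  // from the thread

    // Run once the view has been restored, so the view id is known
    // before any model update or rendering takes place.
    public PhaseId getPhaseId() {
        return PhaseId.RESTORE_VIEW;
    }

    public void beforePhase(PhaseEvent event) {
        // nothing to do before RESTORE_VIEW; no view root exists yet
    }

    public void afterPhase(PhaseEvent event) {
        FacesContext ctx = event.getFacesContext();
        if (ctx.getViewRoot() == null) {
            return; // no view restored, nothing to protect
        }
        String viewId = ctx.getViewRoot().getViewId();
        if (viewId == null || !viewId.startsWith(RESTRICTED_PREFIX)) {
            return; // view is outside the restricted area
        }
        ExternalContext ext = ctx.getExternalContext();
        if (ext.isUserInRole(REQUIRED_ROLE)) {
            return; // container-authenticated user holds the role
        }
        try {
            // Deny the request and stop the lifecycle so nothing is rendered.
            ((HttpServletResponse) ext.getResponse()).sendError(HttpServletResponse.SC_FORBIDDEN);
        } catch (IOException e) {
            throw new FacesException(e);
        }
        ctx.responseComplete();
    }
}
```

A phase listener only sees requests that are mapped to the FacesServlet. A request for the raw .xhtml source that the container serves itself never reaches it, so the *.xhtml security-constraint quoted above is still needed for that case.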

