« Return to Thread: how to prevent direct access to jsf pages?
RE: RE: how to prevent direct access to jsf pages?
by Raymond K. DeCampo
::
Rate this Message:
-----Original Message-----
From: lmk [mailto:lotfi65@...]
Sent: Tuesday, April 22, 2008 03:39
To: users@...
Subject: RE: how to prevent direct access to jsf pages?
> but we can not prevent user to get url like /view_product.jsf, It should be
> available only by FacesServlet..
I don't see the problem here, URLs like /view_product.jsf should be available and do use the FacesServlet (assuming you have done the appropriate mappings of *.jsf to the FacesServlet)
> I put template and pages xhtml on the /WEB-INF/ directory.. I get the error
> below:
Only put files that do NOT correspond to an addressable URL in the /WEB-INF directory. For example, template files or files that are used as includes into other files.
Perhaps it would be clearer if you gave a list of files and their uses along with the desired addressable URLs and non-addressable URLs.
Raymond K. DeCampo wrote:
>
> With Facelets, one can also put XHTML files under the /WEB-INF, if they
> are templates or included files (same restrictions as with JSP
> essentially).
>
> A common trick to use in addition is to use the built in security of J2EE
> prevent direct serving of XHTML files:
>
> <security-constraint>
> <display-name>Restrict XHTML Documents</display-name>
> <web-resource-collection>
> <web-resource-name>XHTML</web-resource-name>
> <url-pattern>*.xhtml</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <description>Only let 'developer's access XHTML
> pages</description>
> <role-name>developer</role-name>
> </auth-constraint>
> </security-constraint>
>
> -----Original Message-----
> From: lmk [mailto:lotfi65@...]
> Sent: Monday, April 21, 2008 11:24
> To: users@...
> Subject: how to prevent direct access to jsf pages?
>
>
>
> Id like to prevent direct access to pages jsf, even the user is allowed
> to
> get the page requested,
> it's possible to allow only pages redirected or forwarded by the
> FacesServlet ?
>
> with only JSF, we can put jsp pages under /WEB-INF/ directory, so it can
> not
> be viewed by user.
>
> JSF can not redirect page under /WEB-INF/ directory, the directory wich
> user has no access...
> with facelets it seems impossible.
> there any solution?
> thanks !
>
> --
> View this message in context:
> http://www.nabble.com/how-to-prevent-direct-access-to-jsf-pages--tp16807991p16807991.html
> Sent from the java.net - facelets users mailing list archive at
> Nabble.com.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@...
> For additional commands, e-mail: users-help@...
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@...
> For additional commands, e-mail: users-help@...
>
>
>
--
View this message in context: http://www.nabble.com/how-to-prevent-direct-access-to-jsf-pages--tp16807991p16823204.html
Sent from the java.net - facelets users mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@...
For additional commands, e-mail: users-help@...
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@...
For additional commands, e-mail: users-help@...
From: lmk [mailto:lotfi65@...]
Sent: Tuesday, April 22, 2008 03:39
To: users@...
Subject: RE: how to prevent direct access to jsf pages?
> but we can not prevent user to get url like /view_product.jsf, It should be
> available only by FacesServlet..
I don't see the problem here, URLs like /view_product.jsf should be available and do use the FacesServlet (assuming you have done the appropriate mappings of *.jsf to the FacesServlet)
> I put template and pages xhtml on the /WEB-INF/ directory.. I get the error
> below:
Only put files that do NOT correspond to an addressable URL in the /WEB-INF directory. For example, template files or files that are used as includes into other files.
Perhaps it would be clearer if you gave a list of files and their uses along with the desired addressable URLs and non-addressable URLs.
Raymond K. DeCampo wrote:
>
> With Facelets, one can also put XHTML files under the /WEB-INF, if they
> are templates or included files (same restrictions as with JSP
> essentially).
>
> A common trick to use in addition is to use the built in security of J2EE
> prevent direct serving of XHTML files:
>
> <security-constraint>
> <display-name>Restrict XHTML Documents</display-name>
> <web-resource-collection>
> <web-resource-name>XHTML</web-resource-name>
> <url-pattern>*.xhtml</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <description>Only let 'developer's access XHTML
> pages</description>
> <role-name>developer</role-name>
> </auth-constraint>
> </security-constraint>
>
> -----Original Message-----
> From: lmk [mailto:lotfi65@...]
> Sent: Monday, April 21, 2008 11:24
> To: users@...
> Subject: how to prevent direct access to jsf pages?
>
>
>
> Id like to prevent direct access to pages jsf, even the user is allowed
> to
> get the page requested,
> it's possible to allow only pages redirected or forwarded by the
> FacesServlet ?
>
> with only JSF, we can put jsp pages under /WEB-INF/ directory, so it can
> not
> be viewed by user.
>
> JSF can not redirect page under /WEB-INF/ directory, the directory wich
> user has no access...
> with facelets it seems impossible.
> there any solution?
> thanks !
>
> --
> View this message in context:
> http://www.nabble.com/how-to-prevent-direct-access-to-jsf-pages--tp16807991p16807991.html
> Sent from the java.net - facelets users mailing list archive at
> Nabble.com.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@...
> For additional commands, e-mail: users-help@...
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@...
> For additional commands, e-mail: users-help@...
>
>
>
--
View this message in context: http://www.nabble.com/how-to-prevent-direct-access-to-jsf-pages--tp16807991p16823204.html
Sent from the java.net - facelets users mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@...
For additional commands, e-mail: users-help@...
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@...
For additional commands, e-mail: users-help@...
« Return to Thread: how to prevent direct access to jsf pages?
| Free embeddable forum powered by Nabble | Forum Help |
