how to prevent direct access to jsf pages?

I'd like to prevent direct access to JSF pages, even if the user is allowed to get the requested page.
Is it possible to allow only pages redirected or forwarded by the FacesServlet?

With only JSF, we can put JSP pages under the /WEB-INF/ directory, so they cannot be viewed by the user.

JSF cannot redirect to a page under the /WEB-INF/ directory, the directory which the user has no access to...
With Facelets it seems impossible.
Is there any solution?
Thanks!
|
AW: how to prevent direct access to jsf pages?

Hi,
I read sth. about it in the developers doc https://facelets.dev.java.net/nonav/docs/dev/docbook.html#config in point 2.2.2. Is that what you mean?

nSchweig

-----Original Message-----
From: lmk [mailto:lotfi65@...]
Sent: Monday, 21 April 2008 17:24
To: users@...
Subject: how to prevent direct access to jsf pages?

I'd like to prevent direct access to JSF pages, even if the user is allowed to get the requested page.
Is it possible to allow only pages redirected or forwarded by the FacesServlet?

With only JSF, we can put JSP pages under the /WEB-INF/ directory, so they cannot be viewed by the user.

JSF cannot redirect to a page under the /WEB-INF/ directory, the directory which the user has no access to...
With Facelets it seems impossible.
Is there any solution?
Thanks!
|
RE: how to prevent direct access to jsf pages?

But we cannot prevent the user from getting a URL like /view_product.jsf. It should be available only through the FacesServlet.
I put the template and the XHTML pages in the /WEB-INF/ directory. I get the error below:

    /accessTest/WEB-INF/index.jsf

    State HTTP 404 - /accessTest/WEB-INF/index.jsf
    message /keybee/accessTest-INF/index.jsf
    description the requested ressource (/accessTest/WEB-INF/index.jsf) is not available.
|
RE: RE: how to prevent direct access to jsf pages?

Hi Raymond,

I put the template file under the /WEB-INF/ directory. I have a page index.xhtml:

    <ui:composition template="/WEB-INF/layout/template.xhtml"
                    xmlns="http://www.w3.org/1999/xhtml"
                    xmlns:ui="http://java.sun.com/jsf/facelets"
                    xmlns:h="http://java.sun.com/jsf/html"
                    xmlns:f="http://java.sun.com/jsf/core">
        <ui:define name="title">Home</ui:define>
        <ui:define name="body">
            <h:outputText value="Welcome"></h:outputText>
        </ui:define>
    </ui:composition>

The navigation rules look like this:

    <navigation-rule>
        <from-view-id>/register.xhtml</from-view-id>
        <navigation-case>
            <from-outcome>register</from-outcome>
            <to-view-id>/index.xhtml</to-view-id> <!-- can't put /WEB-INF/index.xhtml -->
        </navigation-case>
    </navigation-rule>

So after login the user can access the URL /index.jsf himself; I have to restrict navigation to JSF actions only.
Using only MyFaces without JSF, I can do this. Do I have to implement an alternative ResourceResolver?
I hope that is clear :)
Thanks
|
AW: how to prevent direct access to jsf pages?

Hello,
forget about the /WEB-INF/ directory; it might only be useful to prevent users from being served templates directly.
You cannot put normal pages there, so /accessTest/WEB-INF/index.jsf does not make any sense.

If you want to prevent normal users from getting a file directly, simply put it in a directory /foo/ and define a security-constraint:

    <security-constraint>
        <display-name>Restrict Area</display-name>
        <web-resource-collection>
            <web-resource-name>XHTML</web-resource-name>
            <url-pattern>/foo/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description>Only let 'developer's access this files</description>
            <role-name>developer</role-name>
        </auth-constraint>
    </security-constraint>

In some cases container-based security will not fit your needs. You can use a phase listener to implement security on your own.

PS: I have tried to put templates in /WEB-INF/ as Raymond K. DeCampo described, but until now I have got only a 404 status when trying to access a file /foo.jsf that uses a template /WEB-INF/tmpl/bar.xhtml. I am wondering if I did something wrong, or whether that is something that won't work at all?

-----Original Message-----
From: lmk [mailto:lotfi65@...]
Sent: Tuesday, 22 April 2008 09:39
To: users@...
Subject: RE: how to prevent direct access to jsf pages?

But we cannot prevent the user from getting a URL like /view_product.jsf. It should be available only through the FacesServlet.
I put the template and the XHTML pages in the /WEB-INF/ directory. I get the error below:

    /accessTest/WEB-INF/index.jsf

    State HTTP 404 - /accessTest/WEB-INF/index.jsf
    message /keybee/accessTest-INF/index.jsf
    description the requested ressource (/accessTest/WEB-INF/index.jsf) is not available.

Raymond K. DeCampo wrote:
> With Facelets, one can also put XHTML files under the /WEB-INF, if they
> are templates or included files (same restrictions as with JSP
> essentially).
>
> A common trick to use in addition is to use the built in security of J2EE
> to prevent direct serving of XHTML files:
>
>     <security-constraint>
>         <display-name>Restrict XHTML Documents</display-name>
>         <web-resource-collection>
>             <web-resource-name>XHTML</web-resource-name>
>             <url-pattern>*.xhtml</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <description>Only let 'developer's access XHTML pages</description>
>             <role-name>developer</role-name>
>         </auth-constraint>
>     </security-constraint>
|
Re: AW: how to prevent direct access to jsf pages?

Hello,
it's clearer now. Can you give me an example of securing access to JSF with the PhaseListener?
Thanks
|
AW: AW: how to prevent direct access to jsf pages?

Hello,
This looks like a good example: http://jdj.sys-con.com/read/250254_1.htm

-----Original Message-----
From: lmk [mailto:lotfi65@...]
Sent: Monday, 28 April 2008 14:39
To: users@...
Subject: Re: AW: how to prevent direct access to jsf pages?

Hello,
it's clearer now. Can you give me an example of securing access to JSF with the PhaseListener?
Thanks

Keywan Ghadami wrote:
> Hello,
> forget about the /WEB-INF/ directory; it might only be useful to prevent
> users from being served templates directly.
> You cannot put normal pages there, so /accessTest/WEB-INF/index.jsf does
> not make any sense.
>
> If you want to prevent normal users from getting a file directly, simply
> put it in a directory /foo/ and define a security-constraint:
>
>     <security-constraint>
>         <display-name>Restrict Area</display-name>
>         <web-resource-collection>
>             <web-resource-name>XHTML</web-resource-name>
>             <url-pattern>/foo/*</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <description>Only let 'developer's access this files</description>
>             <role-name>developer</role-name>
>         </auth-constraint>
>     </security-constraint>
>
> In some cases container-based security will not fit your needs. You can
> use a phase listener to implement security on your own.
>
> PS: I have tried to put templates in /WEB-INF/ as Raymond K. DeCampo
> described, but until now I have got only a 404 status when trying to
> access a file /foo.jsf that uses a template /WEB-INF/tmpl/bar.xhtml. I am
> wondering if I did something wrong, or whether that is something that
> won't work at all?
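
The phase-listener approach suggested in this thread, as an added example that is not part of the original posts or of the linked article: it rejects initial (non-postback) requests for any view outside a small set of entry pages, so the other views are reachable only through a JSF action. The class and package names, the /login.xhtml entry and the 403 response are assumptions; the code uses the JSF 1.2 javax.faces API.

```java
package example.security; // hypothetical package, not from the thread

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.faces.FacesException;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;
import javax.servlet.http.HttpServletResponse;

/** Rejects initial (non-postback) requests for views that are not entry points. */
public class DirectAccessGuard implements PhaseListener {

    private static final long serialVersionUID = 1L;

    // Assumed entry points: the only view ids a browser may request with a plain GET.
    private static final Set<String> ENTRY_VIEWS =
            new HashSet<String>(Arrays.asList("/login.xhtml", "/register.xhtml"));

    public PhaseId getPhaseId() {
        return PhaseId.RESTORE_VIEW;
    }

    public void beforePhase(PhaseEvent event) {
        // Nothing to do: the view id is only known after RESTORE_VIEW has run.
    }

    public void afterPhase(PhaseEvent event) {
        FacesContext ctx = event.getFacesContext();
        String viewId = ctx.getViewRoot().getViewId(); // e.g. "/index.xhtml" for /index.jsf
        boolean postback = ctx.getRenderKit().getResponseStateManager().isPostback(ctx);
        // A JSF action arrives as a postback to the source view and the target view is
        // rendered within the same request; a URL typed by the user is never a postback.
        if (postback || ENTRY_VIEWS.contains(viewId)) {
            return;
        }
        try {
            HttpServletResponse response =
                    (HttpServletResponse) ctx.getExternalContext().getResponse();
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        } catch (IOException e) {
            throw new FacesException(e);
        }
        ctx.responseComplete(); // skip the remaining lifecycle phases
    }
}
```

Register the class with a phase-listener element inside the lifecycle element of faces-config.xml. Navigation cases that use <redirect/> arrive as a plain GET and are rejected as well, and because this only checks navigation flow, role checks still belong in a security-constraint.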