Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
1.8k views
in Technique by (71.8m points)

security - Prevent direct access to composite components by placing them inside /WEB-INF

I'm trying to define some composite components in my web application. According to the tutorials I read, I have to place the XHTML files inside a resource folder located in webcontent. This solution is problematic, given that it would make those files available for public access from a URL. Is there a way to put these components inside the WEB-INF folder, and make JSF look for the files there? If not, is there another way to avoid direct access?

Thanks.

P.S.: I have looked into this answer, and if I understood BalusC's answer correctly, what I intend to do is possible.


1 Reply

0 votes
by (71.8m points)

"Composite components" are not exactly the same as "compositions" in the question/answer you found. The OP was clearly talking about compositions as in <ui:include> files which are including <ui:composition> content.

You effectively want to prevent direct access to /resources. This can be achieved by adding the following security constraint entry to web.xml:

<security-constraint>
    <display-name>Restrict direct access to JSF resources</display-name>
    <web-resource-collection>
        <web-resource-name>JSF resources</web-resource-name>
        <url-pattern>/resources/*</url-pattern>
    </web-resource-collection>
    <auth-constraint /><!-- Empty auth constraint! -->
</security-constraint> 

As per the upcoming JSF 2.2, this would not be necessary anymore as it allows you to move the whole /resources folder into /WEB-INF by the following configuration entry in web.xml:

<context-param>
    <param-name>javax.faces.WEBAPP_RESOURCES_DIRECTORY</param-name>
    <param-value>WEB-INF/resources</param-value> 
</context-param>
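
An added example, not part of the original answer: a small Python audit that reads a web.xml and reports whether the JSF resources folder is moved under WEB-INF, denied by an empty auth-constraint, only partly covered because the collection lists HTTP methods, or exposed. The function names and the GET_ONLY sample descriptor are constructed for illustration.

```python
import xml.etree.ElementTree as ET

RESOURCES_PARAM = "javax.faces.WEBAPP_RESOURCES_DIRECTORY"

# Constructed sample: the constraint from the answer, weakened by <http-method>.
GET_ONLY = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSF resources</web-resource-name>
      <url-pattern>/resources/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>"""

def _local(tag):
    # Drop the XML namespace so descriptors of any Servlet version match.
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _text(elem, name):
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else ""

def resources_protection(web_xml, resources_dir="/resources"):
    """Return 'web-inf', 'constraint', 'partial' or 'exposed'."""
    root = ET.fromstring(web_xml)
    for param in _children(root, "context-param"):
        if (_text(param, "param-name") == RESOURCES_PARAM
                and _text(param, "param-value").startswith("WEB-INF/")):
            return "web-inf"  # the container never serves /WEB-INF directly
    result = "exposed"
    for sc in _children(root, "security-constraint"):
        auth = _children(sc, "auth-constraint")
        # Only an auth-constraint without role-name children denies everyone.
        if not auth or _children(auth[0], "role-name"):
            continue
        for coll in _children(sc, "web-resource-collection"):
            patterns = [(p.text or "").strip() for p in _children(coll, "url-pattern")]
            if resources_dir + "/*" not in patterns:
                continue
            # http-method / http-method-omission leave other methods unconstrained.
            if _children(coll, "http-method") or _children(coll, "http-method-omission"):
                result = "partial"
            else:
                return "constraint"
    return result
```

A "partial" result means the deny rule applies only to some HTTP methods, so requests using the remaining methods still reach /resources directly.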
