我需要将哪些XHTML文件放入/WEB-INF中，而哪些不需要? [英] Which XHTML files do I need to put in /WEB-INF and which not?

问题描述

这些问题之后:

• https://stackoverflow.com/questions/8589315/jsf2-dynamic-template
• 动态ui:include
• 如何在@WindowScoped上检索对象?
• 我如何检查用@WindowScoped存储的对象是否正确存储?
• ICE Faces和创建错误WindowScoped中的一个bean

• https://stackoverflow.com/questions/8589315/jsf2-dynamic-template
• Dynamic ui:include
• How can I retrieve an object on @WindowScoped?
• How can I check if an object stored with @WindowScoped is stored correctly?
• ICE Faces and error in creation of a bean in WindowScoped

来解决JSF2框架的愚蠢"问题，这是我无法直接链接到/WEB-INF子文件夹中存储的页面的事实.之后，我对Google和Stackoverflow进行了一些研究，我将了解:如何构造JSF2 Web项目?

that I wrote all to resolve a "stupid" issue for the JSF2 framework, the fact that I can't link directly to a page stored in a /WEB-INF subfolder. After that I did some research on Google and Stackoverflow I would know a thing: How do I structure a JSF2 web project?

特别是，我应该将XHTML页面确切放置在什么地方?

In particular, where exactly do I put the XHTML pages?

推荐答案

/WEB-INF文件夹中的文件确实不能由最终用户公开访问.因此，您不能拥有http://localhost:8080/contextname/WEB-INF/some.xhtml之类的东西.这将是一个潜在的安全漏洞，因为最终用户将能够查看/WEB-INF/web.xml等.

Files in /WEB-INF folder are indeed not publicly accessible by enduser. So you cannot have something like http://localhost:8080/contextname/WEB-INF/some.xhtml. That would be a potential security hole as the enduser would be able to view among others /WEB-INF/web.xml and so on.

但是，您可以使用/WEB-INF文件夹放置主模板文件，包括文件和标记文件.例如，以下模板客户端page.xhtml放置在/WEB-INF外部，并且可以通过http://localhost:8080/contextname/page.xhtml访问:

You can however use the /WEB-INF folder to put master template files, include files and tag files in. For example, the following template client page.xhtml which is placed outside /WEB-INF and is accessible by http://localhost:8080/contextname/page.xhtml:

<ui:composition template="/WEB-INF/templates/template.xhtml"
    xmlns="http://www.w3.org/1999/xhtml"
    xmlns:f="http://java.sun.com/jsf/core"
    xmlns:h="http://java.sun.com/jsf/html"
    xmlns:ui="http://java.sun.com/jsf/facelets"
>
    <ui:define name="content">
        ...
        <ui:include src="/WEB-INF/includes/include.xhtml" />
        ...
    </ui:define>
</ui:composition>

将主模板和包含文件放置在/WEB-INF中的优点是，最终用户将无法通过在浏览器地址栏中输入/猜测其URL来直接打开它们.旨在直接访问的普通页面和模板客户端不得放置在/WEB-INF文件夹中.

The advantage of placing master templates and include files in /WEB-INF is that the enduser won't be able to open them directly by entering/guessing its URL in the browser addres bar. The normal pages and template clients which are intented to be accessed directly must not be placed in /WEB-INF folder.

顺便说一句，复合组件文件也不应公开访问，但是根据规范，它们必须放置在默认情况下可公开访问的/resources文件夹中.如果您确保使用所提供的组件来访问所有资源，这样它们就永远不会被URL中的/resources访问(而是被/javax.faces.resource访问)，然后可以在web.xml中添加以下约束，以阻止对/resources文件夹的所有公共访问:

By the way, the composite component files are in turn also not supposed to be publicly accessible, however they are by specification required to be placed in /resources folder which is by default publicly accesible. If you make sure that you access all resources using the therefor provided components so that they are never accessed by /resources in URL (but instead by /javax.faces.resource), then you can add the following constraint to web.xml to block all public access to the /resources folder:

<security-constraint>
    <display-name>Restrict direct access to the /resources folder.</display-name>
    <web-resource-collection>
        <web-resource-name>The /resources folder.</web-resource-name>
        <url-pattern>/resources/*</url-pattern>
    </web-resource-collection>
    <auth-constraint />
</security-constraint> 

这篇关于我需要将哪些XHTML文件放入/WEB-INF中，而哪些不需要?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！