如何保护JSF 2.0 Facelets免受直接访问? [英] How do I protect JSF 2.0 facelets against direct access?
问题描述
我在此处找到了一个主意,将文件放在/WEB-INF下是一种阻止直接访问的方法:
I have found one idea here, putting files under /WEB-INF is a way to block direct access:
使用Facelets,还可以将XHTML文件放在/WEB-INF下,如果 它们是模板或包含的文件(与JSP相同的限制 本质上).
With Facelets, one can also put XHTML files under the /WEB-INF, if they are templates or included files (same restrictions as with JSP essentially).
页面还提供了基于Java EE安全性的解决方案,该解决方案仅允许直接XHTML访问特定用户组的成员.
The page also presents a solution based on Java EE security, which allows direct XHTML access only to members of a specific user group.
<security-constraint>
<display-name>Restrict XHTML Documents</display-name>
<web-resource-collection>
<web-resource-name>XHTML</web-resource-name>
<url-pattern>*.xhtml</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>Only let 'developer's access XHTML pages</description>
<role-name>developer</role-name>
</auth-constraint>
</security-constraint>
您会推荐这些解决方案之一,还是通常都使用?
Would you recommend one of these solutions, or are both generally used?
推荐答案
将/WEB-INF
文件夹中的内容仅适用于模板文件,包括文件和标记文件,这些文件应从不直接访问,独立于URL,也不受有效的映射.
Putting in the /WEB-INF
folder is only applicable for template files, include files and tag files which should never be accessed directly and standalone by URL, also not by a valid mapping.
仅当您尚未将FacesServlet
映射到*.xhtml
时,安全约束才适用于公共文件.例如,如果将其映射到*.jsf
上,则可以通过foo.jsf
URL打开公共资源,但是只要将扩展名更改为foo.xhtml
,就可以检索原始XHTML源代码.这种安全约束可以防止这种情况.
The security constraint is only applicable for public files when you haven't mapped the FacesServlet
on *.xhtml
. If you have for example mapped it on *.jsf
then you can open public resources by foo.jsf
URLs, but one could retrieve the raw XHTML source code by just changing the extension to foo.xhtml
. That security constraint prevents this.
但是更好的方法是直接将FacesServlet
映射到*.xhtml
.这样,您就不再需要该安全约束.但是,模板/包含/标记文件仍应放置在/WEB-INF
文件夹中.要获得总体思路,您可能会发现 OmniFaces展示项目的来源很有帮助(请参见WEB-INF
此处).
But better is to just map the FacesServlet
on *.xhtml
directly. This way you don't need that security constraint anymore. However, template/include/tag files should still be placed in /WEB-INF
folder. To get the general idea, you may find the source of the OmniFaces showcase project helpful (see WEB-INF
here).
- Which XHTML files do I need to put in /WEB-INF and which not?
- JSF files inside WEB-INF directory, how do I access them?
这篇关于如何保护JSF 2.0 Facelets免受直接访问?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!