How do I protect JSF 2.0 facelets against direct access?

Question

I have found one idea here, putting files under /WEB-INF is a way to block direct access:

With Facelets, one can also put XHTML files under the /WEB-INF, if they are templates or included files (same restrictions as with JSP essentially).

The page also presents a solution based on Java EE security, which allows direct XHTML access only to members of a specific user group.

<security-constraint>
    <display-name>Restrict XHTML Documents</display-name>
    <web-resource-collection>
        <web-resource-name>XHTML</web-resource-name>
        <url-pattern>*.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>Only let 'developer's access XHTML pages</description>
        <role-name>developer</role-name>
    </auth-constraint>
</security-constraint> 

Would you recommend one of these solutions, or are both generally used?

Answer

Putting in the /WEB-INF folder is only applicable for template files, include files and tag files which should never be accessed directly and standalone by URL, also not by a valid mapping.

The security constraint is only applicable for public files when you haven't mapped the FacesServlet on *.xhtml. If you have for example mapped it on *.jsf then you can open public resources by foo.jsf URLs, but one could retrieve the raw XHTML source code by just changing the extension to foo.xhtml. That security constraint prevents this.

But better is to just map the FacesServlet on *.xhtml directly. This way you don't need that security constraint anymore. However, template/include/tag files should still be placed in /WEB-INF folder. To get the general idea, you may find the source of the OmniFaces showcase project helpful (see WEB-INF here).

  • Which XHTML files do I need to put in /WEB-INF and which not?
  • JSF files inside WEB-INF directory, how do I access them?
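A minimal web.xml that follows the approach recommended in the answer (the FacesServlet mapped directly on *.xhtml, with template and include files kept under /WEB-INF), written as an added example rather than taken from the original question or answer; the file names under /WEB-INF are assumed:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         version="3.0">

    <!-- Map the FacesServlet on *.xhtml itself. Every request for a
         public page such as /index.xhtml is then processed by JSF, so
         there is no sibling URL (foo.xhtml next to foo.jsf) that would
         hand out the raw XHTML source, and the *.xhtml security
         constraint from the question is no longer needed. -->
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>

    <!-- Assumed layout of the deployed application (not mandated by JSF):

           /index.xhtml                       public page, served through the
                                              FacesServlet mapping above
           /WEB-INF/templates/layout.xhtml    master template; the servlet
                                              container never serves anything
                                              below /WEB-INF by URL
           /WEB-INF/includes/header.xhtml     include file, same protection

         A public page still references a template under /WEB-INF by its
         context-relative path, for example
           <ui:composition template="/WEB-INF/templates/layout.xhtml">
         because Facelets resolves templates through the servlet context,
         not through an HTTP request. -->
</web-app>
```

With this mapping in place the only files that need the /WEB-INF treatment are those that must never be rendered on their own; public pages can stay at the webapp root.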