Avoid direct access to source code of JSF page


Problem description

When I request /personal/faces/public/login.xhtml, then it works fine, but when I request /personal/public/login.xhtml without /faces I obtain the raw source code of the page.


I would like to avoid that people could see the source code of the page. How can I achieve this?

Recommended answer

This is happening because you've specified /faces/* in your FacesServlet configuration in the web.xml. As a result, any file requested that does not match the specified url pattern will be served as a regular file with a GET request. Change that config to the following to ensure all JSF related requests go through the FacesServlet:

    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>


This ensures all files with .xhtml extension will be processed before returning to the client.


While the above solution may solve the immediate problem, what you're experiencing points to a deeper security issue. It indicates that anyone with a browser can request and download artifacts from your web application deployment and possibly other parts of your filesystem. This is a security hole you will need to look into. The options vary depending on your App server.
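The check below is an added example and is not part of the answer above or of any JSF project. It is a small POSIX shell linter for a deployment descriptor: it pulls every url-pattern mapped to the "Faces Servlet" out of web.xml and flags any configuration that is not the *.xhtml suffix mapping the answer recommends, so the prefix mapping (/faces/*) from the question shows up as a finding before deployment rather than as raw view source in a browser. The two web.xml files it inspects are constructed samples written to a temporary directory; the servlet name, servlet class and namespace are the standard ones, but everything else (file names, the FINDING/OK report format) is this example's own choice. The check is deliberately conservative: any pattern other than *.xhtml is reported, which also covers deployments that rely on a different mapping plus other controls.

```sh
#!/bin/sh
# Added example, not part of the original answer: lint web.xml for the FacesServlet mapping.
# The prefix mapping /faces/* lets a request without the prefix bypass the FacesServlet and
# receive the raw .xhtml source; the *.xhtml suffix mapping routes every view through it.

# Print every <url-pattern> that belongs to a <servlet-mapping> for "Faces Servlet".
faces_url_patterns() {
  awk '
    /<servlet-mapping>/   { inmap = 1; isfaces = 0; next }
    /<\/servlet-mapping>/ { inmap = 0; next }
    inmap && /<servlet-name>/ {
      if ($0 ~ /<servlet-name>[[:space:]]*Faces Servlet[[:space:]]*<\/servlet-name>/) isfaces = 1
      next
    }
    inmap && isfaces && /<url-pattern>/ {
      sub(/.*<url-pattern>[[:space:]]*/, "")
      sub(/[[:space:]]*<\/url-pattern>.*/, "")
      print
    }
  ' "$1"
}

# Exit 0 only when the Faces Servlet has at least one mapping and every mapping is the
# *.xhtml suffix pattern from the answer. Conservative on purpose: /faces/* or any other
# pattern is treated as a finding that needs a human look.
faces_mapping_ok() {
  total=$(faces_url_patterns "$1" | wc -l | tr -d ' ')
  bad=$(faces_url_patterns "$1" | grep -vxF '*.xhtml' | wc -l | tr -d ' ')
  [ "$total" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Constructed samples (not taken from any real deployment): the weak configuration from
# the question and the same descriptor after applying the answer's change.
SAMPLE_DIR=$(mktemp -d)
WEAK_WEB_XML="$SAMPLE_DIR/weak-web.xml"
FIXED_WEB_XML="$SAMPLE_DIR/fixed-web.xml"

cat > "$WEAK_WEB_XML" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
  </servlet-mapping>
</web-app>
EOF

# Corrected descriptor: only the url-pattern changes, exactly as the answer recommends.
sed 's#<url-pattern>/faces/\*</url-pattern>#<url-pattern>*.xhtml</url-pattern>#' \
  "$WEAK_WEB_XML" > "$FIXED_WEB_XML"

# Stand-alone report; the exit status of faces_mapping_ok is what a build step would consume.
for f in "$WEAK_WEB_XML" "$FIXED_WEB_XML"; do
  if faces_mapping_ok "$f"; then
    echo "OK      $f: $(faces_url_patterns "$f" | tr '\n' ' ')"
  else
    echo "FINDING $f: $(faces_url_patterns "$f" | tr '\n' ' ')"
  fi
done
```

Run it against a real WEB-INF/web.xml by calling faces_mapping_ok on that path; a non-zero exit means the descriptor still has a mapping that can be bypassed the way the question describes. The awk pass is intentionally line-oriented and only understands the servlet-name/url-pattern ordering the Servlet schema prescribes, so a descriptor with both tags on one line should be checked by hand.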
