Avoid direct access to source code of JSF page
Question
When I request /personal/faces/public/login.xhtml, it works fine, but when I request /personal/public/login.xhtml without /faces, I obtain the raw source code of the page.
I would like to prevent people from seeing the source code of the page. How can I achieve this?
Answer
This is happening because you've specified /faces/* in your FacesServlet configuration in the web.xml. As a result, any file requested that does not match the specified url pattern will be served as a regular file with a GET request.
Change that config to the following to ensure all JSF related requests go through the FacesServlet:
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
This ensures all files with the .xhtml extension will be processed before being returned to the client.
While the above solution may solve the immediate problem, what you're experiencing points to a deeper security issue. It indicates that anyone with a browser can request and download artifacts from your web application deployment and possibly other parts of your filesystem. This is a security hole you will need to look into. The options vary depending on your App server.
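The routing rule the answer relies on can be checked mechanically. The following is an added example, not code from the question or the answer: it parses a web.xml, applies the servlet-spec url-pattern matching rules (exact, path-prefix such as /faces/*, extension such as *.xhtml), and reports which .xhtml request paths would bypass the FacesServlet and come back as raw source. The three web.xml fragments and the probe paths are constructed for this example. The third fragment goes beyond what the answer states: it is the common alternative of keeping a virtual extension (*.jsf) and denying direct client requests to *.xhtml templates with an empty auth-constraint; that the FacesServlet still reads the template through the servlet context, unaffected by the constraint, is an assumption of this example.

```python
"""Which request paths does a web.xml route through the FacesServlet, and
which ones fall through to the container's default servlet as raw files?
Added example; all web.xml fragments and probe paths are constructed."""
import xml.etree.ElementTree as ET

# Constructed: the questioner's situation, FacesServlet only behind /faces/*.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
  </servlet-mapping>
</web-app>"""

# Constructed: the answer's fix, every *.xhtml request goes through JSF.
FIXED_WEB_XML = WEAK_WEB_XML.replace("/faces/*", "*.xhtml")

# Constructed, beyond the answer: virtual *.jsf extension plus a constraint
# with an empty <auth-constraint/> that denies direct requests for *.xhtml.
# Assumption: the FacesServlet loads the template via the servlet context,
# not via a client request, so the constraint does not affect rendering.
CONSTRAINED_WEB_XML = WEAK_WEB_XML.replace("/faces/*", "*.jsf").replace(
    "</web-app>",
    """  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Facelets templates</web-resource-name>
      <url-pattern>*.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>""")


def _local(tag):
    """Strip the XML namespace so tags compare the same with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _patterns(element, container, servlet_name=None):
    """All <url-pattern> values under every <container> element below
    `element`; if servlet_name is given, only containers naming that servlet."""
    found = []
    for el in element.iter():
        if _local(el.tag) != container:
            continue
        if servlet_name is not None:
            names = [c.text.strip() for c in el if _local(c.tag) == "servlet-name"]
            if servlet_name not in names:
                continue
        found += [c.text.strip() for c in el.iter() if _local(c.tag) == "url-pattern"]
    return found


def matches(pattern, path):
    """Servlet-spec url-pattern matching for a context-relative path."""
    if pattern.endswith("/*"):                        # path-prefix mapping
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):                      # extension mapping
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == path                            # exact mapping


def routed_to_faces(web_xml, path, servlet_name="Faces Servlet"):
    """True if the request path is dispatched to the FacesServlet."""
    root = ET.fromstring(web_xml)
    return any(matches(p, path) for p in _patterns(root, "servlet-mapping", servlet_name))


def denied_by_constraint(web_xml, path):
    """True if a <security-constraint> with an empty <auth-constraint/>
    covers the path, i.e. the container refuses every direct request for it."""
    root = ET.fromstring(web_xml)
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        empty_auth = any(len(c) == 0 for c in sc if _local(c.tag) == "auth-constraint")
        if empty_auth and any(matches(p, path) for p in _patterns(sc, "web-resource-collection")):
            return True
    return False


def exposed_templates(web_xml, paths):
    """Paths whose raw .xhtml source a browser would receive: neither routed
    through the FacesServlet nor denied by a security constraint."""
    return [p for p in paths
            if p.endswith(".xhtml")
            and not routed_to_faces(web_xml, p)
            and not denied_by_constraint(web_xml, p)]


# Constructed probe paths, context-relative (the /personal prefix stripped).
PROBE_PATHS = [
    "/faces/public/login.xhtml",   # works for the questioner
    "/public/login.xhtml",         # returned raw source for the questioner
    "/public/login.jsf",
    "/resources/css/style.css",
]

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_XML), ("fixed", FIXED_WEB_XML),
                       ("constrained", CONSTRAINED_WEB_XML)):
        print(f"{label:12s} exposed: {exposed_templates(cfg, PROBE_PATHS)}")
```

With the weak configuration only /public/login.xhtml is reported as exposed, which is exactly the request that returned source; with the *.xhtml mapping nothing is. In the constrained variant the pages are requested as /public/login.jsf, and a direct request for any *.xhtml URL (including /faces/public/login.xhtml) is refused by the container rather than rendered.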