Protecting internal view layer template pages in servlet applications


Problem description

I have a very basic question about MVC web applications in Java.

Since the olden days of raw JSP up until current technologies like Seam, a very basic pattern has always been the internal dispatch from the controller that initially accepted the request to the view layer that creates the output to be sent to the client.

This internal dispatch is generally done (although the mechanism may be hidden through an extra layer of configuration) by asking the servlet container for a new resource using a URL. The mapping of these URLs is done by the same web.xml that also defines the "real" URLs to the outside.

Unless special measures are taken, it is often possible to access the view layer directly. Witness the Seam "registration" demo, where you can bypass "register.seam" and directly go to "registered.xhtml". This is a potential security problem. At the very least, it leaks view template source code.

I am aware that this is only a basic sample application, but it is also strange that any extra measures should need to be taken to declare these internal resources invisible to the outside.

What is the easiest way to restrict URL entry points?

Is there maybe something like the "WEB-INF" directory, a magic URL path component that can only be accessed by internal requests?

Recommended answer

I have now seen a couple of applications that put their internal JSP into WEB-INF/jsp. That seems to do the trick, at least for JSP, and also for Velocity. It does not seem to work for JSF, though.
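The WEB-INF layout described in the answer, as an added example that is not code from the original post: a controller servlet is the only public entry point and forwards internally to JSPs under WEB-INF/jsp. The class name, the `/register` mapping, the `username` parameter and the JSP file names are hypothetical, chosen to mirror the Seam registration demo mentioned in the question.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical controller: the only URL a client can request is /register.
// On Jakarta EE 9+ containers the packages are jakarta.servlet.* instead.
@WebServlet("/register")
public class RegisterServlet extends HttpServlet {

    // Views live under WEB-INF, which the container never serves to clients:
    // a direct request for /WEB-INF/jsp/registered.jsp is answered with 404.
    private static final String FORM_VIEW = "/WEB-INF/jsp/register.jsp";
    private static final String DONE_VIEW = "/WEB-INF/jsp/registered.jsp";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        render(FORM_VIEW, req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        if (username == null || username.trim().isEmpty()) {
            // Invalid input: show the form again instead of the result view.
            req.setAttribute("error", "A username is required.");
            render(FORM_VIEW, req, resp);
            return;
        }
        // Storing the registration is outside the scope of this example.
        req.setAttribute("username", username.trim());
        render(DONE_VIEW, req, resp);
    }

    // Internal dispatch: a RequestDispatcher forward may reach WEB-INF,
    // while a request coming straight from a client may not.
    private void render(String view, HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.getRequestDispatcher(view).forward(req, resp);
    }
}
```

With this layout the confirmation view can only be reached after `doPost` has validated the input, so the bypass described in the question (requesting the result page directly) has no URL to target.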
