Protecting internal view layer template pages in servlet applications


Question

I have a very basic question about MVC web applications in Java.

Since the olden days of raw JSP up until current technologies like Seam, a very basic pattern has always been the internal dispatch from the controller that initially accepted the request to the view layer that creates the output to be sent to the client.

This internal dispatch is generally done (although the mechanism may be hidden through an extra layer of configuration) by asking the servlet container for a new resource using a URL. The mapping of these URL are done by the same web.xml that also defines the "real" URL to the outside.

Unless special measures are taken, it is often possible to access the view layer directly. Witness the Seam "registration" demo, where you can bypass "register.seam" and directly go to "registered.xhtml". This is a potential security problem. At the very least, it leaks view template source code.

I am aware that this is only a basic sample application, but it is also strange that any extra measures should need to be taken to declare these internal resources invisible to the outside.

What is the easiest way to restrict URL entry points?

Is there maybe something like the "WEB-INF" directory, a magic URL path component that can only be accessed by internal requests?

Accepted answer

I have now seen a couple of applications that put their internal JSP into WEB-INF/jsp. That seems to do the trick, at least for JSP, and also for Velocity. It does not seem to work for JSF, though.
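The WEB-INF/jsp arrangement the answer describes, shown as an added example that is not part of the original question or answer and not taken from the Seam demo. The servlet class, its URL mapping and the template paths are assumptions chosen for this example. The security-relevant point is the split between the public entry point (`/register`, mapped by the servlet) and the template (`/WEB-INF/jsp/registered.jsp`): the Servlet specification requires the container to answer a client request for anything under `/WEB-INF/` with a 404, while an internal `RequestDispatcher` forward from the controller can still reach it, so the template source is never exposed and the page cannot be reached without passing through the controller.

```java
import java.io.IOException;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical controller for the public entry point /register.
 *
 * The templates it renders live under /WEB-INF/jsp/. The container never
 * serves that directory to a client (a browser request for
 * /WEB-INF/jsp/registered.jsp gets a 404 per the Servlet specification),
 * but an internal RequestDispatcher forward from this servlet can reach it.
 * Class name and paths are assumptions made for this example.
 */
@WebServlet("/register")
public class RegisterServlet extends HttpServlet {

    // Internal-only views; both paths are assumptions for this example.
    private static final String FORM_VIEW = "/WEB-INF/jsp/register.jsp";
    private static final String DONE_VIEW = "/WEB-INF/jsp/registered.jsp";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // GET shows the registration form; the form template is also kept
        // out of the document root so it cannot be fetched directly either.
        forwardTo(FORM_VIEW, req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        if (username == null || username.trim().isEmpty()) {
            // Input validation happens here, in the controller, which is the
            // only way to reach the "registered" view at all.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "username is required");
            return;
        }
        // Persisting the registration would happen here.

        // Hand the model to the view through request attributes, then forward.
        req.setAttribute("username", username.trim());
        forwardTo(DONE_VIEW, req, resp);
    }

    /**
     * Internal dispatch: the response is produced by the JSP, but the URL the
     * client sees stays /register and the JSP itself has no public URL.
     */
    private static void forwardTo(String view, HttpServletRequest req,
                                  HttpServletResponse resp)
            throws ServletException, IOException {
        RequestDispatcher dispatcher = req.getRequestDispatcher(view);
        dispatcher.forward(req, resp);
    }
}
```

A quick check after deploying such an application: requesting `/WEB-INF/jsp/registered.jsp` in a browser must return 404, while a POST to `/register` renders it. The answer above notes that this trick does not cover JSF; one widely used alternative for that case (not from the answer, and assumed here) is a `<security-constraint>` in web.xml whose `<url-pattern>` is `*.xhtml` and whose `<auth-constraint>` is empty, which makes the container deny every direct client request for the raw Facelets templates while the `*.jsf` (or similar) mapping handled by the FacesServlet stays reachable.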
