Exclude css & image resources in web.xml Security Constraint


Problem description


I am using JSF2.1 and Glassfish 3.1.2.

I specify a security constraint to block everything:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secured Content</web-resource-name>
        <!-- Block all -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>

    <!-- only users with at least one of these roles are allowed to access the secured content -->
    <auth-constraint>
        <role-name>ADMINISTRATOR</role-name>
    </auth-constraint>
</security-constraint>

and have another to allow access to a subset of pages and the resources:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Open Content</web-resource-name>
        <!-- Allow subscribe -->
        <url-pattern>/subscribe/*</url-pattern>
        <url-pattern>/javax.faces.resource/*</url-pattern>
    </web-resource-collection>
    <!-- No Auth Constraint! -->
</security-constraint>

This works fine. However, is the following

<url-pattern>/javax.faces.resource/*</url-pattern>

the correct way to allow all resources?

I only did this by looking at the url that Facelets injects into the xhtml. Are there security holes with this approach?

Thanks.

Solution

It has to be the value of the ResourceHandler#RESOURCE_IDENTIFIER constant. See also its javadoc:

RESOURCE_IDENTIFIER

public static final java.lang.String RESOURCE_IDENTIFIER

Resource#getRequestPath returns the value of this constant as the prefix of the URI. handleResourceRequest(javax.faces.context.FacesContext) looks for the value of this constant within the request URI to determine if the request is a resource request or a view request.

See Also:

Constant Field Values

The constant field values say the following:

public static final java.lang.String    RESOURCE_IDENTIFIER    "/javax.faces.resource"

So, you're absolutely correct as to the URL pattern. There are no security holes, provided that you don't put sensitive information in the /resources folder of the public webcontent which is handled by the JSF resource handler.
