Exclude css & image resources in web.xml Security Constraint
Problem description
I am using JSF2.1 and Glassfish 3.1.2.
I specify a security constraint to block everything:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secured Content</web-resource-name>
        <!-- Block all -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- only users with at least one of these roles are allowed to access the secured content -->
    <auth-constraint>
        <role-name>ADMINISTRATOR</role-name>
    </auth-constraint>
</security-constraint>
and have another to allow access a subset of pages and the resources:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Open Content</web-resource-name>
        <!-- Allow subscribe -->
        <url-pattern>/subscribe/*</url-pattern>
        <url-pattern>/javax.faces.resource/*</url-pattern>
    </web-resource-collection>
    <!-- No Auth Constraint! -->
</security-constraint>
This works fine. However, is the following
<url-pattern>/javax.faces.resource/*</url-pattern>
the correct way to allow all resources?
I only did this by looking at the url that Facelets injects into the xhtml. Are there security holes with this approach?
Thanks.
It has to be the value of the ResourceHandler#RESOURCE_IDENTIFIER constant. See also its javadoc:
RESOURCE_IDENTIFIER
public static final java.lang.String RESOURCE_IDENTIFIER
Resource#getRequestPath returns the value of this constant as the prefix of the URI. handleResourceRequest(javax.faces.context.FacesContext) looks for the value of this constant within the request URI to determine if the request is a resource request or a view request.
The constant field values say the following:
public static final java.lang.String RESOURCE_IDENTIFIER "/javax.faces.resource"
So, you're absolutely correct as to the URL pattern. There are no security holes, provided that you don't put sensitive information in the /resources folder of the public webcontent which is handled by the JSF resource handler.
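Added example (not from the question or the answer above): a small Python checker that parses security constraints like the two in the question and resolves, using the Servlet spec's best-match and constraint-combining rules, which roles a request path needs. The web.xml fragment is constructed from the question's constraints; http-method elements are ignored (every method is treated alike), and only exact, path-prefix and extension patterns are handled.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment reproducing the two constraints from the question.
WEB_XML = """<web-app>
<security-constraint><web-resource-collection>
  <web-resource-name>Secured Content</web-resource-name><url-pattern>/*</url-pattern>
</web-resource-collection><auth-constraint><role-name>ADMINISTRATOR</role-name></auth-constraint>
</security-constraint>
<security-constraint><web-resource-collection>
  <web-resource-name>Open Content</web-resource-name>
  <url-pattern>/subscribe/*</url-pattern><url-pattern>/javax.faces.resource/*</url-pattern>
</web-resource-collection></security-constraint>
</web-app>"""

def load_constraints(xml_text):
    """Return (url_pattern, roles) pairs. roles is None when the constraint has
    no auth-constraint (open), otherwise the set of role names (empty = deny all)."""
    pairs = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        ac = sc.find("auth-constraint")
        roles = None if ac is None else {r.text.strip() for r in ac.iter("role-name")}
        pairs.extend((p.text.strip(), roles) for p in sc.iter("url-pattern"))
    return pairs

def match_key(pattern, path):
    """Return an ordering key if pattern matches path, else None.
    An exact match beats the longest /prefix/* pattern, which beats *.ext."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        ok = path == prefix or path.startswith(prefix + "/")
        return (1, len(pattern)) if ok else None
    if pattern.startswith("*."):
        return (0, 0) if path.endswith(pattern[1:]) else None
    return (2, 0) if pattern == path else None

def required_roles(constraints, path):
    """None = unauthenticated access allowed, empty set = access precluded,
    otherwise any one of the returned roles suffices. Only constraints on the
    best-matching pattern apply; among those, an empty auth-constraint precludes
    access and a missing auth-constraint allows unauthenticated access."""
    keyed = [(match_key(p, path), r) for p, r in constraints]
    hits = [(k, r) for k, r in keyed if k is not None]
    if not hits:
        return None
    best = max(k for k, _ in hits)
    roles = [r for k, r in hits if k == best]
    if set() in roles:
        return set()
    if None in roles:
        return None
    return set().union(*roles)
```

Running it over the question's configuration shows why the answer's caveat matters: every path under /javax.faces.resource/, and so everything the resource handler serves from /resources, resolves to unauthenticated access.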