wood burning stoves 2.0*
The moose likes JSF and the fly likes hiding pages behind WEB-INF? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of OCA/OCP Java SE 7 Programmer I & II Study Guide this week in the OCPJP forum!
JavaRanch » Java Forums » Java » JSF
Bookmark "hiding pages behind WEB-INF?" Watch "hiding pages behind WEB-INF?" New topic
Author

hiding pages behind WEB-INF?

J Haley
Ranch Hand

Joined: Jul 22, 2004
Posts: 66
I am using JSF and facelets. I am looking for a way to hide my pages. The Struts equivalent is putting pages under the WEB-INF directory. I can�t figure out how to do this with JSF. Any ideas?
Alex Sotin
Greenhorn

Joined: Dec 19, 2006
Posts: 21
What do you mean by "hide my pages" ? May be you want to hide your code ?


<a href="http://www.planet-java.org" target="_blank" rel="nofollow">Java Planet</a> <br />-- <a href="http://www.java-index.org" target="_blank" rel="nofollow">Java Index</a>
Hung Tang
Ranch Hand

Joined: Feb 14, 2002
Posts: 148
J meant to protect his pages from public access.

What you can do is provide a "gateway" page outside of WEB-INF, and use some forwarding/redirecting/include mechanism in your gateway to access pages in WEB-INF.

Doing this with Facelets should not be too hard.
[ January 10, 2007: Message edited by: Hung Tang ]
J Haley
Ranch Hand

Joined: Jul 22, 2004
Posts: 66
Hung, I'm not clear on this gateway page. Do you have a sample? It almost sounds like this gateway would act as a filter.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42371
    
  64
The basic idea is that you'd have a servlet as a gateway to all JSP pages that you want to protect. Instead of accessing the JSP directly, you'd access the servlet, and pass the name of the JSP you really want to show as a parameter. The servlet can then forward to that JSP (which could be located in WEB-INF, because servlets have access to that).


Ping & DNS - my free Android networking tools app
Hung Tang
Ranch Hand

Joined: Feb 14, 2002
Posts: 148
I'll use Facelets as an example. Below is fragment of what I call a "gateway" page. It uses a template approach and includes template.xhtml, which is hidden behind /WEB-INF. Hope this helps.

James Clinton
Ranch Hand

Joined: Jun 23, 2003
Posts: 190
Gateway or as I'd call it 'View Resolver' can be done if you are using Spring.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16158
    
  21

I think I did a project recently doing this with Facelets.


Customer surveys are for companies who didn't pay proper attention to begin with.
J Haley
Ranch Hand

Joined: Jul 22, 2004
Posts: 66
Ok, I think I got it. Thanks for the help.
Ravi Suda
Greenhorn

Joined: Feb 04, 2007
Posts: 1
Hi J,
I also have the similar problem. I want to keep all the jsp's under WEB-INF. But the navigation is not working.

Navigation is as follows
indes.jsp --> first.jsp --> second.jsp

Here except index.jsp, remaining jsp's are in WEB-INF/jsps folder.

Sample code for faces-config.xml is

<navigation-rule>
<from-view-id>/index.jsp</from-view-id>
<navigation-case>
<from-outcome>success</from-outcome>
<to-view-id>/WEB-INF/jsps/first.jsp</to-view-id>
</navigation-case>
<navigation-rule>
<from-view-id>/WEB-INF/jsps/first.jsp</from-view-id>
<navigation-case>
<from-outcome>success</from-outcome>
<to-view-id>/WEB-INF/jsps/second.jsp</to-view-id>
</navigation-case>

The first navigation rule index.jsp --> first.jsp is working properly, but not the second one. I don't follow gateway/view resolver concept exactly.

We use spring framework along with JSF in our project. would you please give me possible solution for my problem.

Regards
Ravi
J Haley
Ranch Hand

Joined: Jul 22, 2004
Posts: 66
Sorry, I can�t provide an example. I will have a need to do this in an upcoming project, but I have not put an example together yet. This is still on my to do list. If someone else has a working example, I am also interested to see this in action.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16158
    
  21

I'm pretty sure may latest attempt at The Perfect Webapp does, in fact hide the facelets tiles in WEB-INF. Same basic rules apply as when doing it in Struts. As long as whatever is assembling the pages knows how to resolve the component URI's, hidden files are just find.
J Haley
Ranch Hand

Joined: Jul 22, 2004
Posts: 66
I�ve put a example together, but WEB-INF does not seem to hide the pages. For example, after putting my facelets layout page in a subdirectory under WEB-INF, the page will render if the url is typed in. Or otherwise said, I typed in the following url and the layout was displayed.

http://localhost:9080/FaceletsWeb/faces/WEB-INF/pages/layouts/layout.jspx

I�m puzzled. I thought that you could not access pages behind WEB-INF with a browser.
[ February 07, 2007: Message edited by: J Haley ]
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42371
    
  64
http://localhost:9080/FaceletsWeb/faces/WEB-INF/pages/layouts/layout.jspx


The WEB-INF directory in question must be the one that contains the web.xml file; it should be in a directory at the top of the document hierarchy. If it is somewhere below that (as seems to be the case with this URL, since it is two levels deep at /FaceletsWeb/faces) the name and the directory are not considered special, and any documents it contains will be served.
J Haley
Ranch Hand

Joined: Jul 22, 2004
Posts: 66
I only have one WEB-INF directory. �FaceletsWeb� is my context root. And �faces� is my servlet-mapping in web.xml. If I type my url without �faces�, WEB-INF hides my pages, but the problem comes in when I include �faces�.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42371
    
  64
Ah, so the URL doesn't describe a file that is being accessed directly, but instead it instructs the servlet to access that file. As was said before, any server code (the servlet) can access and serve files from anywhere it can get them, including the WEB-INF directory. The URL is actually telling it to do precisely that. And like you said, trying to access to file directly is prohibited. So it sounds to me like all is working as it should.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16158
    
  21

Precisely. As I've been known to point out occasionally, a WEB server is NOT a FILE server. A URL is a resource locator string, not something that has an inherent meaning the way a filesystem path does.

The confusion arrives because A) URLs are normally constructed with a syntax that closely resembles that used by Unix filesystems and because B) the most common way of resolving a resource is for the web server (or web application server) is for it to break the URL into components and use the components as the names of directories and files.

However, in J(2)EE, this default resolution is overridden when you pass the URL to a servlet (or a JSP - which is compiled to produce a servlet, so same difference). The servlet is free to deconstruct a URL in any way it desires, and return any type of data it wishes to. Or, in the case of MVC-style servlet frameworks such as JSF and Struts, to dispatch work to an action process, then bounce the results to a second servlet - the JSF or Struts view JSP. Which view JSP is targeted, of course, determined by the navigation rules and directives defined by the application developer in the struts-config.xml or its JSF equivalent.

If a URL is not routed to a servlet - meaning that it doesn't match any of the routing patterns defined in the webapp's WEB-INF/web.xml resource then the default action kicks in, which is to strip the host and context parts out of the URL and use the rest as a filename path, PROVIDED that the root of said filename path is not /WEB-INF. For those exceptions, the proper response is a 404 error.

Notice I didn't say WEB-INF/web.xml FILE, I said RESOURCE. That's because WARs in their purest forms are in zipfile format, so the WEB-INF/web.xml "file" isn't actually a discrete filesystem object, thus not a file in the literal sense. And within the context of a deployed webserver the same can be said of the WAR itself, but that's another matter.

So, since the appserver client isn't allowed to see WEB-INF or its subordinates via URLs, it's an ideal place to hide things. And, since the components of the webapp can see WEB-INF and its subordinates (as web app resources), they can pull that information out and do anything they want with it, including build up JSPs from it. All that's required is an understanding of how the rules are applied.
J Haley
Ranch Hand

Joined: Jul 22, 2004
Posts: 66
Ok, I get it. I did not have a proper understanding of how this worked. Thanks for clearing this up.

Two more follow ups
1. Sounds like there is no point in hiding faces or facelet templates pages behind WEB-INF since the faces servlet mapping will find them.

2. In JSF, if I have a multi-page wizard. Sounds like I�ll have to create my own logic to prevent the user from accessing the pages out of order. By out of order, I mean prevent them from bypassing page 1 by typing in page 2's url. If I remember correctly with Struts. All I had to do was hid my wizard pages behind WEB-INF
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42371
    
  64
Regarding both questions, I wouldn't say that. I don't know much about JSF, but I assume that there is a way to hook in some code of yours whenever a request goes through the /faces/ URL. In that code you can check which URL is accessed, and then take all required steps to make sure that all accesses are "proper", i.e. not pages you don't want accessed at all, and no pages out of order (by including some sequence ID in the requests).
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: hiding pages behind WEB-INF?