Restrict raw xhtml files from being typed in the browser directly

shiva kalyan
Greenhorn

Joined: Jun 11, 2008
Posts: 2
Hi All,
I want to restrict raw XHTML documents from being accessed directly.
I've added this security-constraint to web.xml:

...
    <security-constraint>
        <display-name>Restrict XHTML Documents</display-name>
        <web-resource-collection>
            <web-resource-name>XHTML</web-resource-name>
            <url-pattern>*.xhtml</url-pattern>
        </web-resource-collection>
    </security-constraint>
...


But when I enter the following URL in my browser:
http://localhost:<port no.>/<application>/<page-name>.xhtml

the xhtml page is displayed anyway.

All xhtml files are in the root directory:

    javascript/     (folder)
    ...
    *.xhtml         (files)
    ...
    WEB-INF/        (folder)
Venkat Sadasivam
Ranch Hand

Joined: May 10, 2008
Posts: 139
You can write a servlet filter to block all *.xhtml access.


"Any fool can write code that a computer can understand. Good programmers write code that humans can understand."
-Martin Fowler
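The filter Venkat suggests, written out as an added example (this is not code from the thread or from any JSF project). The class name BlockRawXhtmlFilter and the package in the mapping are made up for the example. It assumes a Servlet 2.5-era javax.servlet API and that the FacesServlet is mapped to a pattern other than *.xhtml (for example *.jsf), so refusing *.xhtml requests does not refuse the rendered views; Facelets loads the template through ServletContext.getResource(), which does not pass through the filter chain, so rendering of the same page is unaffected.

```java
import java.io.IOException;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * BlockRawXhtmlFilter (hypothetical name, added example): refuses any direct
 * request for a *.xhtml path so the Facelets source is never served by the
 * container's default servlet.
 *
 * Assumption: the FacesServlet is mapped to something other than *.xhtml
 * (e.g. *.jsf). Facelets reads the template via ServletContext.getResource(),
 * which bypasses the filter chain, so JSF rendering still works.
 *
 * Register it in web.xml mapped to /* rather than *.xhtml: url-pattern
 * matching is case-sensitive, while the check below is not.
 *
 *   <filter>
 *     <filter-name>BlockRawXhtml</filter-name>
 *     <filter-class>com.example.BlockRawXhtmlFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>BlockRawXhtml</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class BlockRawXhtmlFilter implements Filter {

    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (request instanceof HttpServletRequest
                && isRawXhtmlRequest((HttpServletRequest) request)) {
            // 404 rather than 403: do not confirm to the caller that the
            // source file exists at that path.
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(request, response);
    }

    /**
     * Decides on servletPath + pathInfo. The container has already URL-decoded
     * these and removed path parameters such as ;jsessionid=..., so encoded or
     * parameterised spellings of the same path are compared in canonical form.
     * The comparison is case-insensitive as defense in depth on containers
     * whose file resolution is case-insensitive.
     */
    static boolean isRawXhtmlRequest(HttpServletRequest req) {
        String path = req.getServletPath();
        if (req.getPathInfo() != null) {
            path += req.getPathInfo();
        }
        return path.toLowerCase(Locale.ENGLISH).endsWith(".xhtml");
    }

    public void destroy() {
        // nothing to release
    }
}
```

Filters are applied only to the REQUEST dispatcher unless a dispatcher element says otherwise, so an internal forward to a view is not affected; only browser-typed requests for the source are refused.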
shiva kalyan
Greenhorn

Joined: Jun 11, 2008
Posts: 2
Thanks Venkat for your reply.

The <security-constraint> tag should restrict the URL patterns specified;
is something wrong with the way I've specified it in web.xml?
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16160
Security constraints in web.xml only work if you're using container-based security. That means among other things that you have to have designed the webapp to let the server manage the authentication (login) and authorization processes. Which I recommend, but it's not appropriate in all cases.

The best way to hide the raw .xhtml is to put it underneath the WEB-INF directory. Files and directories inside WEB-INF are effectively invisible to external access.


Customer surveys are for companies who didn't pay proper attention to begin with.
 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
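For comparison, the posted constraint next to a deny-all variant, as an added example rather than configuration from the thread. The Servlet specification defines the difference: a security-constraint with no auth-constraint places no authorization requirement on the resource collection, so it changes nothing for the *.xhtml files, whereas an auth-constraint that names no role precludes access for every caller and the container answers 403 without needing a login-config or any application login code. The display-name and url-pattern are the ones from the original post; the FacesServlet mapping to *.jsf is an assumption.

```xml
<!-- Before (as posted): no <auth-constraint>, so the collection is
     unconstrained and the raw .xhtml is still served. -->
<security-constraint>
    <display-name>Restrict XHTML Documents</display-name>
    <web-resource-collection>
        <web-resource-name>XHTML</web-resource-name>
        <url-pattern>*.xhtml</url-pattern>
    </web-resource-collection>
</security-constraint>

<!-- After: an empty <auth-constraint/> precludes access for everyone.
     Do not list <http-method> elements here: naming some methods would
     leave the unlisted ones unconstrained; omitting them covers all. -->
<security-constraint>
    <display-name>Restrict XHTML Documents</display-name>
    <web-resource-collection>
        <web-resource-name>XHTML</web-resource-name>
        <url-pattern>*.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>

<!-- Assumed FacesServlet mapping: views are requested as *.jsf, so the
     deny-all on *.xhtml does not lock the application out of its own pages.
     If the FacesServlet were mapped to *.xhtml, this constraint would
     refuse every view. -->
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.jsf</url-pattern>
</servlet-mapping>
```

Tim's WEB-INF placement remains the simpler option where the view handler can be pointed there, because it needs no rule to be kept correct; the constraint above is the web.xml-only route when the files must stay in the document root.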
 