Restrict raw xhtml files from being typed in the browser directly

shiva kalyan
Greenhorn

Joined: Jun 11, 2008
Posts: 2
Hi All,
I want to restrict raw XHTML documents from being directly accessed.
I've added the security-constraint in the web.xml:

.
.
.
<security-constraint>
    <display-name>Restrict XHTML Documents</display-name>
    <web-resource-collection>
        <web-resource-name>XHTML</web-resource-name>
        <url-pattern>*.xhtml</url-pattern>
    </web-resource-collection>
</security-constraint>


But when I gave the following URL in my browser
http://localhost:<port no.>/<application>/<page-name>.xhtml

The xhtml page is getting displayed.


All xhtml files are in the root directory

javascript - folder
.
.
*.xhtml - files
.
.
WEB-INF - folder
Venkat Sadasivam
Ranch Hand

Joined: May 10, 2008
Posts: 139
You can write a servlet filter to block all the *.xhtml access.


“Any fool can write code that a computer can understand. Good programmers write code that humans can understand.”
-Martin Fowler
shiva kalyan
Greenhorn

Joined: Jun 11, 2008
Posts: 2
Thanks Venkat for your reply.

The <security-constraint> tag should restrict the URL patterns specified.
Is something wrong with the way I've specified it in web.xml?
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15665
    

Security constraints in web.xml only work if you're using container-based security. That means among other things that you have to have designed the webapp to let the server manage the authentication (login) and authorization processes. Which I recommend, but it's not appropriate in all cases.

The best way to hide the raw .xhtml is to put it underneath the WEB-INF directory. Files and directories inside WEB-INF are effectively invisible to external access.


Customer surveys are for companies who didn't pay proper attention to begin with.
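
An added example, not code from the thread: a small Python audit that classifies each <security-constraint> in a web.xml by whether it actually restricts access, run on the posted fragment and on a constructed variant with an empty <auth-constraint/>. The classification follows the Servlet specification's rule that a constraint with no <auth-constraint> imposes no authorization requirement, while one that names no roles permits no access. The names `audit` and `local` and both sample descriptors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint as posted in the thread (no <auth-constraint>).
POSTED = """<web-app>
  <security-constraint>
    <display-name>Restrict XHTML Documents</display-name>
    <web-resource-collection>
      <web-resource-name>XHTML</web-resource-name>
      <url-pattern>*.xhtml</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""

# Constructed variant: an empty <auth-constraint/> names no roles,
# so no caller is authorized for the matching URL patterns.
DENY_ALL = POSTED.replace("</web-resource-collection>",
                          "</web-resource-collection>\n    <auth-constraint/>")


def local(tag):
    """Drop any XML namespace so namespaced and bare descriptors parse alike."""
    return tag.rsplit("}", 1)[-1]


def audit(web_xml):
    """Return a (url_patterns, verdict) tuple for each <security-constraint>."""
    findings = []
    # Input is assumed to be a trusted, local deployment descriptor.
    for el in ET.fromstring(web_xml).iter():
        if local(el.tag) != "security-constraint":
            continue
        patterns = [p.text.strip() for p in el.iter()
                    if local(p.tag) == "url-pattern" and p.text]
        auth = next((c for c in el if local(c.tag) == "auth-constraint"), None)
        if auth is None:
            verdict = "open: no auth-constraint, requests are accepted unauthenticated"
        else:
            roles = [r.text.strip() for r in auth
                     if local(r.tag) == "role-name" and r.text]
            verdict = "roles: " + ",".join(roles) if roles else "deny-all: no role may access"
        findings.append((patterns, verdict))
    return findings


if __name__ == "__main__":
    for name, doc in (("posted", POSTED), ("deny-all", DENY_ALL)):
        for patterns, verdict in audit(doc):
            print(name, patterns, verdict)
```

A deny-all constraint on *.xhtml is only usable under the assumption that the FacesServlet is mapped to a different pattern (for example *.jsf); if it is mapped to *.xhtml itself, the same constraint would also block the rendered pages.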
 