wood burning stoves*
The moose likes JSF and the fly likes JSF 2.0: how to protect jsf sources with javax.faces.RESOURCE_EXCLUDES ? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » JSF
Bookmark "JSF 2.0: how to protect jsf sources with javax.faces.RESOURCE_EXCLUDES ?" Watch "JSF 2.0: how to protect jsf sources with javax.faces.RESOURCE_EXCLUDES ?" New topic
Author

JSF 2.0: how to protect jsf sources with javax.faces.RESOURCE_EXCLUDES ?

Pasquale Imbemba
Greenhorn

Joined: Feb 08, 2012
Posts: 5

Hello,

inside web.xml, I should be able to protect jsf sources from access using


(to be honest I'm not quite sure how to use it, I read that the default already contains .xhtml along with .class, .jsp, .jspx, .properties.
With the above, I still can access the jsf (xhtml) source.

The old way to put secure jsf sources works, i.e.


will yield HTTP Status 403 - Access to the requested resource has been denied in the browser when trying to access the jsf source (i.e. .xhtml)
Now the first way is much smarter to use (less tags!) - but I wonder if it must be put also inside a security-constraint as well.

I use jBoss-6.0.0.Final with jsf Mojarra reference implementation. The project facet in eclipse is properly set to JSF 2.0 and relative server runtime.

Thanks in advance!
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15952
    
  19

Use the security constraint.

The javax.faces.RESOURCE_EXCLUDES parameter is applied to the FacesServlet in order to control what resources a JSF processing request can pull in. So if anything, I would expect it to interfere with Facelets "include" processing. Unless your FacesServlet URL mappings are strangely-configured, a URL ending with ".xhtml" wouldn't qualify, because it wouldn't be routed to the FacesServlet to begin with.


Customer surveys are for companies who didn't pay proper attention to begin with.
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: JSF 2.0: how to protect jsf sources with javax.faces.RESOURCE_EXCLUDES ?
 
Similar Threads
Problem with RichFaces Calendar control
help regarding url-pattern in jsf
Managed beans aren't constructed running on JBoss 5.1.0 (works fine with Tomcat 6)
Error JSF 2.1: java.io.FileNotFoundException:*/*.xhtml Not Found in ExternalContext
Can't start a simple application