File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

JSF 2.0: how to protect jsf sources with javax.faces.RESOURCE_EXCLUDES ?

 
Pasquale Imbemba
Greenhorn
Posts: 5
Eclipse IDE Java Ubuntu
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hello,

inside web.xml, I should be able to protect jsf sources from access using


(to be honest I'm not quite sure how to use it, I read that the default already contains .xhtml along with .class, .jsp, .jspx, .properties.
With the above, I still can access the jsf (xhtml) source.

The old way to put secure jsf sources works, i.e.


will yield HTTP Status 403 - Access to the requested resource has been denied in the browser when trying to access the jsf source (i.e. .xhtml)
Now the first way is much smarter to use (less tags!) - but I wonder if it must be put also inside a security-constraint as well.

I use jBoss-6.0.0.Final with jsf Mojarra reference implementation. The project facet in eclipse is properly set to JSF 2.0 and relative server runtime.

Thanks in advance!
 
Tim Holloway
Saloon Keeper
Pie
Posts: 17616
39
Android Eclipse IDE Linux
  • 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Use the security constraint.

The javax.faces.RESOURCE_EXCLUDES parameter is applied to the FacesServlet in order to control what resources a JSF processing request can pull in. So if anything, I would expect it to interfere with Facelets "include" processing. Unless your FacesServlet URL mappings are strangely-configured, a URL ending with ".xhtml" wouldn't qualify, because it wouldn't be routed to the FacesServlet to begin with.
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic