Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share
menu search
person
editAsk a Question
Welcome To Ask or Share your Answers For Others

Categories

jsf - Exclude css & image resources in web.xml Security Constraint

in Technique[技术] by (71.8m points)

I am using JSF2.1 and Glassfish 3.1.2.

I specify a security constraint to block everything:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secured Content</web-resource-name>
        <!-- Block all -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>

    <!-- only users with at least one of these roles are allowed to access the secured content -->
    <auth-constraint>
        <role-name>ADMINISTRATOR</role-name>
    </auth-constraint>
</security-constraint>

and have another to allow access a subset of pages and the resources:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Open Content</web-resource-name>
        <!-- Allow subscribe -->
        <url-pattern>/subscribe/*</url-pattern>
        <url-pattern>/javax.faces.resource/*</url-pattern>
    </web-resource-collection>
    <!-- No Auth Contraint! -->
</security-constraint>

This works fine. However, is the following 

<url-pattern>/javax.faces.resource/*</url-pattern>

the correct way to allow all resources?

I only did this by looking at the url that Facelets injects into the xhtml. Is there security holes with this approach?

Thanks.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
thumb_up_alt 0 like thumb_down_alt 0 dislike
858 views
Welcome To Ask or Share your Answers For Others

1 Answer

by (71.8m points)

It has to be the value of ResourceHandler#RESOURCE_IDENTIFIER constant. See also its javadoc:

RESOURCE_IDENTIFIER

public static final java.lang.String RESOURCE_IDENTIFIER

Resource#getRequestPath returns the value of this constant as the prefix of the URI. handleResourceRequest(javax.faces.context.FacesContext) looks for the value of this constant within the request URI to determine if the request is a resource request or a view request.

See Also:

Constant Field Values

The constant field values says the following:

public static final java.lang.String    RESOURCE_IDENTIFIER    "/javax.faces.resource"

So, you're absolutely correct as to the URL pattern. There are no security holes, provided that you don't put sensitive information in /resources folder of the public webcontent which is handled by the JSF resource handler.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
thumb_up_alt 0 like thumb_down_alt 0 dislike
Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share

Just Browsing Browsing

548k questions

547k answers

4 comments

86.3k users

Most popular tags

Theme made by Momin Raza, Modified by Ostack
Powered by Question2Answer
...