Security Limit and Welcome File

In my web.xml, I use something like this:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Block all</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <!-- empty auth-constraint: nobody may access these resources -->
        <auth-constraint />
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Allow facelets</web-resource-name>
            <url-pattern>/faces/*</url-pattern>
            <http-method>POST</http-method>
            <http-method>GET</http-method>
        </web-resource-collection>
        <!-- role-name "*": any authenticated user -->
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>

All incoming requests are blocked, except for those starting with /faces/. I do this because otherwise unauthorized users can access the Facelets source files.

It works fine, but the welcome file is not displayed, because even the root path is locked. I tried adding <url-pattern>/</url-pattern> to the second security constraint, but nothing.

+4
2 answers

If you can, map the FacesServlet on a suffix pattern instead. When you're still on JSF 1.x, map it on *.jsf. Then you can simply block access to *.xhtml with this security constraint. When you are already on JSF 2.0 (your background confirms this), simply map it on *.xhtml. Unlike JSF 1.x, the FacesServlet will not run in an infinite loop with this. Thus, you do not need any security constraint at all. The only thing is that you cannot serve "plain vanilla" XHTML files without the involvement of the FacesServlet. But that does not make any sense anyway; such a file should have been *.html anyway.

PS: Thank you for pointing out another reason why the prefix pattern /faces/* sucks ;)

+1
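The suffix-pattern mapping the answer recommends, written out as an added example web.xml (this is not code from the original post or from the JSF project). For JSF 2.0 the FacesServlet is mapped on *.xhtml, so a request for a Facelets file always goes through the FacesServlet and the raw source is never served; the welcome file then needs no security constraint at all. The JSF 1.x variant is shown commented out: map on *.jsf and deny direct access to the *.xhtml sources with an empty auth-constraint. The file name index.xhtml is an assumption.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <!-- JSF 2.0: suffix mapping on *.xhtml. Every *.xhtml request is handled by
         the FacesServlet, so the Facelets source can never be downloaded and
         no security-constraint is needed for that purpose. -->
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>

    <!-- The welcome file (assumed name) is an ordinary /index.xhtml request,
         which the mapping above handles; nothing blocks the root path. -->
    <welcome-file-list>
        <welcome-file>index.xhtml</welcome-file>
    </welcome-file-list>

    <!-- JSF 1.x alternative: map on *.jsf instead (welcome file index.jsf) and
         block direct access to the *.xhtml sources with an empty auth-constraint.
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.jsf</url-pattern>
    </servlet-mapping>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Block Facelets sources</web-resource-name>
            <url-pattern>*.xhtml</url-pattern>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>
    -->
</web-app>
```

Note that the blanket "Block all" constraint from the question is gone entirely: with the suffix mapping, the only thing worth protecting (the *.xhtml source) is no longer reachable as a static file, so the welcome file and other static resources need no constraint of their own.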

It works fine, but it does not show the welcome file, because even the root path is locked. I tried adding / to the second security constraint, but nothing.

In this case, it should work. I tested it on my machine: it does not work at first, until we restart the application server. Then it behaves as expected.

0

Source: https://habr.com/ru/post/1341240/

