How to avoid user access to .xhtml page in JSF?
Solution 1
You could add a security constraint to your `web.xml` blocking all requests to `*.xhtml`.

```xml
<security-constraint>
    <display-name>Restrict raw XHTML Documents</display-name>
    <web-resource-collection>
        <web-resource-name>XHTML</web-resource-name>
        <url-pattern>*.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
```
Solution 2
Apart from defining a `<security-constraint>` to block direct access to `.xhtml` files as correctly answered by Stacker on this question, you could also just change the `<url-pattern>` of the `FacesServlet` mapping from `*.jsf` to `*.xhtml`.

```xml
<servlet>
    <servlet-name>facesServlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>facesServlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
```

In JSF 1.x this used to end up in an infinite loop, but in JSF 2.x not anymore. So you could just call/link all pages as `.xhtml` without fiddling with different extensions. The only disadvantage is that you won't be able to display a "plain" XHTML file without invoking the `FacesServlet`, but such a page should be named `.html` anyway :)
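An added example, not part of any answer on this page: a small Python check that reads a `web.xml` and reports which of the two descriptor-based approaches (Solution 1's deny-all constraint or Solution 2's `FacesServlet` mapping) covers `*.xhtml`. The function name `audit_xhtml_exposure` and the sample descriptor are constructed for illustration, and it assumes the `FacesServlet` is declared in `web.xml`.

```python
import xml.etree.ElementTree as ET

def _kids(el, name):
    # Match on local name so namespaced and plain web.xml files both work.
    return [c for c in el if c.tag.rsplit('}', 1)[-1] == name]

def _texts(el, name):
    return [(c.text or '').strip() for c in _kids(el, name)]

def audit_xhtml_exposure(web_xml, pattern='*.xhtml'):
    """Classify web.xml: 'faces-mapping', 'constraint', 'conflict', 'exposed'."""
    root = ET.fromstring(web_xml)
    # Servlet names whose class is javax/jakarta.faces.webapp.FacesServlet.
    faces = {n for s in _kids(root, 'servlet')
             if any(c.endswith('faces.webapp.FacesServlet')
                    for c in _texts(s, 'servlet-class'))
             for n in _texts(s, 'servlet-name')}
    mapped = any(pattern in _texts(m, 'url-pattern')
                 for m in _kids(root, 'servlet-mapping')
                 if set(_texts(m, 'servlet-name')) & faces)
    denied = False
    for sc in _kids(root, 'security-constraint'):
        auth = _kids(sc, 'auth-constraint')
        # Deny-all means <auth-constraint> is present and lists no role.
        if not auth or _kids(auth[0], 'role-name'):
            continue
        for coll in _kids(sc, 'web-resource-collection'):
            # A collection limited by <http-method> leaves other methods open.
            if pattern in _texts(coll, 'url-pattern') and not _kids(coll, 'http-method'):
                denied = True
    if mapped and denied:
        return 'conflict'  # the constraint also denies every JSF page
    if mapped:
        return 'faces-mapping'
    return 'constraint' if denied else 'exposed'

# Constructed sample: FacesServlet mapped to *.jsf and no constraint.
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet>
    <servlet-name>facesServlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>facesServlet</servlet-name>
    <url-pattern>*.jsf</url-pattern>
  </servlet-mapping>
</web-app>"""

if __name__ == '__main__':
    print(audit_xhtml_exposure(SAMPLE))
```

A result of `exposed` only means neither descriptor setting was found; protection applied elsewhere, such as a servlet filter, is not visible to this check.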
Solution 3
On GAE you need two things:
- edit `web.xml` as described above
- add in `appengine-web.xml`

```xml
<static-files>
    <exclude path="/**.xhtml" />
</static-files>
```
Solution 4
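You can use a servlet filter

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// Rejects every direct request for a raw .xhtml resource.
@WebFilter(filterName = "XhtmlFilter", urlPatterns = { "*.xhtml" })
public class XhtmlFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Answer 404 and stop here: the chain is not continued, so the file is never served.
        ((HttpServletResponse) response).sendError(404);
    }

    @Override
    public void destroy() {
    }
}
```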
e2k
Updated on October 27, 2020

Comments
-
e2k over 3 years
I am new to JSF and am writing my first simple JSF web app.
URLs with .jsf are mapped to .xhtml files in WebContent, but why can I open the .xhtml in the web browser with all the JSF tags? How do I protect this?
-
ahvargas about 13 years
Try to put them under WEB-INF
-
BalusC about 13 years
@ahvargas: This doesn't work for JSF.
-
BalusC almost 12 years
@s_t_e_v_e: GAE is an odd beast anyway.
-
michal777 over 11 years
I do not understand: if you define <security-constraint> on *.xhtml and <url-pattern> is set to *.xhtml, then how do you set an xhtml <welcome-file> so that it would not be blocked?
-
BalusC over 11 years
@michal777: "Apart from ...", so you shouldn't need to define both.