How to avoid user access to .xhtml page in JSF?

Solution 1

You could add a security constraint to your web.xml blocking all requests to *.xhtml.

<security-constraint>
    <display-name>Restrict raw XHTML Documents</display-name>
    <web-resource-collection>
        <web-resource-name>XHTML</web-resource-name>
        <url-pattern>*.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>

Solution 2

Apart from defining a <security-constraint> to block direct access to .xhtml files as correctly answered by Stacker on this question, you could also just change the <url-pattern> of the FacesServlet mapping from *.jsf to *.xhtml.

<servlet>
    <servlet-name>facesServlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>facesServlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>

In JSF 1.x this used to end up in an infinite loop, but in JSF 2.x not anymore. So you could just call/link all pages as .xhtml without fiddling with different extensions. The only disadvantage is that you won't be able to display a "plain" XHTML file without invoking the FacesServlet, but such a page should be named .html anyway :)
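
An added example, not part of either answer above: a Python check that reads a web.xml and reports whether *.xhtml is covered by Solution 1's deny-all constraint, by Solution 2's FacesServlet mapping, by both, or by neither. The function name, the verdict strings and the constructed sample are assumptions of this example, and only the exact *.xhtml pattern is recognised.

```python
import xml.etree.ElementTree as ET

FACES = {"javax.faces.webapp.FacesServlet", "jakarta.faces.webapp.FacesServlet"}

def kids(elem, name):
    """Direct children by local name, ignoring the web.xml schema namespace."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def texts(elem, name):
    return {(c.text or "").strip() for c in kids(elem, name)}

def audit_xhtml_exposure(web_xml):
    root = ET.fromstring(web_xml)
    faces_names = {n for s in kids(root, "servlet")
                   if texts(s, "servlet-class") & FACES
                   for n in texts(s, "servlet-name")}
    faces_patterns = {p for m in kids(root, "servlet-mapping")
                      if texts(m, "servlet-name") & faces_names
                      for p in texts(m, "url-pattern")}
    denied = set()
    for sc in kids(root, "security-constraint"):
        auth = kids(sc, "auth-constraint")
        # An <auth-constraint> without any <role-name> denies every caller.
        if auth and not any(kids(a, "role-name") for a in auth):
            for wrc in kids(sc, "web-resource-collection"):
                if not kids(wrc, "http-method"):  # must cover all HTTP methods
                    denied |= texts(wrc, "url-pattern")
    by_faces, by_deny = "*.xhtml" in faces_patterns, "*.xhtml" in denied
    if by_faces and by_deny:
        return "unreachable"  # both solutions combined: every page is denied
    if by_faces:
        return "rendered"     # Solution 2: FacesServlet handles *.xhtml
    if by_deny:
        return "denied"       # Solution 1: direct requests are rejected
    return "exposed"          # raw Facelets source can be downloaded

# Constructed sample: the question's setup, FacesServlet mapped to *.jsf only.
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>facesServlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>facesServlet</servlet-name>
    <url-pattern>*.jsf</url-pattern>
  </servlet-mapping>
</web-app>"""
if __name__ == "__main__":
    print(audit_xhtml_exposure(SAMPLE))
```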

Solution 3

On GAE you need two things:

  1. edit web.xml as described above
  2. add in appengine-web.xml:
<static-files>
    <exclude path="/**.xhtml" />
</static-files>

Solution 4

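You can use a servlet filter:

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// Answers every direct request for a *.xhtml resource with 404.
@WebFilter(filterName = "XhtmlFilter", urlPatterns = { "*.xhtml" })
public class XhtmlFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Send the error and stop: the chain is not continued, so the request
        // never reaches the resource and nothing runs on a committed response.
        ((HttpServletResponse) response).sendError(HttpServletResponse.SC_NOT_FOUND);
    }

    @Override
    public void destroy() {
    }
}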

Author: e2k

Updated on October 27, 2020

Comments

  • e2k
    e2k over 3 years

    I am new to JSF and writing my first simple JSF web app.

    URLs with .jsf are mapped to .xhtml files in WebContent, but why can I open the .xhtml in a web browser with all the JSF tags? How to protect this?

    • ahvargas
      ahvargas about 13 years
      Try to put them under WEB-INF
    • BalusC
      BalusC about 13 years
      @ahvargas: This doesn't work for JSF.
  • BalusC
    BalusC almost 12 years
    @s_t_e_v_e: GAE is an odd beast anyway.
  • michal777
    michal777 over 11 years
    I do not understand: if you define a <security-constraint> on *.xhtml and the <url-pattern> is set to *.xhtml, then how do you set an xhtml <welcome-file> so that it would not be blocked?
  • BalusC
    BalusC over 11 years
    @michal777: "Apart from ...", so you shouldn't need to define both.