How to avoid user access to .xhtml page in JSF?

Question

I am new to JSF and writing first simply jsf web app.

URL with .jsf are mapping to .xhtml files in WebContent but why I can open .xhtml in web browser with all jsf tags. How to protect this?

Are restrictions additive? For example: Restrict raw XHTML Documents XHTML *.xhtml Auth /* Admin does not restrict raw xhtml-files to be transmitted to Users with — nimo23, Apr 30 '12 at 09:52

score 20 · Accepted Answer · edited Jun 27 '13 at 13:11

20

You could add a security constraint to your web.xml blocking all requests to *.xhtml.

<security-constraint>
    <display-name>Restrict raw XHTML Documents</display-name>
    <web-resource-collection>
        <web-resource-name>XHTML</web-resource-name>
        <url-pattern>*.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>

edited Jun 27 '13 at 13:11

BalusC

1,082,665
372
3,610
3,555

answered Apr 15 '11 at 11:20

stacker

68,052
28
140
210

BalusC · Answer 2 · 2011-12-16T19:56:44.920

11

Apart from defining a <security-constraint> to block direct access to .xhtml files as correctly answered by Stacker on this question, you could also just change the <url-pattern> of the FacesServlet mapping from *.jsf to *.xhtml.

<servlet>
    <servlet-name>facesServlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>facesServlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>

In JSF 1.x this used to end up in an infinite loop, but in JSF 2.x not anymore. So you could just call/link all pages as .xhtml without fiddling with different extensions. The only disadvantage is that you won't be able to display a "plain" XHTML file without invoking the FacesServlet, but such a page should be named .html anyway :)

edited Dec 16 '11 at 19:56

answered Apr 15 '11 at 11:40

BalusC

1,082,665
372
3,610
3,555

@s_t_e_v_e: GAE is an odd beast anyway. – BalusC May 20 '12 at 19:51
2

I do not uderstand, if you define on *.xhtml and set to *.xhtml then how to set xhtml that it would not be blocked? – michal777 Aug 20 '12 at 15:00
3

@michal777: "Apart from ...", so you shouldn't need to define *both*. – BalusC Aug 20 '12 at 15:02

score 2 · Answer 3 · answered Jul 15 '12 at 20:12

2

On GAE you need two things:

edit web.xml as described above
add in appengine-web.xml

<static-files>
    <exclude path="/**.xhtml" />
</static-files>`

answered Jul 15 '12 at 20:12

mk761203

76
3

score 1 · Answer 4 · edited Oct 26 '17 at 14:01

You can use a servlet filter

@WebFilter(filterName = "XhtmlFilter", urlPatterns = { "*.xhtml" })
public class XhtmlFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        ((HttpServletResponse) response).sendError(404);
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }
}

score 0 · Answer 5 · answered Jul 01 '13 at 19:03

as far as i experienced it, the answer of mk761203 is definitely helpful when setting up a project for google app engine and server faces. without the exclusion of this files, the GAE automatically interpets the files with the .xhtml extension as static files which get served by dedicated servers from googles server farm. read more here: https://developers.google.com/appengine/docs/java/config/appconfig#Static_Files_and_Resource_Files

How to avoid user access to .xhtml page in JSF?

5 Answers5

Linked