
When I request /personal/faces/public/login.xhtml, then it works fine, but when I request /personal/public/login.xhtml without /faces I obtain the raw source code of the page.

I would like to avoid that people could see the source code of the page. How can I achieve this?

BalusC
theholy
  • Related: http://stackoverflow.com/questions/3008395/jsf-facelets-sometimes-i-see-the-url-is-jsf-and-sometimes-xhtml-why/ and http://stackoverflow.com/questions/3112946/jsf-link-results-in-plain-xhtml-file-instead-of-generated-jsf-page – BalusC Mar 15 '13 at 13:48

1 Answer


This is happening because you've specified /faces/* in your FacesServlet configuration in the web.xml. As a result, any file requested that does not match the specified url pattern will be served as a regular file with a GET request. Change that config to the following to ensure all JSF related requests go through the FacesServlet:

    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>

This ensures all files with .xhtml extension will be processed before returning to the client.

While the above solution may solve the immediate problem, what you're experiencing points to a deeper security issue. It indicates that anyone with a browser can request and download artifacts from your web application deployment and possibly other parts of your filesystem. This is a security hole you will need to look into. The options vary depending on your App server.

kolossus
  • However, one can then add a trailing slash to the URL («path».xhtml/) and will still get the source-code (tested in JBoss EAP). So for security you need to configure more than that (or even better stop using JSF legacy). – Jörg Jan 24 '20 at 14:53
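The answer's fix (mapping the FacesServlet to *.xhtml) and Jörg's comment about the trailing-slash variant come down to the same mechanism: any request that the FacesServlet mapping does not claim falls through to the container's default servlet, which serves the .xhtml file as a static resource, i.e. as raw source. The filter below is an added example, not code from the answer, from Jörg, or from the JSF project. It assumes a Servlet 3.0 or later container (javax.servlet API) and that the FacesServlet is mapped to *.xhtml as shown in the answer; the class name RawViewSourceFilter and the helper isRawViewRequest are hypothetical. It refuses, with a 404, any request whose decoded path mentions .xhtml but does not end in exactly .xhtml, which covers the forms that slip past the extension mapping (/public/login.xhtml/, /public/login.xhtml/extra, and a differently-cased extension).

```java
import java.io.IOException;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical defensive filter (added example, not part of the original answer).
 * Assumes the FacesServlet is mapped to *.xhtml. Any request that names a Facelets
 * view but would NOT be routed to that mapping (trailing slash, extra path segment,
 * differently-cased extension) would otherwise reach the container's default servlet
 * and be served as a plain file, leaking the view source. Such requests get a 404.
 */
@WebFilter(urlPatterns = "/*")
public class RawViewSourceFilter implements Filter {

    /**
     * Returns true when a context-relative, decoded request path should be refused.
     * Only the exact, case-sensitive form that the *.xhtml mapping matches is allowed.
     */
    static boolean isRawViewRequest(String path) {
        if (path == null) {
            return false;
        }
        String lower = path.toLowerCase(Locale.ROOT);
        if (!lower.contains(".xhtml")) {
            return false;               // not a view request at all; let it through
        }
        // "/public/login.xhtml" -> false (served by FacesServlet)
        // "/public/login.xhtml/" , "/public/login.xhtml/x", "/public/login.XHTML" -> true
        return !path.endsWith(".xhtml");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // servletPath + pathInfo is the decoded, context-relative path with path
        // parameters such as ";jsessionid=..." already stripped, so URL-rewritten
        // session links are not mistaken for a bypass attempt.
        String pathInfo = request.getPathInfo();
        String path = request.getServletPath() + (pathInfo == null ? "" : pathInfo);
        if (isRawViewRequest(path)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig config) {
        // nothing to configure
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

The filter is a second line of defence, not a replacement for the *.xhtml mapping: the mapping makes the FacesServlet own the normal view URLs, and the filter only closes the variants that an extension mapping cannot claim. After deploying it, confirm the behaviour with a few requests against a test instance: the plain view URL still renders, the trailing-slash and extra-segment forms return 404, and a URL-rewritten link carrying ;jsessionid= still renders.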