How can I put the XHTML files in WEB-INF so that only the application has direct access to them? Specifically, so that the bird pages aren't directly publicly accessible. The project is from an Apress example.

project tree:

NetBeansProjects/Birds/
├── build.xml
├── nbproject
│   ├── ant-deploy.xml
│   ├── build-impl.xml
│   ├── genfiles.properties
│   ├── private
│   │   └── private.properties
│   ├── project.properties
│   └── project.xml
├── src
│   ├── conf
│   │   └── MANIFEST.MF
│   └── java
│       └── dur
│           └── Hello.java
└── web
    ├── eagle.xhtml
    ├── faces
    ├── falcon.xhtml
    ├── index.xhtml
    ├── menu.xhtml
    ├── parrot.xhtml
    ├── resources
    │   └── css
    │       ├── cssLayout.css
    │       └── default.css
    ├── template.xhtml
    └── WEB-INF
        └── web.xml

web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
    <context-param>
        <param-name>javax.faces.DEFAULT_SUFFIX</param-name>
        <param-value>.xhtml</param-value>
    </context-param>
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>
    <session-config>
        <session-timeout>
            30
        </session-timeout>
    </session-config>
    <welcome-file-list>
        <welcome-file>index.xhtml</welcome-file>
    </welcome-file-list>
</web-app>

index.xhtml:

<!DOCTYPE    html  PUBLIC "-//W3C//DTD XHTML 1.0  Transitional//EN"  
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:ui="http://java.sun.com/jsf/facelets"
      xmlns:h="http://java.sun.com/jsf/html"
      xmlns:f="http://java.sun.com/jsf/core">

    <body>
        This and everything before will be ignored
        <ui:composition template="template.xhtml">
            <ui:define name="navigation">
                <ui:include src="menu.xhtml"/>
            </ui:define>
        </ui:composition>
        This and everything after will be ignored
    </body>
</html>

menu.xhtml:

<!DOCTYPE    html  PUBLIC "-//W3C//DTD XHTML 1.0  Transitional//EN"  
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:ui="http://java.sun.com/jsf/facelets"
      xmlns:h="http://java.sun.com/jsf/html"
      xmlns:f="http://java.sun.com/jsf/core">
    <body>
        This and everything before will be ignored
        <ui:composition>
            <h3>Contents table</h3>
            <hr/>
            <h:panelGrid columns="1">
                <h:commandLink value="Home" action="home" />
                <h:commandLink value="Parrot"
                               action="parrot" />
                <h:commandLink value="Eagle"
                               action="eagle" />
                <h:commandLink value="Falcon"
                               action="falcon" />
            </h:panelGrid>
        </ui:composition>
        This and everything after will be ignored
    </body>
</html>

template.xhtml:

<?xml version='1.0' encoding='UTF-8' ?> 
<!DOCTYPE    html  PUBLIC "-//W3C//DTD XHTML 1.0  Transitional//EN"  
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:ui="http://java.sun.com/jsf/facelets"
      xmlns:h="http://java.sun.com/jsf/html"
      xmlns:f="http://java.sun.com/jsf/core">
    <head>
        <title>The Happy Birds Directory</title>
        <style type="text/css">
            <!--
            .box {
                float: right;
                width: 50%;
                border: black dotted 1px;
                padding: 5px
            }
            -->
        </style>
    </head>
    <body>
        <h:form>
            <h1>The Happy Birds Directory</h1>
            <div class="box">
                <ui:insert name="navigation"/>
            </div>
            <ui:insert name="main">
                Welcome to the nest!
            </ui:insert>
        </h:form>
    </body>
</html>

parrot.xhtml:

<!DOCTYPE    html  PUBLIC "-//W3C//DTD XHTML 1.0  Transitional//EN"  
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:ui="http://java.sun.com/jsf/facelets"
      xmlns:h="http://java.sun.com/jsf/html"
      xmlns:f="http://java.sun.com/jsf/core">
    <body>
        This and everything before will be ignored
        <ui:composition template="template.xhtml">
            <ui:define name="navigation">
                <ui:include src="menu.xhtml"/>
            </ui:define>
            <ui:define name="main">
                <h1>Parrot</h1>
                <p>
                    Parrots are interesting birds...
                </p>
            </ui:define>
        </ui:composition>
        This and everything after will be ignored
    </body>
</html>
BalusC
Thufir

2 Answers

If you want the pages not to be accessed using the address bar, I think the best thing you could do is to avoid redirection in your application; that way the URLs won't be displayed to the end user, so they won't be bookmarkable. However, this doesn't prevent the end user from using a browser-side debugger or trying a set of URLs and finding the one belonging to your page. That happens because you use GET requests to access the views.

If you really want to avoid that you should use POST to navigate from view to view, even though this is totally discouraged. Instead of using templating, just access your master page and include your child views dynamically using ui:include and change the location using Ajax. This may bring some issues, the browser's back button not working properly, for instance.

My advice is to go with the first choice, avoiding redirection. What you should put in the WEB-INF directory is the template.xhtml file; it makes no sense for an end user to have direct access to it.

Aritz
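
The move recommended in the answer above, shown as an added example that is not part of the original post: parrot.xhtml after template.xhtml has been relocated to WEB-INF. Moving menu.xhtml as well goes one step beyond the answer and is an assumption, as is the resulting file layout.

```xml
<!-- Added example. Assumed layout after the move (not from the original post):
       web/WEB-INF/template.xhtml   moved from web/template.xhtml
       web/WEB-INF/menu.xhtml       moved from web/menu.xhtml (extension of the answer)
       web/parrot.xhtml             stays outside WEB-INF: it is a view the browser requests -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:ui="http://java.sun.com/jsf/facelets"
      xmlns:h="http://java.sun.com/jsf/html"
      xmlns:f="http://java.sun.com/jsf/core">
    <body>
        <!-- A leading slash makes the path relative to the web application root,
             so Facelets loads the template from WEB-INF on the server side. -->
        <ui:composition template="/WEB-INF/template.xhtml">
            <ui:define name="navigation">
                <!-- The menu fragment is only ever included, never requested directly. -->
                <ui:include src="/WEB-INF/menu.xhtml"/>
            </ui:define>
            <ui:define name="main">
                <h1>Parrot</h1>
                <p>
                    Parrots are interesting birds...
                </p>
            </ui:define>
        </ui:composition>
    </body>
</html>
```

The servlet container refuses any client request for a path under /WEB-INF/, while Facelets still resolves the template and the include from inside the application. index.xhtml, eagle.xhtml and falcon.xhtml need the same two path changes.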
Sorry if I misunderstand your approach!

No need to put the XHTML files in the WEB-INF directory, since your Faces Servlet pattern is defined as above:

<servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>

In this case, no public user can get the direct/real source of your JSF XHTML files. The web app container responds to every call of *.xhtml with the compiled HTML contents.

Also, don't worry!

Rami.Q
  • ok, I like that, that users only get compiled results -- that seems secure enough for my purposes. What misunderstanding do you refer to? – Thufir Sep 29 '14 at 23:34
  • @Thufir: if you would like to make these files not reachable via browser, in this case I misunderstood your purposes. :) – Rami.Q Sep 30 '14 at 12:14
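
The protection described in this answer depends on the Faces Servlet being mapped to *.xhtml. As an added example (not from the original post), this web.xml fragment shows the contrasting case where the servlet is mapped to another pattern, here the assumed *.jsf, so a request for the .xhtml file itself would bypass the servlet and return the raw Facelets source; the security-constraint with an empty auth-constraint denies those direct requests.

```xml
<!-- Added example: fragment of web.xml, placed inside <web-app>. -->

<!-- Assumed alternative mapping (the question's own web.xml uses *.xhtml instead).
     With this mapping, /parrot.jsf is rendered by the Faces Servlet, but
     /parrot.xhtml is not matched by it and would be served as a static file. -->
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.jsf</url-pattern>
</servlet-mapping>

<!-- Deny every direct client request for a .xhtml file.
     An empty auth-constraint means no role is allowed, so the container
     rejects the request. Facelets still reads the files internally when it
     renders a view requested through the *.jsf mapping. -->
<security-constraint>
    <display-name>Block direct access to raw Facelets source</display-name>
    <web-resource-collection>
        <web-resource-name>XHTML files</web-resource-name>
        <url-pattern>*.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>
```

With the *.xhtml mapping from the question this constraint must not be added, because it would also block the legitimate requests that the Faces Servlet handles.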