
I'm using Spring and JSF together, and the integration has been done with SpringBeanFacesELResolver.

I'm annotating a DAO class with the @Repository annotation. But it is causing a problem: the DAO class is now visible to XHTML/JSF/JSP files.

So, now it's possible to access the Persistence layer from the View layer. And it doesn't seem to be a good approach.

How to solve that?

BalusC
Marcel
  • The spring beans were available to your view files from [the second you defined the Spring EL resolver](http://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/jsf/el/SpringBeanFacesELResolver.html). You seem to be missing the point of a DI framework - there's nothing hidden within a DI context. The `@Repository` is just "syntactic sugar" for the benefit of the spring framework - JSF doesn't care or know about that annotation – kolossus Jan 31 '16 at 17:04
  • In this case, is it safe to use Spring, JSF and SpringBeanFacesELResolver together? I am worried that a bad user could handle the xhtml file to access directly the persistence methods, skipping the controller layer. – Marcel Jan 31 '16 at 17:30
  • Protection against malicious users attempting to invoke business methods situated on the persistence layer in any possible way is part of security - completely different. – Tiny Jan 31 '16 at 18:33

2 Answers


Any public class in the classpath will be visible to your JSP/JSF. However, as long as you do not import/use those classes from your presentation layer, that won't break the layer-based indirection - in my opinion.

As a side note - if your application does not have multiple kinds of clients or multiple transactional resources, most probably you do need a business/service layer, and it's valid to call your repository directly from your presentation layers/controllers.

Fahim Farook
  • In this case, if "any public class in the classpath will be visible to JSP/JSF", could a bad user handle a JSP/JSF file to access directly the persistence methods, skipping the controller/service layer? – Marcel Jan 31 '16 at 17:40
  • Users of your system must not have access to your source :) Hope what you meant here is 'bad developers'? The code must be reviewed by peers and leads to identify such bad coding practices before releasing to CST. – Fahim Farook Jan 31 '16 at 18:57
  • Fahim, what I really would like to know is if an user injects code in client side he can call some bean method in server side. – Marcel Jan 31 '16 at 19:09
  • Users cannot 'inject' JSP/JSF or Java code from the client side - since they need compilation at the server side. However, users can invoke your actions/REST endpoints via HTTP, but cannot invoke your methods using class names. – Fahim Farook Feb 01 '16 at 06:00

JSF is a server-side technology; just do the proper mapping for the faces servlet against the xhtml files. The end user then won't be able to see the source content of any xhtml file, because all his requests against .xhtml sources will be driven through the faces servlet and thus converted to a plain HTML-CSS-JavaScript combination.

If JSF is your view layer framework (it being the only servlet mapping declared), no end user will be able to access your service methods, at least not without bypassing JSF itself. It will take care of security and basic request validation for you.

Anyway, I don't recommend accessing Spring beans through xhtml. Just use a managed bean for that, for architectural reasons. If you have a look at the Integrating with other web frameworks part of the documentation, you'll find how to grab a Spring bean from a JSF managed bean using the FacesContextUtils class.

Aritz
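The pattern this answer points to, as an added example that is not part of the original answer or of the Spring documentation: a JSF managed bean looks up the Spring-managed repository through `FacesContextUtils` and exposes only the view-level operation, so the template references `#{userListBean.users}` and never spells out the repository bean name. `UserRepository`, `User`, the bean name `userRepository` and the `findAll()` method are assumptions for the sake of the example; only `FacesContextUtils.getRequiredWebApplicationContext` and the `javax.faces.bean` annotations are real APIs.

```java
import java.io.Serializable;
import java.util.List;

import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.FacesContext;

import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.jsf.FacesContextUtils;

// Assumed domain types, not from the original post: a minimal entity and the
// @Repository-annotated DAO that the question is worried about exposing.
class User {
    private final String name;
    User(String name) { this.name = name; }
    public String getName() { return name; }
}

interface UserRepository {
    List<User> findAll();
}

/**
 * JSF managed bean sitting between the view and the Spring-managed repository.
 *
 * The template only ever refers to this bean, e.g. in users.xhtml:
 *   <h:dataTable value="#{userListBean.users}" var="u">
 *       <h:column>#{u.name}</h:column>
 *   </h:dataTable>
 * Because there is no getter for the repository field, an expression such as
 * #{userListBean.userRepository} does not resolve, so the template author
 * gets a list of users and nothing else from this bean.
 */
@ManagedBean(name = "userListBean")
@RequestScoped
public class UserListBean implements Serializable {

    private static final long serialVersionUID = 1L;

    // Obtained from the Spring root WebApplicationContext, not injected by JSF
    // and deliberately not exposed as a bean property.
    private transient UserRepository userRepository;

    private UserRepository repository() {
        if (userRepository == null) {
            FacesContext fc = FacesContext.getCurrentInstance();
            // Throws IllegalStateException when no Spring root context is
            // registered for this web application (e.g. missing ContextLoaderListener).
            WebApplicationContext ctx = FacesContextUtils.getRequiredWebApplicationContext(fc);
            // "userRepository" is the assumed bean name of the @Repository class.
            userRepository = ctx.getBean("userRepository", UserRepository.class);
        }
        return userRepository;
    }

    /** The only thing the view can reach: the data it needs, not the DAO itself. */
    public List<User> getUsers() {
        return repository().findAll();
    }
}
```

Two practical checks go with this: the `FacesServlet` must be mapped to the `*.xhtml` pattern (or equivalent) in web.xml so that raw templates are never served, as the answer says; and if the goal is that template authors cannot reach Spring beans by name at all, the thing to remove is the `SpringBeanFacesELResolver` entry in faces-config.xml, since that resolver, not the `@Repository` annotation, is what makes every Spring bean addressable from EL.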