
I understand that one of the ways to serve a JSF page/resource from any location is via RequestDispatcher#forward().

For example, the response to http://domain/contextpath/someotherlink.xhtml can be mapped to the /WEB-INF/serving.xhtml resource location with request.getRequestDispatcher("/WEB-INF/serving.xhtml").forward(request, response)

But the location of the mapped page gets displayed in the action of a component like <h:form>, i.e. <form method="post" action="/contextpath/WEB_INF/serving.xhtml" >, even with OCPsoft Rewrite URLRewriteFilter.

@Alex Tsurika did offer a sample, but JSF expert @BalusC commented on the security hole of this approach, even though he proposed the same dispatch approach.

Question:

  1. How can this security hole, as raised by @BalusC, be mitigated? (UPDATE: I guess none, as @BalusC cleared it up in the comment.)

  2. How can <form method="post" action="/contextpath/someotherlink.xhtml" > be displayed instead of <form method="post" action="/contextpath/WEB_INF/serving.xhtml" >

so as to solve the question asked by @Paul H:

Is it possible to submit a form that has been rendered from a JSF page location in WEB-INF?

Thanks.

Cocoa Butter
  • 1. Alex's answer was already edited to fix the security hole. See timestamps and edit history. 2. This duplicates Paul's question. – BalusC Nov 30 '16 at 07:48
  • Thank you @BalusC. I updated the question. But Paul's question hasn't been answered, even though it can shed light on the second part of my initial question (I really don't think it's a duplicate, even though it's similar). – Cocoa Butter Nov 30 '16 at 09:45
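
One way to wire the forward described in the question so that the rendered form posts back to the public URL. This is an added example, not code from the question, its comments, or any project named in them. The class names, the VIEWS table and the view-handler approach are assumptions; it also assumes a *.xhtml FacesServlet mapping and the javax.* (Java EE) API.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Map;
import javax.faces.application.ViewHandler;
import javax.faces.application.ViewHandlerWrapper;
import javax.faces.context.FacesContext;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;

// Hypothetical filter: a fixed public-path -> view-id table, so request
// input never selects which /WEB-INF resource is forwarded to.
@WebFilter("/*") // default dispatcher type is REQUEST, so the forward does not re-enter it
public class PublicPathFilter implements Filter {
    static final Map<String, String> VIEWS =
        Collections.singletonMap("/someotherlink.xhtml", "/WEB-INF/serving.xhtml");

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String path = http.getRequestURI().substring(http.getContextPath().length());
        String viewId = VIEWS.get(path);           // exact match only
        if (viewId == null) { chain.doFilter(req, res); return; }
        req.getRequestDispatcher(viewId).forward(req, res);
    }

    // Register in faces-config.xml:
    // <application><view-handler>PublicPathFilter$ActionUrlHandler</view-handler></application>
    public static class ActionUrlHandler extends ViewHandlerWrapper {
        private final ViewHandler wrapped;
        public ActionUrlHandler(ViewHandler wrapped) { this.wrapped = wrapped; }
        @Override public ViewHandler getWrapped() { return wrapped; }

        // <h:form> takes its action attribute from this method.
        @Override
        public String getActionURL(FacesContext context, String viewId) {
            for (Map.Entry<String, String> e : VIEWS.entrySet()) {
                if (e.getValue().equals(viewId)) {  // mapped view: emit its public path
                    return context.getExternalContext().getRequestContextPath() + e.getKey();
                }
            }
            return super.getActionURL(context, viewId); // unmapped views keep the default
        }
    }
}
```

The postback to the public path passes through the same filter and is forwarded to the same view, so the view ID JSF restores matches the one it rendered.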

0 Answers