3

I am continuing my practices with JSF 2.0. I see templating is a great thing to do, and it has lots of advantages. But today I got a new doubt related to it.

I created a template for my pages. In the template, I use tags for the parts that are different (those parts will be implemented later in a page using the composition tag in combination with one or more define tags).

```xml
<ui:insert name="content" />
```

Also inside the template, to avoid putting too much code in the template, I create tags to add some other chunks of xhtml.

```xml
<ui:include src="/languageChanger.xhtml"/>
```

This is how my folder structure looks:

[image: folder structure]

It all works as I expect, but when in the URL I navigate to languageChanger.xhtml I see the composite chunk of xhtml:

[image: languageChanger.xhtml opened directly in the browser]

My doubts are:

- Is that chunk of independent code placed in the right place?, Or it is wrong, the user should not be allowed to see that from the URL?

- Is that place save to have other components like login, register...?

- To avoid user access directly the component I could place it in WEB-INF folder, but then I have a problem that the include tag does not find the path. What should I do?

- What would be the best practice, where to place these independent chunks of code?

javing

2 Answers

5

> Is that chunk of independent code placed in the right place?, Or it is wrong, the user should not be allowed to see that from the URL?

Put it somewhere in /WEB-INF. Direct access to this folder is disallowed by the container.


> Is that place save to have other components like login, register...?

I don't understand you. Perhaps you meant to say "safe" instead of "save"? What do you mean with "other components"?


> To avoid user access directly the component I could place it in WEB-INF folder, but then I have a problem that the include tag does not find the path. What should I do?

Your path was apparently plain wrong. Facelet templates, includes, tags and compositions (not composite components) can perfectly be placed in /WEB-INF.


> What would be the best practice, where to place these independent chunks of code?

Put it in /WEB-INF. Best practice is to use absolute paths, i.e. start the path with /. It will be resolved relative to the webcontent root. E.g.

```xml
<ui:include src="/WEB-INF/languageChanger.xhtml" />
```

Only the "main" page (the one which is to be requested by URL) cannot be placed in /WEB-INF.

BalusC
  • Hmm, this is quite wicked; Mojarra uses the `DefaultFacelet.getRelativePath()` to fetch the resource URL, and this method can return absolute paths instead of relative ones (as opposed to its name), allowing your answer to be correct. – Vineet Reynolds Aug 14 '11 at 23:02
  • @BalusC Yes it worked. I just placed that chunk of code in the WEB-INF folder and it worked with no problem, my mistake was in the path given at the include tag. But I am still a bit confused about what things are accessible at WEB-INF and what are not :) – javing Aug 15 '11 at 00:12
  • Things in `/WEB-INF` are accessible to the webapp itself, but not to the outside world. You cannot open http://example.com/context/WEB-INF/whatever by a webbrowser. The same applies to `/META-INF`. It would otherwise have been a security hole if for example `web.xml` was exposed in public that way. – BalusC Aug 15 '11 at 00:48
  • I understand, there needs to be a safe place like that for the config files... :) Thanks! – javing Aug 15 '11 at 07:59
1

For your first two questions:

  • Is that chunk of independent code placed in the right place?, Or it is wrong, the user should not be allowed to see that from the URL?

  • Is that place save to have other components like login, register...?

The templates and the default content used by them are in the right place. They must be present under the web application's document root, and not elsewhere.

For your last two questions:

  • To avoid user access directly the component I could place it in WEB-INF folder, but then I have a problem that the include tag does not find the path. What should I do?

  • What would be the best practice, where to place these independent chunks of code?

The partial answer is provided above, where the need to place included files under the document root has been mentioned. The "resource resolver" used by the JSF runtime, requires that the facelet be present under the document root of the application. Facelets cannot be placed in WEB-INF for this reason.

If you need to prevent users from accessing these pages directly, then you must write a web-application filter to prevent access to these pages.

The Mojarra runtime does not internally forward any HTTP requests to a template resource; instead, it includes the contents of the file, retrieved as a stream. This implies that you need not restrict the filter to dispatch types of REQUEST alone; you can apply the filter to all dispatch types.

Placing all templates and the included facelets, in a /templates directory would make it easier to apply the filter on a single URL - /templates/*.

Vineet Reynolds
  • Now I pretty well understand. I think there is not even a reason to worry about some type of security issue with those components, it is more like an aesthetic issue. Anyway, to feel more safe, I think it would be a good idea to write the filter you mentioned to avoid direct access via the URL. – javing Aug 14 '11 at 21:58
  • @sfrj, if you need to know how to implement the filter, take a look at [this recent commit](https://bitbucket.org/VineetReynolds/galleria/changeset/3852233d2057) in one of my projects. The files to look for are `ResourceFilter` and `web.xml`. – Vineet Reynolds Aug 14 '11 at 22:13
  • Thanks for the link. I did implement a similar filter in the past. I did application managed security once, so more or less I know what I should do. Thanks for your help. – javing Aug 15 '11 at 00:08
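
A sketch of the filter approach described in the second answer, added here as an example; it is not code from the thread or from the linked project's `ResourceFilter`. The class name `TemplateAccessFilter` is hypothetical, and the example assumes the Servlet 3.0 API, templates collected under `/templates/`, and a `FacesServlet` mapped by extension (`*.xhtml`) so that the request path itself starts with `/templates/`.

```java
import java.io.IOException;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical example: rejects every container-dispatched request whose
 * path matches /templates/*. Facelets reads templates and includes as
 * resource streams, not through the request dispatcher, so ui:include and
 * ui:composition keep working while direct URLs are refused.
 */
@WebFilter(
    urlPatterns = "/templates/*",
    dispatcherTypes = {
        DispatcherType.REQUEST, DispatcherType.FORWARD,
        DispatcherType.INCLUDE, DispatcherType.ERROR, DispatcherType.ASYNC
    })
public class TemplateAccessFilter implements Filter {

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Nothing to configure: the URL pattern is fixed in the annotation.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        // chain.doFilter() is deliberately never called: no resource under
        // /templates/* is a page that should be rendered on its own.
        if (response instanceof HttpServletResponse) {
            // 404 instead of 403, so the reply does not confirm the file exists.
            ((HttpServletResponse) response)
                    .sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        throw new ServletException("Direct access to templates is not allowed");
    }

    @Override
    public void destroy() {
        // No resources to release.
    }
}
```

With a prefix mapping such as `/faces/*` the URL pattern would have to cover the prefixed path as well; placing the fragments in `/WEB-INF`, as the first answer does, needs no filter at all.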