user1903225

Reputation: 21

How to restrict access to /javax.faces.resource.../WEB-INF/web.xml.jsf

From http://www.kb.cert.org/vuls/id/526012:

Partial Directory Traversal Via Resource Identifier (CWE-22): A defect exists that allows for directory traversal within the application. The directory traversal is limited in that it cannot be used to escape from the application and access arbitrary files on the application server

How can I restrict access to the path below in JSF 2.0: console/javax.faces.resource.../WEB-INF/web.xml.jsf?

Upvotes: 1

Views: 1906

Answers (2)

BalusC

Reputation: 1108702

As per issue 1166, this was already fixed long ago in 2.0.0-b14 (June 2009).

Just make sure that you're using the most recent JSF impl/version and that you're not using a beta(!) version of a library in production. JSF 2.0 was officially released along with Java EE 6 in December 2009.

Upvotes: 1

user1903225

Reputation: 21

Add a filter, and inside it check whether any request is coming with the value javax.faces.resource...; if so, throw it back with a security error.

Upvotes: 0
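One way to write the filter described in the answer above, as an added example that is not code from the thread. The class name `ResourcePathGuardFilter`, the `/*` mapping, the matching rules and the 403 response are assumptions, and it assumes a Servlet 3.0 container (`javax.servlet`).

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.Locale;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: rejects JSF resource requests that reach for protected paths.
@WebFilter("/*")
public class ResourcePathGuardFilter implements Filter {

    private static final String RESOURCE_MARKER = "/javax.faces.resource";

    /** True when a JSF resource URI uses dot segments or names WEB-INF / META-INF. */
    static boolean isSuspicious(String rawUri) {
        if (rawUri == null) return false;
        String uri = rawUri;
        try {
            // Decode a bounded number of times so nested percent-encoding is seen in plain form.
            for (int i = 0; i < 3 && uri.indexOf('%') >= 0; i++) {
                uri = URLDecoder.decode(uri, "UTF-8");
            }
        } catch (IllegalArgumentException | UnsupportedEncodingException e) {
            return true; // malformed escape sequence: reject rather than guess
        }
        uri = uri.replace('\\', '/').toLowerCase(Locale.ROOT);
        int at = uri.indexOf(RESOURCE_MARKER);
        if (at < 0) return false; // not a JSF resource request, leave it alone
        String tail = uri.substring(at + RESOURCE_MARKER.length());
        return tail.contains("..") || tail.contains("web-inf") || tail.contains("meta-inf");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String uri = ((HttpServletRequest) req).getRequestURI();
        if (isSuspicious(uri)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return; // stop here so the request never reaches the JSF resource handler
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

The filter only inspects the request path, so it is a stopgap next to running a released JSF implementation as the first answer advises.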
