e2k

Reputation: 133

How to avoid user access to .xhtml page in JSF?

I am new to JSF and writing my first simple JSF web app.

URLs with .jsf are mapped to .xhtml files in WebContent, but why can I open the .xhtml in a web browser with all the JSF tags? How do I protect against this?

Upvotes: 13

Views: 12707

Answers (5)

chege

Reputation: 323

You can use a servlet filter

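import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

@WebFilter(filterName = "XhtmlFilter", urlPatterns = { "*.xhtml" })
public class XhtmlFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Reject direct requests for raw .xhtml files. The chain is not continued:
        // sendError() commits the response, so nothing further may be written to it.
        ((HttpServletResponse) response).sendError(HttpServletResponse.SC_NOT_FOUND);
    }

    @Override
    public void destroy() {
    }
}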

Upvotes: 1

kreilinger

Reputation: 111

As far as I have experienced it, the answer of mk761203 is definitely helpful when setting up a project for Google App Engine and Server Faces. Without the exclusion of these files, GAE automatically interprets the files with the .xhtml extension as static files, which get served by dedicated servers from Google's server farm. Read more here: https://developers.google.com/appengine/docs/java/config/appconfig#Static_Files_and_Resource_Files

Upvotes: 0

stacker

Reputation: 68962

You could add a security constraint to your web.xml blocking all requests to *.xhtml.

<security-constraint>
    <display-name>Restrict raw XHTML Documents</display-name>
    <web-resource-collection>
        <web-resource-name>XHTML</web-resource-name>
        <url-pattern>*.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>

Upvotes: 20

mk761203

Reputation: 76

On GAE you need two things:

  1. edit web.xml as described above
  2. add in appengine-web.xml
<static-files>
    <exclude path="/**.xhtml" />
</static-files>

Upvotes: 2

BalusC

Reputation: 1108722

Apart from defining a <security-constraint> to block direct access to .xhtml files as correctly answered by Stacker on this question, you could also just change the <url-pattern> of the FacesServlet mapping from *.jsf to *.xhtml.

<servlet>
    <servlet-name>facesServlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>facesServlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>

In JSF 1.x this used to end up in an infinite loop, but in JSF 2.x not anymore. So you could just call/link all pages as .xhtml without fiddling with different extensions. The only disadvantage is that you won't be able to display a "plain" XHTML file without invoking the FacesServlet, but such a page should be named .html anyway :)

Upvotes: 11
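The two web.xml approaches above (stacker's empty `<auth-constraint />` and BalusC's `*.xhtml` FacesServlet mapping) can be checked mechanically before deployment. The Python check below is an added example, not part of any answer on this page; the function name `xhtml_protection` and the web.xml fragments are constructed for illustration, and only the literal pattern `*.xhtml` is recognised.

```python
import xml.etree.ElementTree as ET

FACES_SERVLET = "javax.faces.webapp.FacesServlet"

def _kids(elem, name):  # match on local name, so namespaced web.xml files work too
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _texts(elem, name):
    return [(c.text or "").strip() for c in _kids(elem, name)]

def xhtml_protection(web_xml):
    """Return 'faces-mapping', 'security-constraint', or None if *.xhtml is not fully covered."""
    root = ET.fromstring(web_xml)
    faces = {n for s in _kids(root, "servlet")
             if FACES_SERVLET in _texts(s, "servlet-class")
             for n in _texts(s, "servlet-name")}
    for m in _kids(root, "servlet-mapping"):
        if faces & set(_texts(m, "servlet-name")) and "*.xhtml" in _texts(m, "url-pattern"):
            return "faces-mapping"
    for sc in _kids(root, "security-constraint"):
        auth = _kids(sc, "auth-constraint")
        # An auth-constraint with no role-name denies everyone; a missing one allows everyone.
        if not auth or any(_texts(a, "role-name") for a in auth):
            continue
        for coll in _kids(sc, "web-resource-collection"):
            # Listing HTTP methods leaves the unlisted (or omitted) methods unconstrained.
            partial = _kids(coll, "http-method") or _kids(coll, "http-method-omission")
            if "*.xhtml" in _texts(coll, "url-pattern") and not partial:
                return "security-constraint"
    return None

# Constructed web.xml fragments (not taken from any real project).
SERVLET = """<servlet><servlet-name>facesServlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class></servlet>
<servlet-mapping><servlet-name>facesServlet</servlet-name>
<url-pattern>%s</url-pattern></servlet-mapping>"""
CONSTRAINT = """<security-constraint><web-resource-collection><web-resource-name>XHTML</web-resource-name>
<url-pattern>*.xhtml</url-pattern>%s</web-resource-collection>%s</security-constraint>"""

def wrap(*parts):
    return '<web-app xmlns="http://java.sun.com/xml/ns/javaee">' + "".join(parts) + "</web-app>"

EXPOSED = wrap(SERVLET % "*.jsf")
CONSTRAINED = wrap(SERVLET % "*.jsf", CONSTRAINT % ("", "<auth-constraint/>"))
GET_ONLY = wrap(SERVLET % "*.jsf", CONSTRAINT % ("<http-method>GET</http-method>", "<auth-constraint/>"))
REMAPPED = wrap(SERVLET % "*.xhtml")

if __name__ == "__main__":
    print({k: xhtml_protection(globals()[k]) for k in ("EXPOSED", "CONSTRAINED", "GET_ONLY", "REMAPPED")})
```

A `None` result for the `GET_ONLY` sample shows the case worth catching in review: a constraint that names specific HTTP methods leaves every other method unconstrained for `*.xhtml`.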
