Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Exclude css & image resources in web.xml Security Constraint

I am using JSF2.1 and Glassfish 3.1.2.

I specify a security constraint to block everything:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secured Content</web-resource-name>
        <!-- Block all -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>

    <!-- only users with at least one of these roles are allowed to access the secured content -->
    <auth-constraint>
        <role-name>ADMINISTRATOR</role-name>
    </auth-constraint>
</security-constraint>

and have another to allow access a subset of pages and the resources:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Open Content</web-resource-name>
        <!-- Allow subscribe -->
        <url-pattern>/subscribe/*</url-pattern>
        <url-pattern>/javax.faces.resource/*</url-pattern>
    </web-resource-collection>
    <!-- No Auth Contraint! -->
</security-constraint>

This works fine. However, is the following

<url-pattern>/javax.faces.resource/*</url-pattern>

the correct way to allow all resources?

I only did this by looking at the url that Facelets injects into the xhtml. Is there security holes with this approach?

Thanks.

like image 766
Tim Avatar asked Dec 04 '12 04:12

Tim


1 Answers

It has to be the value of ResourceHandler#RESOURCE_IDENTIFIER constant. See also its javadoc:

RESOURCE_IDENTIFIER

public static final java.lang.String RESOURCE_IDENTIFIER

Resource#getRequestPath returns the value of this constant as the prefix of the URI. handleResourceRequest(javax.faces.context.FacesContext) looks for the value of this constant within the request URI to determine if the request is a resource request or a view request.

See Also:

Constant Field Values

The constant field values says the following:

public static final java.lang.String    RESOURCE_IDENTIFIER    "/javax.faces.resource"

So, you're absolutely correct as to the URL pattern. There are no security holes, provided that you don't put sensitive information in /resources folder of the public webcontent which is handled by the JSF resource handler.

like image 107
BalusC Avatar answered Sep 19 '22 13:09

BalusC