I am using JSF2.1 and Glassfish 3.1.2.
I specify a security constraint to block everything:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secured Content</web-resource-name>
        <!-- Block all -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- only users with at least one of these roles are allowed to access the secured content -->
    <auth-constraint>
        <role-name>ADMINISTRATOR</role-name>
    </auth-constraint>
</security-constraint>
and have another to allow access to a subset of pages and the resources:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Open Content</web-resource-name>
        <!-- Allow subscribe -->
        <url-pattern>/subscribe/*</url-pattern>
        <url-pattern>/javax.faces.resource/*</url-pattern>
    </web-resource-collection>
    <!-- No Auth Constraint! -->
</security-constraint>
This works fine. However, is the following
<url-pattern>/javax.faces.resource/*</url-pattern>
the correct way to allow all resources?
I only did this by looking at the URL that Facelets injects into the XHTML. Are there security holes with this approach?
Thanks.
It has to be the value of the ResourceHandler#RESOURCE_IDENTIFIER constant. See also its javadoc:

RESOURCE_IDENTIFIER

public static final java.lang.String RESOURCE_IDENTIFIER

Resource#getRequestPath returns the value of this constant as the prefix of the URI. handleResourceRequest(javax.faces.context.FacesContext) looks for the value of this constant within the request URI to determine if the request is a resource request or a view request.

See Also: Constant Field Values

The Constant Field Values page says the following:

public static final java.lang.String RESOURCE_IDENTIFIER "/javax.faces.resource"
So, you're absolutely correct as to the URL pattern. There are no security holes, provided that you don't put sensitive information in the /resources folder of the public web content, which is handled by the JSF resource handler.
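As an added illustration (not code from the question or the answer), here is a small Python model of how a Servlet container picks the security constraint for a request path, fed with the two constraints above as data; it assumes the Servlet 3.0 best-match rule (exact pattern, then longest path prefix, then extension, then the default "/" pattern) and uses constructed request paths to show which ones end up reachable without a role, including the /resources caveat from the answer.

```python
# Added example: model of Servlet security-constraint matching, used to audit
# which request paths the two web.xml constraints leave unauthenticated.
# Assumption: Servlet 3.0 best-match rule; every constraint whose pattern is
# the best match applies, and one without <auth-constraint> opens the path.

def _match_rank(pattern, path):
    """Return (rank, specificity) if pattern matches path, else None."""
    if pattern == path:
        return (4, len(pattern))                 # exact match beats everything
    if pattern.endswith("/*"):
        prefix = pattern[:-2]                    # "/subscribe/*" -> "/subscribe"
        if path == prefix or path.startswith(prefix + "/"):
            return (3, len(prefix))              # longest matching prefix wins
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (2, 0)                            # extension mapping
    if pattern == "/":
        return (1, 0)                            # default mapping
    return None

def required_roles(constraints, path):
    """Roles allowed for `path`; None means unauthenticated access is allowed."""
    best = None                                  # (rank tuple, pattern)
    for c in constraints:
        for pat in c["patterns"]:
            r = _match_rank(pat, path)
            if r and (best is None or r > best[0]):
                best = (r, pat)
    if best is None:
        return None                              # no constraint covers the path
    winning = [c for c in constraints if best[1] in c["patterns"]]
    if any(c["roles"] is None for c in winning):
        return None                              # no <auth-constraint> => open
    return set().union(*(c["roles"] for c in winning))

def unauthenticated_paths(constraints, paths):
    """Audit helper: the subset of `paths` reachable without any role."""
    return [p for p in paths if required_roles(constraints, p) is None]

# The two constraints from the web.xml above (None = no <auth-constraint>).
CONSTRAINTS = [
    {"patterns": ["/*"], "roles": {"ADMINISTRATOR"}},
    {"patterns": ["/subscribe/*", "/javax.faces.resource/*"], "roles": None},
]

# Constructed request paths; the last one is how the JSF resource handler
# would serve a file placed under /resources, which is why the answer warns
# against putting sensitive files there.
SAMPLE_PATHS = [
    "/subscribe/index.xhtml",
    "/admin/index.xhtml",
    "/resources/secret.properties",
    "/javax.faces.resource/secret.properties.xhtml",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, "->", required_roles(CONSTRAINTS, p) or "open")
```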