Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Exclude css & image resources in web.xml Security Constraint

Tags:

security

jsf

jakarta-ee

facelets

web.xml

I am using JSF2.1 and Glassfish 3.1.2.

I specify a security constraint to block everything:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secured Content</web-resource-name>
        <!-- Block all -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>

    <!-- only users with at least one of these roles are allowed to access the secured content -->
    <auth-constraint>
        <role-name>ADMINISTRATOR</role-name>
    </auth-constraint>
</security-constraint>

and have another to allow access a subset of pages and the resources:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Open Content</web-resource-name>
        <!-- Allow subscribe -->
        <url-pattern>/subscribe/*</url-pattern>
        <url-pattern>/javax.faces.resource/*</url-pattern>
    </web-resource-collection>
    <!-- No Auth Contraint! -->
</security-constraint>

This works fine. However, is the following 

<url-pattern>/javax.faces.resource/*</url-pattern>

the correct way to allow all resources?

I only did this by looking at the url that Facelets injects into the xhtml. Is there security holes with this approach?

Thanks.

like image 766
Tim Avatar asked Dec 04 '12 04:12

Tim

1 Answers

It has to be the value of ResourceHandler#RESOURCE_IDENTIFIER constant. See also its javadoc:

RESOURCE_IDENTIFIER

public static final java.lang.String RESOURCE_IDENTIFIER

Resource#getRequestPath returns the value of this constant as the prefix of the URI. handleResourceRequest(javax.faces.context.FacesContext) looks for the value of this constant within the request URI to determine if the request is a resource request or a view request.

See Also:

Constant Field Values

The constant field values says the following:

public static final java.lang.String    RESOURCE_IDENTIFIER    "/javax.faces.resource"

So, you're absolutely correct as to the URL pattern. There are no security holes, provided that you don't put sensitive information in /resources folder of the public webcontent which is handled by the JSF resource handler.

like image 107
BalusC Avatar answered Sep 19 '22 13:09

BalusC
Sign in to Comment

Related questions

Does hashing and encrypting the same field weakens it?
SecItemCopyMatching memory leaking
What's the point of a javascript API key when it can be seen to anyone viewing the js code
ipad lockdown: launch app on boot?
Cryptography and Authentication via TLS with Web of Trust in Java
How well are Cocoa UI and general framework elements protected against malicious attacks?
How and when to use ClientCert in CFHTTP tag?
How to deal with botnets and automated submissions
Securing passwords in production environment
How to fix buffer overflow return address failure?
Are there other sequences browsers interpret as HTML special characters?
How can I prevent IE form auto-fill from filling in a honeypot field?
Injecting 64 Bit DLL using code cave
Embedded IronPython Security
Internet Explorer blocked this website from displaying content with security certificate errors
Grails how to log security plugin activity
How to restrict access to files in a folder in codeigniter
Pyramid.security: Is getting user info from a database with unauthenticated_userid(request) really secure?
How to properly sanitize content with AntiXss Library?
Return into libc - Illegal instruction

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!