Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

JSF and PrettyFaces - How to restrict direct xhtml requests

I'm new to JSF and PrettyFaces. So by now i found out that i can configure PrettyFaces to "forward" the request to the right .xhtml file. The problem is, that i (or a user, in case he knows my folder structure) also can request the file. This is my sample:

Files: webbapp/mypage.xhtml

I added the following lines to pretty-config.xml:

<url-mapping id="myPageId">
    <pattern value="/prettyurltomypage" />
    <view-id value="/mypage.xhtml" /> 
</url-mapping>

The PrettyFaces Filter is configured to intercept on "/". The Faces Front Controller is configured to process all ".xhtml" requests. When i request...

http://localhost:8080/myapp/prettyurltomypage

...evrything is fine. My problem is, that i can also request...

http://localhost:8080/myapp/mypage.xhtml

How can i restrict the .xhtml requests? My goal is to make jsf/server deliver the default 404 page.

My solution (so far) was to define a rewrite rule in pretty-config.xml:

<rewrite match="/mypage.xhtml" substitute="/prettyurltomypage" redirect="301" />

Is there any other (smarter) way?

like image 574
Alebon Avatar asked Aug 03 '11 09:08

Alebon


2 Answers

It can be done by marking XHTML files as web resources in your deployment descriptor.
To do so, you may add something like this to your web.xml:

<security-constraint>
    <display-name>Restrict direct access to XHTML files</display-name>
    <web-resource-collection>
        <web-resource-name>XHTML files</web-resource-name>
        <url-pattern>*.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>

If you'd like to read more about security constraints there's a brief article on Javalobby.

like image 194
bcsongor Avatar answered Sep 27 '22 20:09

bcsongor


Yeah, if you just want to block access to direct pages, that's probably the best way to go without using something like a custom security package - otherwise, if you just want to make sure the pages are rendered correctly. You can actually just change your faces servlet mapping to .xhtml, which means that your source will not be exposed when people access pages.

<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.faces</url-pattern>
</servlet-mapping>

If you want to do more complicated rewrite rules in order to actually lock down the pages, you could consider using a custom rewrite processor and implement the Processor interface.

http://ocpsoft.com/docs/prettyfaces/3.3.0/en-US/html_single/#inbound_rewriting.options

Custom processors have access to the HttpServletRequest and HttpServletResponse and invoke both on inbound and outbound rewrites: You can do more complicated things with this interface:

/**
 * Perform a rewrite operation on a given URL, utilizing any necessary information from the given {@link RewriteRule}
 * configuration object from which the processor was invoked.
 * 
 * @author Lincoln Baxter, III <[email protected]>
 */
public interface Processor
{
   /**
    * Process an inbound URL Rewrite request. This takes place when the request first comes in to the server and passes
    * through {@link RewriteFilter}
    */
   String processInbound(HttpServletRequest request, HttpServletResponse response, RewriteRule rule, String url);

   /**
    * Process an outbound URL Rewrite request. This takes place when a URL is passed in to
    * {@link HttpServletResponse#encodeRedirectURL(String)}, and since most frameworks ensure the call to
    * 'encodeRedirectUrl()' occurs automatically, can be assumed to occur whenever a URL would be rendered to HTML
    * output.
    */
   String processOutbound(HttpServletRequest request, HttpServletResponse response, RewriteRule rule, String url);
}

Otherwise, what you are doing will work, and until OCPSoft Rewrite https://github.com/ocpsoft/rewrite ( Who are also behind PrettyFaces ) is released, in which case you could do this pretty easily with a simple inbound rewrite rule:

package com.example;
public class ExampleConfigurationProvider extends HttpConfigurationProvider
{

   @Override
   public int priority()
   {
     return 10;
   }

   @Override
   public Configuration getConfiguration(final ServletContext context)
   {
     return ConfigurationBuilder.begin()
       .defineRule()
         .when(Direction.isInbound().and(DispatchType.isRequest()).and(Path.matches(".*\\.xhtml")).andNot(Path.matches(".*javax.faces.resource.*")))
         .perform(SendStatus.code(404));
    }
}

This Rewrite rule will block access to inbound HTTP requests on .XHTML files, while still allowing forwarded, or error, or async requests. It will also leave the JSF2 resources API in a functional state, which is not the case if you use the Java EE Security Constraint as suggested in another answer.

Hope this helps, Lincoln

like image 32
Lincoln Avatar answered Sep 27 '22 22:09

Lincoln