How to avoid user access to .xhtml page in JSF?

终归单人心 2020-12-06 02:05

I am new to JSF and writing my first simple JSF web app.

URLs with .jsf are mapped to .xhtml files in WebContent, but why can I open .xhtml in the web browser with all jsf t

5 Answers
  • 2020-12-06 02:08

    You can use a servlet filter

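    import java.io.IOException;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.annotation.WebFilter;
    import javax.servlet.http.HttpServletResponse;

    // Rejects every direct client request for a raw .xhtml file.
    @WebFilter(filterName = "XhtmlFilter", urlPatterns = { "*.xhtml" })
    public class XhtmlFilter implements Filter {

        @Override
        public void init(FilterConfig filterConfig) throws ServletException {
        }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            // sendError() commits the response, so the chain must not be continued afterwards.
            ((HttpServletResponse) response).sendError(404);
        }

        @Override
        public void destroy() {
        }
    }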
    
  • 2020-12-06 02:18

    On GAE you need two things:

    1. edit web.xml as described above
    2. add in appengine-web.xml

    <static-files>
        <exclude path="/**.xhtml" />
    </static-files>
    
  • 2020-12-06 02:22

    Apart from defining a <security-constraint> to block direct access to .xhtml files as correctly answered by Stacker on this question, you could also just change the <url-pattern> of the FacesServlet mapping from *.jsf to *.xhtml.

    <servlet>
        <servlet-name>facesServlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>facesServlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>
    

    In JSF 1.x this used to end up in an infinite loop, but in JSF 2.x not anymore. So you could just call/link all pages as .xhtml without fiddling with different extensions. The only disadvantage is that you won't be able to display a "plain" XHTML file without invoking the FacesServlet, but such a page should be named .html anyway :)

  • 2020-12-06 02:27

    You could add a security constraint to your web.xml blocking all requests to *.xhtml.

    <security-constraint>
        <display-name>Restrict raw XHTML Documents</display-name>
        <web-resource-collection>
            <web-resource-name>XHTML</web-resource-name>
            <url-pattern>*.xhtml</url-pattern>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>
    
  • 2020-12-06 02:32

    As far as I have experienced it, the answer of mk761203 is definitely helpful when setting up a project for Google App Engine and Server Faces. Without the exclusion of these files, GAE automatically interprets the files with the .xhtml extension as static files, which get served by dedicated servers from Google's server farm. Read more here: https://developers.google.com/appengine/docs/java/config/appconfig#Static_Files_and_Resource_Files
