Changing JSF prefix to suffix mapping forces me to reapply the mapping on CSS background images

Posted on 2024-11-26 14:35:47

I've been using prefix mapping for years and decided to switch to suffix
mapping, just to get rid of the /faces in the url really. I just wanted
to check I'm going in the right direction before I dig myself a hole as
there are a few unexpected things going on. I changed from this:

<servlet-mapping>
    <servlet-name>FacesServlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
</servlet-mapping>

to this:

<servlet-mapping>
    <servlet-name>FacesServlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>

And then I see that everything going through FacesServlet has .xhtml
appended to it, so that the browser is requesting background.png.xhtml files,
style.css.xhtml file - is this right? It is called suffix mapping I suppose,
but it looks a bit untidy to me and I'm trying to convince myself it's
the way to go.

In my CSS files where a URI is referenced I also have to append .xhtml:

background-image: url(images/background.png.xhtml);

Then I saw a post from BalusC that gives a solution to prevent the
download of resources without going via FacesServlet:

<security-constraint>
    <display-name>Restrict raw XHTML docs</display-name>
    <web-resource-collection>
        <web-resource-name>XHTML</web-resource-name>
        <url-pattern>*.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>

When I add this then only real .xhtml files load on the page, all
other resources (despite having .xhtml appended) do not display.

All I want to know is:

  1. Is this appending .xhtml to everything normal (sorry if the year's
    silliest question)

  2. Why does the 'restrict raw xhtml docs' security constraint prevent resources such as
    CSS, JavaScript and images from loading?

Thanks for any feedback. I am using Mojarra 2.1.2 on Glassfish 3.1.

Comments (1)

忆梦 2024-12-03 14:35:47

and then I see that everything going through FacesServlet has .xhtml appended to it, so that the browser is requesting .png.xhtml files, .css.xhtml file - is this right?

This only applies to resources included by <h:outputStylesheet> and <h:outputScript>. This is not related to the change in the URL mapping. This is related to the change from JSF 1.x to JSF 2.x and the change from <link rel="stylesheet"> and <script> to the aforementioned JSF2 tags.

For your own scripts, stylesheets and other static stuff which is to be served from the public webcontent, you should not manually add the .xhtml extension. You should not need to change anything with regard to existing static resources.

Only for CSS background images and other url() references in CSS files which are to be included using the <h:outputStylesheet> tag (and thus not for <link rel="stylesheet">), you would need to change the url() location to be dynamically resolved by EL. You would need to use the following syntax instead:

body {
    background-image: url("#{resource['libraryname:path/to/image.png']}");
}

Imagine that you have the following /resources folder structure:

WebContent
 |-- META-INF
 |-- resources
 |    `-- default
 |         |-- images
 |         |    `-- background.png
 |         `-- css
 |              `-- style.css
 |-- WEB-INF
 `-- test.xhtml

and that you're including the style.css in test.xhtml as follows

<h:outputStylesheet library="default" name="css/style.css" />

then you should be defining the background image URL as follows

body {
    background-image: url("#{resource['default:images/background.png']}");
}

Or when you're relying on the default library, thus you aren't using the library, then it should rather look like this:

WebContent
 |-- META-INF
 |-- resources
 |    |-- images
 |    |    `-- background.png
 |    `-- css
 |         `-- style.css
 |-- WEB-INF
 `-- test.xhtml

test.xhtml:

<h:outputStylesheet name="css/style.css" />

style.css:

body {
    background-image: url("#{resource['images/background.png']}");
}

As to the security constraint, it is not needed when you're already using the *.xhtml mapping. The security constraint is intended to prevent the enduser from seeing the raw XHTML source code when the FacesServlet is mapped on a pattern other than *.xhtml. The enduser would be able to see the XHTML source code by just removing /faces part from the URL in case of a /faces/* mapping or renaming .jsf to .xhtml in case of a *.jsf mapping. Get rid of the security constraint, it makes in your case things worse as you're already using a *.xhtml mapping which makes it already impossible to see the raw XHTML source code by hacking the URL.
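
An added example, not part of the original answer or of any JSF project code: a small Python audit that reads a web.xml and reports whether raw XHTML source is reachable, applying the rule stated in the answer above. The servlet name `FacesServlet` is taken from the fragments on this page; the status labels and the sample descriptors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop the XML namespace so any web.xml schema version is accepted.
    return tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    # Text of every descendant element called `name`.
    return [(e.text or "").strip() for e in elem.iter() if _local(e.tag) == name]

def audit_raw_xhtml(web_xml, faces_servlet="FacesServlet"):
    """Classify a web.xml string as EXPOSED, OK or REDUNDANT.

    faces_servlet is the <servlet-name> used on this page; adjust if yours differs.
    """
    root = ET.fromstring(web_xml)
    patterns, deny_all = [], False
    for el in root:
        kind = _local(el.tag)
        if kind == "servlet-mapping" and faces_servlet in _texts(el, "servlet-name"):
            patterns += _texts(el, "url-pattern")
        elif kind == "security-constraint" and "*.xhtml" in _texts(el, "url-pattern"):
            auth = [c for c in el if _local(c.tag) == "auth-constraint"]
            # An auth-constraint with no role-name denies every direct request.
            deny_all = deny_all or any(not _texts(a, "role-name") for a in auth)
    if "*.xhtml" in patterns:
        # FacesServlet already handles *.xhtml, so the raw source is never served.
        return "REDUNDANT" if deny_all else "OK"
    return "OK" if deny_all else "EXPOSED"

# Constructed sample descriptors built from the fragments quoted on this page.
MAPPING = ("<servlet-mapping><servlet-name>FacesServlet</servlet-name>"
           "<url-pattern>%s</url-pattern></servlet-mapping>")
CONSTRAINT = ("<security-constraint><web-resource-collection>"
              "<web-resource-name>XHTML</web-resource-name>"
              "<url-pattern>*.xhtml</url-pattern></web-resource-collection>"
              "<auth-constraint/></security-constraint>")

def sample(pattern, constrained):
    return "<web-app>%s%s</web-app>" % (MAPPING % pattern, CONSTRAINT if constrained else "")

if __name__ == "__main__":
    for pattern in ("/faces/*", "*.jsf", "*.xhtml"):
        for constrained in (False, True):
            print(pattern, constrained, audit_raw_xhtml(sample(pattern, constrained)))
```

REDUNDANT corresponds to the asker's configuration: the constraint adds no protection on top of a *.xhtml mapping and is the setting the answer says to remove.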
