JSF and PrettyFaces - how to restrict direct xhtml requests

Posted 2024-11-27 22:13:59 · 871 words · 4 views · 0 comments

I'm new to JSF and PrettyFaces. So by now I found out that I can configure PrettyFaces to "forward" the request to the right .xhtml file. The problem is that I (or a user, in case he knows my folder structure) can also request the file directly. This is my sample:

Files:
webbapp/mypage.xhtml

I added the following lines to pretty-config.xml:

<url-mapping id="myPageId">
    <pattern value="/prettyurltomypage" />
    <view-id value="/mypage.xhtml" /> 
</url-mapping>

The PrettyFaces Filter is configured to intercept on "/". The Faces Front Controller is configured to process all ".xhtml" requests. When I request...

http://localhost:8080/myapp/prettyurltomypage

...everything is fine. My problem is that I can also request...

http://localhost:8080/myapp/mypage.xhtml

How can I restrict the .xhtml requests? My goal is to make JSF/the server deliver the default 404 page.

My solution (so far) was to define a rewrite rule in pretty-config.xml:

<rewrite match="/mypage.xhtml" substitute="/prettyurltomypage" redirect="301" />

Is there any other (smarter) way?


Comments (3)

挽清梦 2024-12-04 22:13:59

It can be done by marking XHTML files as web resources in your deployment descriptor.
To do so, you may add something like this to your web.xml:

<security-constraint>
    <display-name>Restrict direct access to XHTML files</display-name>
    <web-resource-collection>
        <web-resource-name>XHTML files</web-resource-name>
        <url-pattern>*.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>

If you'd like to read more about security constraints there's a brief article on Javalobby.

烙印 2024-12-04 22:13:59

Yeah, if you just want to block access to direct pages, that's probably the best way to go without using something like a custom security package. Otherwise, if you just want to make sure the pages are rendered correctly, you can actually just change your faces servlet mapping to .xhtml, which means that your source will not be exposed when people access pages.

<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.faces</url-pattern>
</servlet-mapping>

If you want to do more complicated rewrite rules in order to actually lock down the pages, you could consider using a custom rewrite processor and implement the Processor interface.

http://ocpsoft.com/docs/prettyfaces/3.3.0/en-US/html_single/#inbound_rewriting.options

Custom processors have access to the HttpServletRequest and HttpServletResponse and are invoked on both inbound and outbound rewrites; you can do more complicated things with this interface:

// Imports added for completeness; these are the PrettyFaces 3.x package names.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ocpsoft.pretty.faces.config.rewrite.RewriteRule;

/**
 * Perform a rewrite operation on a given URL, utilizing any necessary information from the given {@link RewriteRule}
 * configuration object from which the processor was invoked.
 * 
 * @author Lincoln Baxter, III <[email protected]>
 */
public interface Processor
{
   /**
    * Process an inbound URL Rewrite request. This takes place when the request first comes in to the server and passes
    * through {@link RewriteFilter}. Returning a different URL rewrites the request before it reaches the Faces Servlet.
    */
   String processInbound(HttpServletRequest request, HttpServletResponse response, RewriteRule rule, String url);

   /**
    * Process an outbound URL Rewrite request. This takes place when a URL is passed in to
    * {@link HttpServletResponse#encodeRedirectURL(String)}, and since most frameworks ensure the call to
    * 'encodeRedirectUrl()' occurs automatically, can be assumed to occur whenever a URL would be rendered to HTML
    * output.
    */
   String processOutbound(HttpServletRequest request, HttpServletResponse response, RewriteRule rule, String url);
}

Otherwise, what you are doing will work until OCPSoft Rewrite https://github.com/ocpsoft/rewrite (who are also behind PrettyFaces) is released, at which point you could do this pretty easily with a simple inbound rewrite rule:

package com.example;

// Imports added for completeness; these are the org.ocpsoft.rewrite package names.
import javax.servlet.ServletContext;
import org.ocpsoft.rewrite.config.Configuration;
import org.ocpsoft.rewrite.config.ConfigurationBuilder;
import org.ocpsoft.rewrite.config.Direction;
import org.ocpsoft.rewrite.servlet.config.DispatchType;
import org.ocpsoft.rewrite.servlet.config.HttpConfigurationProvider;
import org.ocpsoft.rewrite.servlet.config.Path;
import org.ocpsoft.rewrite.servlet.config.SendStatus;

// Rewrite discovers providers via META-INF/services/org.ocpsoft.rewrite.config.ConfigurationProvider.
public class ExampleConfigurationProvider extends HttpConfigurationProvider
{
   @Override
   public int priority()
   {
      return 10;
   }

   @Override
   public Configuration getConfiguration(final ServletContext context)
   {
      // Only the client's original request (not forwards, errors or async dispatches)
      // for a *.xhtml path gets a 404; JSF resource URLs are excluded so the resource API keeps working.
      return ConfigurationBuilder.begin()
         .defineRule()
            .when(Direction.isInbound().and(DispatchType.isRequest()).and(Path.matches(".*\\.xhtml")).andNot(Path.matches(".*javax.faces.resource.*")))
            .perform(SendStatus.code(404));
   }
}

This Rewrite rule will block access to inbound HTTP requests on .XHTML files, while still allowing forwarded, or error, or async requests. It will also leave the JSF2 resources API in a functional state, which is not the case if you use the Java EE Security Constraint as suggested in another answer.

Hope this helps,
Lincoln
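For a container that has no Rewrite library on the classpath, the same decision the Rewrite rule above encodes (REQUEST dispatch only, *.xhtml only, JSF resource URLs exempt) can be made in a plain Servlet 3.0 filter. This is an added example, not code from the thread or from PrettyFaces; the class name `DirectViewAccessFilter` and package are hypothetical.

```java
package com.example;

import java.io.IOException;
import javax.faces.application.ResourceHandler;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Hypothetical filter, not from the thread. Listing only DispatcherType.REQUEST makes the
 * container run it for the browser's original request but not for the forward PrettyFaces
 * performs to reach /mypage.xhtml, nor for error or async dispatches.
 */
@WebFilter(urlPatterns = "*.xhtml", dispatcherTypes = DispatcherType.REQUEST)
public class DirectViewAccessFilter implements Filter
{
   @Override
   public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
         throws IOException, ServletException
   {
      HttpServletRequest request = (HttpServletRequest) req;
      HttpServletResponse response = (HttpServletResponse) res;
      if (isDirectViewRequest(request.getServletPath()))
      {
         // Same outcome as SendStatus.code(404): the container's default 404 page.
         response.sendError(HttpServletResponse.SC_NOT_FOUND);
         return;
      }
      chain.doFilter(req, res);
   }

   /*
    * With an extension-mapped Faces Servlet, JSF 2 resource URLs look like
    * /javax.faces.resource/main.css.xhtml and must stay reachable, which is why a blanket
    * *.xhtml security-constraint breaks the resource API and why the Rewrite rule excludes them.
    */
   static boolean isDirectViewRequest(String servletPath)
   {
      return !servletPath.startsWith(ResourceHandler.RESOURCE_IDENTIFIER + "/");
   }

   @Override public void init(FilterConfig config) {}
   @Override public void destroy() {}
}
```

Because the PrettyFaces filter runs on the REQUEST dispatch for `/prettyurltomypage` and then forwards to `/mypage.xhtml`, the pretty URL keeps working while a direct `/mypage.xhtml` request is answered with 404.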

故人的歌 2024-12-04 22:13:59

See the following Issue:
http://code.google.com/p/prettyfaces/issues/detail?id=116

Hope this will help you
