Which XHTML files need to go into /WEB-INF, and which do not?

Posted 2024-12-29 07:34:33


After these questions:

all of which I wrote to resolve a "stupid" issue with the JSF2 framework: the fact that I can't link directly to a page stored in a /WEB-INF subfolder. After doing some research on Google and Stack Overflow, I would like to know one thing: how do I structure a JSF2 web project?

In particular, where exactly do I put the XHTML pages?


Comments (1)

稀香 2025-01-05 07:34:33


Files in the /WEB-INF folder are indeed not publicly accessible by the end user. So you cannot have something like http://localhost:8080/contextname/WEB-INF/some.xhtml. That would be a potential security hole, as the end user would be able to view, among others, /WEB-INF/web.xml and so on.

You can however use the /WEB-INF folder to put master template files, include files and tag files in. For example, the following template client page.xhtml which is placed outside /WEB-INF and is accessible by http://localhost:8080/contextname/page.xhtml:

<ui:composition template="/WEB-INF/templates/template.xhtml"
    xmlns="http://www.w3.org/1999/xhtml"
    xmlns:f="http://java.sun.com/jsf/core"
    xmlns:h="http://java.sun.com/jsf/html"
    xmlns:ui="http://java.sun.com/jsf/facelets"
>
    <ui:define name="content">
        ...
        <ui:include src="/WEB-INF/includes/include.xhtml" />
        ...
    </ui:define>
</ui:composition>

The advantage of placing master templates and include files in /WEB-INF is that the end user won't be able to open them directly by entering/guessing their URL in the browser address bar. The normal pages and template clients which are intended to be accessed directly must not be placed in the /WEB-INF folder.

By the way, the composite component files are in turn also not supposed to be publicly accessible; however, they are by specification required to be placed in the /resources folder, which is by default publicly accessible. If you make sure that you access all resources using the components provided for that purpose, so that they are never accessed by /resources in the URL (but instead by /javax.faces.resource), then you can add the following constraint to web.xml to block all public access to the /resources folder:

<security-constraint>
    <display-name>Restrict direct access to the /resources folder.</display-name>
    <web-resource-collection>
        <web-resource-name>The /resources folder.</web-resource-name>
        <url-pattern>/resources/*</url-pattern>
    </web-resource-collection>
    <auth-constraint />
</security-constraint> 
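As an added illustration, not part of the answer above and not the code of any servlet container or JSF implementation, the following Python models the two access rules the answer relies on: the container's refusal to serve anything under /WEB-INF (or /META-INF), and a web.xml <security-constraint> whose empty <auth-constraint/> denies every request matching its url-patterns. The web.xml fragment (carrying the constraint from the answer) and the request paths are constructed for the example; url-pattern matching follows the Servlet specification's rules (exact, path prefix, extension, default). It goes slightly beyond the answer by also showing that a percent-encoded /WEB-INF is still refused and that a prefix pattern is segment-aligned.

```python
"""Model of the two access rules the answer above relies on: a servlet
container never serves files under /WEB-INF or /META-INF, and a web.xml
<security-constraint> whose <auth-constraint/> names no role denies every
request matching its url-patterns. Illustrative code written for this page,
not the implementation of any container or of JSF."""
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed web.xml fragment carrying the constraint shown in the answer.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <display-name>Restrict direct access to the /resources folder.</display-name>
    <web-resource-collection>
      <web-resource-name>The /resources folder.</web-resource-name>
      <url-pattern>/resources/*</url-pattern>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace prefix ElementTree attaches to element names."""
    return tag.rsplit('}', 1)[-1]


def denied_url_patterns(web_xml):
    """Collect url-patterns of constraints that deny access to everyone.

    An <auth-constraint/> with no <role-name> children means "no role may
    access"; a constraint that lists roles only restricts access and is
    skipped here."""
    patterns = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != 'security-constraint':
            continue
        auth = [c for c in sc if _local(c.tag) == 'auth-constraint']
        if not auth or any(_local(r.tag) == 'role-name' for r in auth[0]):
            continue
        for coll in sc:
            if _local(coll.tag) == 'web-resource-collection':
                for up in coll:
                    if _local(up.tag) == 'url-pattern' and up.text:
                        patterns.append(up.text.strip())
    return patterns


def pattern_matches(pattern, path):
    """url-pattern matching as the Servlet specification defines it:
    '/' or '/*' matches everything, '/x/*' is a path-prefix match (segment
    aligned, and '/x' itself matches), '*.ext' is an extension match on the
    last segment, anything else is an exact match."""
    if pattern in ('/', '/*'):
        return True
    if pattern.endswith('/*'):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + '/')
    if pattern.startswith('*.'):
        return path.rsplit('/', 1)[-1].endswith(pattern[1:])
    return path == pattern


def access_decision(request_path, denied_patterns):
    """Decide what the container does with a context-relative request path.

    Returns (status, reason): 404 for /WEB-INF and /META-INF (the container
    refuses them regardless of web.xml), 403 when a deny-all constraint
    matches, and 200 meaning "not restricted; served if the file exists"."""
    # Containers match against the decoded path, so %57EB-INF is WEB-INF.
    path = unquote(request_path.split('?', 1)[0])
    first = path.lstrip('/').split('/', 1)[0]
    # Compared case-insensitively: on a case-insensitive file system both
    # spellings name the same directory.
    if first.upper() in ('WEB-INF', 'META-INF'):
        return 404, f'container refuses direct access to /{first}'
    for pat in denied_patterns:
        if pattern_matches(pat, path):
            return 403, f'blocked by security-constraint url-pattern {pat}'
    return 200, 'not restricted; served if the resource exists'


if __name__ == '__main__':
    denied = denied_url_patterns(WEB_XML)
    # Constructed request paths, all relative to the web app's context root.
    for p in ['/page.xhtml',
              '/WEB-INF/templates/template.xhtml',
              '/WEB-INF/web.xml',
              '/%57EB-INF/web.xml',
              '/resources/css/style.css',
              '/resourcesx/style.css',
              '/javax.faces.resource/css/style.css']:
        status, why = access_decision(p, denied)
        print(f'{status} {p:45} {why}')
```

The model shows why the answer's advice hangs together: page.xhtml stays reachable, the template and include under /WEB-INF are refused by the container without any configuration, the constraint closes the /resources/* path to browsers, and the /javax.faces.resource path that the JSF resource components generate is untouched by that constraint, so stylesheets, scripts and composite components keep working as long as every reference goes through those components.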