Not seeing .css or images

This topic contains 12 replies, has 3 voices, and was last updated by Lincoln Baxter III 5 years, 1 month ago.

    #18181

    Tony Herstell
    Participant

    I am trying to add basic “security” by limiting the pages non-logged-in users can get to.

    I have got as far as this:

    config.defineRule()
    .when(Direction.isInbound().andNot(
    Path.matches("/pages/users/CRUDUser.xhtml")
    .or(Path.matches("/img/{suffix}").where("suffix").matches(".*")
    .or(Path.matches("/resources/css/{suffix}").where("suffix").matches(".*")
    .or(Path.matches("/pages/error/generalError.xhtml")
    .or(Path.matches("/pages/error/viewExpired.xhtml")
    .or(Path.matches("/pages/landing.xhtml"))))))))
    .perform(Redirect.temporary(context.getContextPath() + "/pages/landing.xhtml"));

    The css and images are not shown for the landing page however.

    Please advise.

    #22173

    Tony Herstell
    Participant

    Also, I am using prettyfaces to smarten up my URLs

    Do I use the pattern or the relative url (as above) in the rules…

    @URLMappings(mappings = { @URLMapping(id = "manageUsers", pattern = "/users/manage", viewId = "/pages/users/manageUsers.xhtml"),
    @URLMapping(id = "registerUser", pattern = "/users/register", viewId = "/pages/users/CRUDUser.xhtml"),
    @URLMapping(id = "createUser", pattern = "/users/create", viewId = "/pages/users/CRUDUser.xhtml"),
    @URLMapping(id = "readUser", pattern = "/users/view", viewId = "/pages/users/CRUDUser.xhtml"),
    @URLMapping(id = "updateUser", pattern = "/users/update", viewId = "/pages/users/CRUDUser.xhtml"),
    @URLMapping(id = "deleteUser", pattern = "/users/delete", viewId = "/pages/users/CRUDUser.xhtml") })

    As I want to allow access to /users/register but NONE of the others this would make things much easier; as the CRUDUser page is heavily reused (as you can see)!

    #22174

    So your CSS works on the other pages, but not the landing page?

    What is different about that page?

    Also, yes you can perform loggedin checks using your own Condition implementation. Use it like you would use Path().

    new HttpCondition() {
        @Override
        public boolean evaluateHttp(HttpServletRewrite event, EvaluationContext context)
        {
            // True for authenticated users; 'identity' is the injected Identity bean
            return identity.isLoggedIn();
        }
    }

    #22175

    Tony Herstell
    Participant

    > What is different about that page?

    It has no rules protecting it… :)

    If I go through the landing page and login then go to another page I am fine.

    I am even fine if I just login and go to the landing page.

    The rule only fires if I am not logged in.

    I check loggedIn status like this:

    @Inject
    private Identity identity;
    ....
    ConfigurationBuilder config = ConfigurationBuilder.begin();
    if (this.identity.isLoggedIn()) {

    // For now I am happy to allow access to all pages...

    }
    else {
    config.defineRule()
    .when(Direction.isInbound().andNot(
    Path.matches("/img/{suffix}").where("suffix").matches(".*")
    .or(Path.matches("/resources/css/{suffix}").where("suffix").matches(".*")
    .or(Path.matches("/pages/users/CRUDUser.xhtml")
    .or(Path.matches("/pages/error/generalError.xhtml")
    .or(Path.matches("/pages/error/viewExpired.xhtml")
    .or(Path.matches("/pages/landing.xhtml"))))))))
    .perform(Redirect.temporary(context.getContextPath() + "/pages/landing.xhtml"));
    }
    return config;
    }

    I am not sure what the HttpCondition achieves as this loginCheck seems to work too well ;)

    #22176

    config.defineRule()
        .when(
            new HttpCondition() {
                @Override
                public boolean evaluateHttp(HttpServletRewrite event, EvaluationContext context)
                {
                    // Apply the redirect only to users who are not logged in
                    return !identity.isLoggedIn();
                }
            }.and(Direction.isInbound().andNot(
                Path.matches("/img/{suffix}").where("suffix").matches(".*")
                .or(Path.matches("/resources/css/{suffix}").where("suffix").matches(".*")
                .or(Path.matches("/pages/users/CRUDUser.xhtml")
                .or(Path.matches("/pages/error/generalError.xhtml")
                .or(Path.matches("/pages/error/viewExpired.xhtml")
                .or(Path.matches("/pages/landing.xhtml")))))))))
        .perform(Redirect.temporary(context.getContextPath() + "/pages/landing.xhtml"));

    If you like, you can just create it as its own class and use it like any other condition.

    Regarding the CSS issue. I think you can figure this out :) There’s one big reason why CSS will not be rendered… because the file cannot be found. I’m guessing that you’re going to see the landing page rendered in the source of your CSS files. If so, your solution should be simple…

    Just figure out which part of the rule is making that happen, and fix it :)

    #22177

    Tony Herstell
    Participant

    What I am seeing is .xhtml being added to all the files

    >> screen.css.xhtml, (being requested from the server)

    I obviously misunderstand what re-write is actually doing.

    My rule was just dealing with the .xhtml pages and I hoped the css/images and other files would be allowed through. But since they didn’t appear on the page I added the rule in the hope they would be let through (even when not logged in).

    Taking the lines out for the .css etc.

    ConfigurationBuilder config = ConfigurationBuilder.begin();
    config.defineRule()
    .when(
    new HttpCondition() {
    @Override
    public boolean evaluateHttp(HttpServletRewrite event, EvaluationContext context)
    {
    return !identity.isLoggedIn();
    }

    }.and(Direction.isInbound().andNot(
    // Path.matches("/img/{suffix}").where("suffix").matches(".*")
    // .or(Path.matches("/resources/css/{suffix}").where("suffix").matches(".*")
    // .or(Path.matches("/pages/users/CRUDUser.xhtml")
    Path.matches("/pages/users/CRUDUser.xhtml")

    .or(Path.matches("/pages/error/generalError.xhtml")
    .or(Path.matches("/pages/error/viewExpired.xhtml")
    .or(Path.matches("/pages/landing.xhtml")))))))
    .perform(Redirect.temporary(context.getContextPath() + "/pages/landing.xhtml"));
    return config;

    Still finds them rendered as

    >> http://localhost:8080/entermyevents/javax.faces.resource/css/screen.css.xhtml

    I have to conclude I have no real idea what this filter does…

    :/

    #22178

    “What I am seeing is .xhtml being added to all the files”

    Rewrite has nothing to do with this extension. There’s no magic in Rewrite. It *only* does what you tell it to, so you need to think about what you are telling it ;)

    I do know why this is happening, but I think you will benefit more if you take the time to figure it out. You will have this problem with any security framework unless you figure it out.

    A few clues. CSS resources are requests like any other. JSF serves CSS through a special mechanism. Your rule is very general.

    Let me know what you figure out, then I’ll show you a neat way to deal with this.

    #22179

    Tony Herstell
    Participant

    The only consistent thing I can find is all the resources (when in the right place) have

    javax.faces.resource

    in the path…

    So a rule that “rules out” interfering with anything with that string would be useful.

    #22180

    Tony Herstell
    Participant

    Humm…

    @Override
    public Configuration getConfiguration(final ServletContext context) {

    // The standard annotations on my pages will provide
    // "pretty re-write rules".

    ConfigurationBuilder config = ConfigurationBuilder.begin();
    config.defineRule()
    .when(
    new HttpCondition() {
    @Override
    public boolean evaluateHttp(HttpServletRewrite event, EvaluationContext context)
    {
    return !identity.isLoggedIn();
    }

    }.and(Direction.isInbound()
    .andNot(
    new HttpCondition() {
    @Override
    public boolean evaluateHttp(HttpServletRewrite event, EvaluationContext context)
    {
    return event.getRequestPath().contains("javax.faces.resource");
    }}
    .or(Path.matches("/pages/users/CRUDUser.xhtml")
    .or(Path.matches("/pages/error/generalError.xhtml")
    .or(Path.matches("/pages/error/viewExpired.xhtml")
    .or(Path.matches("/pages/error/unauthorisedAccess.xhtml")
    .or(Path.matches("/pages/landing.xhtml")))))))))
    .perform(Redirect.temporary(context.getContextPath() + "/pages/error/unauthorisedAccess.xhtml"));
    return config;
    }

    #22181

    return event.getRequestPath().contains("javax.faces.resource");

    Did that work?

    That’s what I would suggest :) except you can use Path for this as well.

    .or(Path.matches("{any}javax.faces.resource{any}").where("any").matches(".*"))

    We’re working on some abbreviated syntax for this.

    #22182

    Tony Herstell
    Participant

    Yes it worked (especially when I put ALL my resources in the right place)

    :)

    Now since I heavily reuse a page:

    /pages/users/CRUDUser.xhtml

    I need to dig into what is available to see if I can find which of these is actually the page usage so I can just allow through Register…

    //Tell prettyfaces to use this bean when the pattern matches and show the manageUsers page. Also support a Query Param (cid).

    @URLMappings(mappings = { @URLMapping(id = "manageUsers", pattern = "/users/manage", viewId = "/pages/users/manageUsers.xhtml"),
    @URLMapping(id = "registerUser", pattern = "/users/register", viewId = "/pages/users/CRUDUser.xhtml"),
    @URLMapping(id = "createUser", pattern = "/users/create", viewId = "/pages/users/CRUDUser.xhtml"),
    @URLMapping(id = "readUser", pattern = "/users/view", viewId = "/pages/users/CRUDUser.xhtml"),
    @URLMapping(id = "updateUser", pattern = "/users/update", viewId = "/pages/users/CRUDUser.xhtml"),
    @URLMapping(id = "deleteUser", pattern = "/users/delete", viewId = "/pages/users/CRUDUser.xhtml") })

    I have conversation scoped data which tells the page which way to render the page:

    private CRUDMode cRUDMode;
    private CreateMode createMode; // CREATE OR REGISTER

    I figure SOMETHING will be available for me to set the rule against.

    ;)

    #22183

    Martin Kouba
    Participant

    .or(Path.matches("{any}javax.faces.resource{any}").where("any").matches(".*")) does not work because the ParameterizedPattern used by Path doesn’t support more than one parameter with the same name (actually the last one wins).

    However this works ok:

    .or(Path.matches("{start}javax.faces.resource{end}").where("start").matches(".*").where("end").matches(".*"))

    #22184

    Ah, interesting. I’ll have to look into that. I never considered using two parameters in the same expression might cause problems.
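
A simplified model of the allow-list decision discussed in this thread, added as an example and not code from any of the posters or from the Rewrite project: it shows why exempting the `/resources/css/` folder did not help when JSF requests the stylesheet under `javax.faces.resource`, and how the substring check compares with a prefix-anchored one. The class name, the sample paths and the prefix variant are assumptions, and Rewrite's own matching is replaced here by plain string checks.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Predicate;

public class AllowListModel {
    // Pages the thread's rule leaves open to anonymous users.
    static final List<String> PUBLIC_PAGES = List.of(
        "/pages/landing.xhtml", "/pages/users/CRUDUser.xhtml",
        "/pages/error/generalError.xhtml", "/pages/error/viewExpired.xhtml");

    // First attempt: exempt static files by their folder in the web app.
    static final Predicate<String> BY_FOLDER =
        p -> p.startsWith("/img/") || p.startsWith("/resources/css/");
    // Fix that worked in the thread: substring match on the JSF resource path.
    static final Predicate<String> BY_SUBSTRING = p -> p.contains("javax.faces.resource");
    // Tighter variant (assumption: resources are served only under this prefix).
    static final Predicate<String> BY_PREFIX = p -> p.startsWith("/javax.faces.resource/");

    /** True when an anonymous inbound request for this path would be redirected. */
    static boolean redirected(String path, Predicate<String> exemption) {
        return !(PUBLIC_PAGES.contains(path) || exemption.test(path));
    }

    public static void main(String[] args) {
        Map<String, Predicate<String>> rules = new LinkedHashMap<>();
        rules.put("folder", BY_FOLDER);
        rules.put("substring", BY_SUBSTRING);
        rules.put("prefix", BY_PREFIX);

        // Constructed request paths, relative to the context root.
        List<String> requests = List.of(
            "/pages/landing.xhtml",
            "/javax.faces.resource/css/screen.css.xhtml",  // form seen in the thread
            "/pages/users/manageUsers.xhtml",              // protected page
            "/pages/javax.faces.resource-notes.xhtml");    // hypothetical protected page

        for (String path : requests) {
            StringBuilder row = new StringBuilder(String.format("%-44s", path));
            rules.forEach((name, rule) -> row.append(
                String.format(" %s=%s", name, redirected(path, rule) ? "REDIRECT" : "pass")));
            System.out.println(row);
        }
    }
}
```

The second row is the thread's symptom: under the folder rule the stylesheet request is redirected, so the browser receives the landing page instead of CSS. The last row shows the substring rule exempting a page that only carries the string in its name, which the prefix rule still redirects.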
