Re: possible security issue


#20576

domdorn
Participant

3 Solutions:

1)

The easiest solution would be to either move the views (the .xhtml files) directly to the protected folder, e.g. I have a lot of rules like these:

<url-mapping id="upload_exam">
    <pattern>/upload/exam/#{ courseId }</pattern>
    <view-id>/upload/exam.xhtml</view-id>
</url-mapping>

or

2)

to simply move your real .xhtml files and the “faces/pages” folder under the WEB-INF directory, so your mappings would look like

<url-mapping id="upload_exam">
    <pattern>/upload/exam/#{ courseId }</pattern>
    <view-id>/WEB-INF/faces/pages/upload/exam.xhtml</view-id>
</url-mapping>

or

3)

<security-constraint>
    <display-name>Access Manager Security Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>AUTHENTICATED_RESOURCE</web-resource-name>
        <url-pattern>/faces/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>SECURE</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

this should help :)

http://twitter.com/domdorn ;)
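
An added example, not part of the original post and not PrettyFaces code: a small audit that lists PrettyFaces mappings whose view can still be requested directly, meaning the view-id lies outside /WEB-INF/ and no role-protected url-pattern in web.xml covers it. It assumes FacesServlet is mapped to /faces/* (as the constraint in solution 3 suggests) and ignores http-method and transport settings; the function names and sample descriptors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample input (not the thread's real configuration).
PRETTY_CONFIG = """<pretty-config>
  <url-mapping id="upload_exam">
    <pattern>/upload/exam/#{ courseId }</pattern>
    <view-id>/upload/exam.xhtml</view-id>
  </url-mapping>
  <url-mapping id="hidden_exam">
    <pattern>/hidden/exam/#{ courseId }</pattern>
    <view-id>/WEB-INF/faces/pages/upload/exam.xhtml</view-id>
  </url-mapping>
</pretty-config>"""
WEB_XML_PROTECTED = """<web-app><security-constraint>
  <web-resource-collection><url-pattern>/faces/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>SECURE</role-name></auth-constraint>
</security-constraint></web-app>"""
WEB_XML_OPEN = "<web-app/>"  # no security-constraint at all

def _find(root, name):
    # Descendants by local tag name, so namespaced descriptors also work.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _matches(pattern, path):
    # Servlet url-pattern forms handled here: "/dir/*", "*.ext", exact path.
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def exposed_views(pretty_xml, web_xml, faces_prefix="/faces"):
    # faces_prefix is an assumption: FacesServlet mapped to /faces/*.
    protected = [p.text.strip()
                 for sc in _find(ET.fromstring(web_xml), "security-constraint")
                 if _find(sc, "auth-constraint")
                 for p in _find(sc, "url-pattern")]
    exposed = {}
    for m in _find(ET.fromstring(pretty_xml), "url-mapping"):
        for v in _find(m, "view-id"):
            view = v.text.strip()
            if view.startswith("/WEB-INF/"):
                continue  # the container never serves /WEB-INF/ to clients
            direct = faces_prefix + view
            if not any(_matches(p, direct) for p in protected):
                exposed[m.get("id")] = direct
    return exposed
```
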