Re: possible security issue


#20579

0swald
Participant

Not so easy as it seemed to me :(

Regarding domdorn’s solution #2:

Neither the /faces/WEB-INF/* nor the /WEB-INF/faces/* mapping works. The only possible way to hide the original pages under the /WEB-INF/ folder is to use extension mapping for the Faces Servlet: *.xhtml. In that case one will really have only one (pretty) URL exposed, along with known drawbacks:

All JSF resources (css, js, png, jpg, etc.) will be rewritten to *.css.xhtml, *.jpg.xhtml, etc. I use an Apache front-end with mod_jk and mod_cache enabled, and serious reconfiguration will be required to tune caching and correct mime-type mappings. This operation is time consuming and has to be repeated every time I decide to change or add a third-party JSF library (RichFaces, PrimeFaces, etc.)

I have to admit that hiding pages behind WEB-INF is not a solution for me, and both the original views and the pretty-mapped URLs will be exposed. This approach implies some restrictions regarding security: as I will need to duplicate views and mapped URLs in the web.xml security mappings, maintaining common patterns in both becomes necessary to simplify security maintenance:

<web-resource-collection>
    <web-resource-name>AUTHENTICATED_RESOURCE</web-resource-name>
    <!-- Pretty mapped URL -->
    <url-pattern>/admin/*</url-pattern>
    <!-- Faces resource path -->
    <url-pattern>/faces/admin/*</url-pattern>
</web-resource-collection>

http://code.google.com/p/prettyfaces/issues/detail?id=81#c2
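A configuration audit for the situation described above, as an added example that is not from the post or the PrettyFaces project: it parses a constructed, namespace-free web.xml and pretty-config.xml and lists every mapping whose pretty URL or underlying Faces view-id is reachable without passing an auth-constrained url-pattern. The url-mapping/pattern/view-id element names are assumed to follow the pretty-config format; the web.xml content is a constructed sample, not the poster's file.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files (not from the post). Real files carry XML namespaces;
# the {*} wildcards below match tags with or without a namespace (Python 3.8+).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AUTHENTICATED_RESOURCE</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <url-pattern>/faces/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
PRETTY_CONFIG = """<pretty-config>
  <url-mapping id="users"><pattern value="/admin/users"/><view-id value="/faces/admin/users.xhtml"/></url-mapping>
  <url-mapping id="report"><pattern value="/reports/#{id}"/><view-id value="/faces/admin/report.xhtml"/></url-mapping>
</pretty-config>"""

def servlet_pattern_matches(pattern, path):
    """Servlet-style url-pattern matching: prefix (/x/*), extension (*.ext) or exact."""
    if pattern in ("/*", "/"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def constrained_patterns(web_xml):
    """url-patterns of every security-constraint that actually carries an auth-constraint."""
    patterns = []
    for sc in ET.fromstring(web_xml).iterfind(".//{*}security-constraint"):
        if sc.find("{*}auth-constraint") is None:
            continue  # a collection without auth-constraint does not require login
        patterns += [p.text.strip() for p in sc.iterfind(".//{*}url-pattern")]
    return patterns

def uncovered_urls(web_xml, pretty_config):
    """Return (mapping id, URL) pairs that no auth-constrained url-pattern covers."""
    patterns = constrained_patterns(web_xml)
    gaps = []
    for m in ET.fromstring(pretty_config).iterfind(".//{*}url-mapping"):
        pretty = m.find("{*}pattern").get("value")
        view = m.find("{*}view-id").get("value")
        probe = re.sub(r"#\{[^}]*\}", "x", pretty)  # a #{param} matches one path segment
        for url, candidate in ((pretty, probe), (view, view)):
            if not any(servlet_pattern_matches(p, candidate) for p in patterns):
                gaps.append((m.get("id"), url))
    return gaps

if __name__ == "__main__":
    for mapping_id, url in uncovered_urls(WEB_XML, PRETTY_CONFIG):
        print(f"mapping {mapping_id!r}: {url} is not covered by any security-constraint")
```

In the sample, the report view is protected under /faces/admin/* but its pretty URL /reports/#{id} is not, which is exactly the duplication gap the post warns about.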