Re: possible security issue




Not so easy as it seemed to me :(

Regarding domdorn’s solution #2:

Neither the /faces/WEB-INF/* nor the /WEB-INF/faces/* mapping works. The only possible way to hide the original pages under the /WEB-INF/ folder is to use extension mapping for the Faces Servlet: *.xhtml. In that case one will really have only one (pretty) URL exposed, along with the known drawbacks:

All JSF resources (css, js, png, jpg, etc.) will be rewritten to *.css.xhtml, *.jpg.xhtml, etc. I use an Apache front-end with mod_jk and mod_cache enabled, and serious reconfiguration will be required to tune caching and correct the mime-type mappings. This operation is time consuming and would have to be repeated every time I decide to change or add a third-party JSF library (RichFaces, PrimeFaces, etc.).

I have to admit that hiding pages behind WEB-INF is not a solution for me, and both the original views and the pretty-mapped URLs will be exposed. This approach implies some restrictions regarding security: as I will need to duplicate views and mapped URLs in the web.xml security mappings, maintaining common patterns in both becomes necessary to simplify security maintenance:

<!-- Pretty mapped URL -->
<!-- Faces resource path -->
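To illustrate the point above (an added example, not the poster's own web.xml; the /admin/* and /faces/admin/* paths and the "admin" role are assumed), a single security-constraint can list both the pretty URL and the original Faces view path so that neither route bypasses the authorization check:

```xml
<!-- web.xml excerpt, added illustration: protect both routes to the same views.
     Paths and role name are assumed for the example. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin area</web-resource-name>
    <!-- Pretty mapped URL as published by PrettyFaces -->
    <url-pattern>/admin/*</url-pattern>
    <!-- Original Faces view path, still reachable directly when prefix-mapped -->
    <url-pattern>/faces/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>admin</role-name>
</security-role>
```

Keeping the same path segment (/admin/) in both the pretty mapping and the view location is what makes the two url-pattern entries mirror each other and stay easy to audit.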