Hey 0swald,

Thanks for mentioning this. It’s definitely a concern, though I might go as far as to say that it’s orthogonal to PrettyFaces in the respect that security should be handled at a resource level.

PrettyFaces exposes an additional resource URL, but cannot “block” the underlying resource by default because that might break existing references; this is what a security package should be used for (as you mentioned as well).

I think your solution is correct (there are many ways to do this), but I personally use Seam-Security, and block all .xhtml files according to certain patterns.

You could even use an inbound rewrite rule to forward all non-mapped requests to a specific “access denied” page:

<rewrite match="*.xhtml" substitute="/access-denied" redirect="chain" outbound="false"/>

or something like that…

It’s probably worth mentioning in the FAQ / Documentation.