问题描述

我正在使用JSF2.1和Glassfish 3.1.2。

我指定了一个安全约束来阻止所有内容：

 < security-constraint> 
< web-resource-collection> 
< web-resource-name>安全内容< / web-resource-name> 
<！ - 全部阻止 - > 
< url-pattern> / *< / url-pattern> 
< / web-resource-collection> 
 
<！ - 只允许具有至少一个这些角色的用户访问受保护的内容 - > 
< auth-constraint> 
< role-name> ADMINISTRATOR< / role-name> 
< / auth-constraint> 
< / security-constraint> 
  

并有另一个允许访问页面子集和资源：

 < security-constraint> 
< web-resource-collection> 
< web-resource-name>打开内容< / web-resource-name> 
<！ - 允许订阅 - > 
< url-pattern> / subscribe / *< / url-pattern> 
< url-pattern> /javax.faces.resource / *< / url-pattern> 
< / web-resource-collection> 
<！ -  No Auth Contraint！ - > 
< / security-constraint> 
  

这很好用。但是，以下是

 < url-pattern> /javax.faces.resource / *< / url-pattern> 
  

允许所有资源的正确方式？

谢谢。

它必须是常量。另见：

表示如下：

  public static final java.lang。字符串RESOURCE_IDENTIFIER/javax.faces.resource
  

所以，你对URL模式绝对正确。没有安全漏洞，前提是您没有将敏感信息放在由JSF资源处理程序处理的公共webcontent的 / resources 文件夹中。

I am using JSF2.1 and Glassfish 3.1.2.

I specify a security constraint to block everything:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secured Content</web-resource-name>
        <!-- Block all -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>

    <!-- only users with at least one of these roles are allowed to access the secured content -->
    <auth-constraint>
        <role-name>ADMINISTRATOR</role-name>
    </auth-constraint>
</security-constraint>

and have another to allow access a subset of pages and the resources:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Open Content</web-resource-name>
        <!-- Allow subscribe -->
        <url-pattern>/subscribe/*</url-pattern>
        <url-pattern>/javax.faces.resource/*</url-pattern>
    </web-resource-collection>
    <!-- No Auth Contraint! -->
</security-constraint>

This works fine. However, is the following

<url-pattern>/javax.faces.resource/*</url-pattern>

the correct way to allow all resources?

I only did this by looking at the url that Facelets injects into the xhtml. Is there security holes with this approach?

Thanks.

It has to be the value of ResourceHandler#RESOURCE_IDENTIFIER constant. See also its javadoc:

The constant field values says the following:

public static final java.lang.String    RESOURCE_IDENTIFIER    "/javax.faces.resource"

So, you're absolutely correct as to the URL pattern. There are no security holes, provided that you don't put sensitive information in /resources folder of the public webcontent which is handled by the JSF resource handler.

这篇关于排除css& web.xml中的图像资源安全约束的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！