This article describes how to exclude CSS and image resources from the security constraints in web.xml. It should be a useful reference for anyone facing the same problem; if that is you, read on.

Problem description


I am using JSF2.1 and Glassfish 3.1.2.

I specify a security constraint to block everything:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secured Content</web-resource-name>
        <!-- Block all -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>

    <!-- only users with at least one of these roles are allowed to access the secured content -->
    <auth-constraint>
        <role-name>ADMINISTRATOR</role-name>
    </auth-constraint>
</security-constraint>

and have another to allow access a subset of pages and the resources:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Open Content</web-resource-name>
        <!-- Allow subscribe -->
        <url-pattern>/subscribe/*</url-pattern>
        <url-pattern>/javax.faces.resource/*</url-pattern>
    </web-resource-collection>
    <!-- No Auth Constraint! -->
</security-constraint>

This works fine. However, is the following

<url-pattern>/javax.faces.resource/*</url-pattern>

the correct way to allow all resources?

I only did this by looking at the url that Facelets injects into the xhtml. Are there security holes with this approach?

Thanks.

Solution

It has to be the value of ResourceHandler#RESOURCE_IDENTIFIER constant. See also its javadoc:

The constant field values say the following:

public static final java.lang.String    RESOURCE_IDENTIFIER    "/javax.faces.resource"

So, you're absolutely correct as to the URL pattern. There are no security holes, provided that you don't put sensitive information in the /resources folder of the public webcontent which is handled by the JSF resource handler.
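Added example (my own code, not part of the question or answer): a small Python checker that parses the two constraints above and applies the Servlet-spec precedence rule the container uses (exact match, then longest path prefix, then extension) to report whether a request path is public or which roles it requires. The web.xml text is a constructed sample, and HTTP methods are not modelled; the point is to confirm that the javax.faces.resource pattern opens resource URLs and nothing beyond them.

```python
import xml.etree.ElementTree as ET
# Constructed sample: the two constraints from the question, inside a namespaced web.xml.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
 <security-constraint>
  <web-resource-collection><web-resource-name>Secured Content</web-resource-name>
   <url-pattern>/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>ADMINISTRATOR</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><web-resource-name>Open Content</web-resource-name>
   <url-pattern>/subscribe/*</url-pattern>
   <url-pattern>/javax.faces.resource/*</url-pattern></web-resource-collection>
 </security-constraint>
</web-app>"""

def load_constraints(xml_text):
    # Each constraint -> (url patterns, role set); roles is None when there is no auth-constraint.
    out = []
    for sc in ET.fromstring(xml_text).findall("{*}security-constraint"):
        pats = [p.text.strip() for p in sc.findall("{*}web-resource-collection/{*}url-pattern")]
        auth = sc.find("{*}auth-constraint")
        out.append((pats, None if auth is None else {r.text.strip() for r in auth.findall("{*}role-name")}))
    return out

def match_rank(pattern, path):
    # Servlet-spec precedence: exact > longest path prefix > extension; None means no match.
    if pattern.endswith("/*"):
        prefix = pattern[:-2]          # "/*" has an empty prefix and therefore matches everything
        ok = prefix == "" or path == prefix or path.startswith(prefix + "/")
        return (2, len(prefix)) if ok else None
    if pattern.startswith("*."):
        return (1, 0) if path.endswith(pattern[1:]) else None
    return (3, 0) if path == pattern else None

def effective_access(constraints, path):
    # Only the constraints carrying the best-matching pattern apply; their roles are combined.
    best, winners = None, []
    for pats, roles in constraints:
        for rank in filter(None, (match_rank(p, path) for p in pats)):
            if best is None or rank > best:
                best, winners = rank, [roles]
            elif rank == best:
                winners.append(roles)
    if not winners or None in winners:
        return "PUBLIC"        # uncovered path, or a best-matching constraint with no auth-constraint
    return set().union(*winners)   # empty set = auth-constraint without roles = nobody allowed

if __name__ == "__main__":
    for p in ("/javax.faces.resource/css/site.css", "/admin/users.xhtml", "/subscribe/form.xhtml"):
        print(p, "->", effective_access(load_constraints(WEB_XML), p))
```

Run it against your real web.xml to list which paths fall into the public set; anything the JSF resource handler serves from /resources lands there, which is exactly why that folder must hold no sensitive files.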

That concludes this article on excluding CSS and image resources from the security constraints in web.xml. We hope the recommended answer is helpful, and thank you for your continued support!

07-25 09:53