Problem description
I am using JSF2.1 and Glassfish 3.1.2.
I specify a security constraint to block everything:
<security-constraint>
<web-resource-collection>
<web-resource-name>Secured Content</web-resource-name>
<!-- Block all -->
<url-pattern>/*</url-pattern>
</web-resource-collection>
<!-- only users with at least one of these roles are allowed to access the secured content -->
<auth-constraint>
<role-name>ADMINISTRATOR</role-name>
</auth-constraint>
</security-constraint>
and have another to allow access a subset of pages and the resources:
<security-constraint>
<web-resource-collection>
<web-resource-name>Open Content</web-resource-name>
<!-- Allow subscribe -->
<url-pattern>/subscribe/*</url-pattern>
<url-pattern>/javax.faces.resource/*</url-pattern>
</web-resource-collection>
<!-- No Auth Constraint! -->
</security-constraint>
This works fine. However, is the following
<url-pattern>/javax.faces.resource/*</url-pattern>
the correct way to allow all resources?
I only did this by looking at the URL that Facelets injects into the xhtml. Are there security holes with this approach?
Thanks.
It has to be the value of the ResourceHandler#RESOURCE_IDENTIFIER constant. See also its javadoc. The constant field values say the following:
public static final java.lang.String RESOURCE_IDENTIFIER "/javax.faces.resource"
So, you're absolutely correct as to the URL pattern. There are no security holes, provided that you don't put sensitive information in the /resources folder of the public webcontent which is handled by the JSF resource handler.
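To see why the second constraint opens /javax.faces.resource/* while /* stays admin-only, and why the answer's caveat about the /resources folder matters, here is an added example (not part of the question, the answer, or JSF itself) that models the Servlet container's constraint selection rule for the two constraints above. The role name comes from the question; the sample request paths are constructed, and the /javax.faces.resource/<name> URL form is simplified.

```python
def _rank(pattern, path):
    """Return a sortable rank if `pattern` matches `path`, else None.
    Servlet spec order: exact match > longest path-prefix match > extension match."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
        return None
    if pattern.startswith("*."):
        return (1, 0) if path.endswith(pattern[1:]) else None
    return (3, 0) if path == pattern else None


def required_roles(constraints, path):
    """Roles needed to reach `path` under a list of (patterns, roles) constraints.

    roles=None models an absent <auth-constraint> (open to everyone); an empty
    set models an empty <auth-constraint/> (everyone denied). Returns None when
    access is unrestricted, otherwise the set of roles that may access the URL.
    """
    matches = []
    for patterns, roles in constraints:
        for pattern in patterns:
            rank = _rank(pattern, path)
            if rank is not None:
                matches.append((rank, roles))
    if not matches:
        return None                        # no constraint covers this URL
    best = max(rank for rank, _ in matches)
    winners = [roles for rank, roles in matches if rank == best]
    if any(roles is None for roles in winners):
        return None                        # a matching constraint without auth-constraint opens it
    if any(roles == set() for roles in winners):
        return set()                       # an empty auth-constraint denies everyone
    return set().union(*winners)           # otherwise the union of the listed roles


# The two constraints from the web.xml in the question.
WEB_XML = [
    (["/*"], {"ADMINISTRATOR"}),                           # Secured Content
    (["/subscribe/*", "/javax.faces.resource/*"], None),  # Open Content
]

if __name__ == "__main__":
    # Constructed sample requests; the last two show the /resources caveat:
    # the direct path is admin-only, but the same file served through the JSF
    # resource handler falls under the open /javax.faces.resource/* pattern.
    for url in ("/subscribe/form.xhtml", "/admin/users.xhtml",
                "/javax.faces.resource/css/site.css",
                "/resources/private.csv", "/javax.faces.resource/private.csv"):
        print(url, "->", required_roles(WEB_XML, url))
```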
This concludes the article on excluding CSS and image resources from the security constraints in web.xml.