How to avoid user access to .xhtml page in JSF?

Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/5675271/

Time: 2020-10-30 12:13:49  Source: igfitidea

Tags: java, jsf, jsf-2

Asked by e2k

I am new to JSF and am writing my first simple JSF web app.

URLs with .jsf are mapped to .xhtml files in WebContent, but why can I open the .xhtml in a web browser with all the JSF tags? How do I protect this?

Answered by stacker

You could add a security constraint to your web.xml blocking all requests to *.xhtml.

<security-constraint>
    <display-name>Restrict raw XHTML Documents</display-name>
    <web-resource-collection>
        <web-resource-name>XHTML</web-resource-name>
        <url-pattern>*.xhtml</url-pattern>
    </web-resource-collection>
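    <!-- Empty auth-constraint: no role is allowed, so every request matching the pattern is denied -->
    <auth-constraint />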
</security-constraint>

Answered by BalusC

Apart from defining a <security-constraint> to block direct access to .xhtml files as correctly answered by Stacker on this question, you could also just change the <url-pattern> of the FacesServlet mapping from *.jsf to *.xhtml.

<servlet>
    <servlet-name>facesServlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>facesServlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>

In JSF 1.x this used to end up in an infinite loop, but in JSF 2.x not anymore. So you could just call/link all pages as .xhtml without fiddling with different extensions. The only disadvantage is that you won't be able to display a "plain" XHTML file without invoking the FacesServlet, but such a page should be named .html anyway :)
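One way to check a deployment descriptor for the two fixes in the answers above, as an added example that is not part of any answer: a Python audit of web.xml. The function name, the status strings and the sample descriptor are constructed for illustration, and the check for a constraint narrowed by http-method goes beyond what the answers cover.

```python
import xml.etree.ElementTree as ET

FACES = {"javax.faces.webapp.FacesServlet", "jakarta.faces.webapp.FacesServlet"}

def _local(el):
    # web.xml elements are namespaced; compare local names only
    return el.tag.rsplit("}", 1)[-1]

def _kids(el, name):
    return [c for c in el if _local(c) == name]

def _texts(el, name):
    return [(c.text or "").strip() for c in _kids(el, name)]

def audit_xhtml(web_xml, pattern="*.xhtml"):
    """Return 'faces-mapped', 'denied', 'partial' or 'exposed' for raw .xhtml access."""
    root = ET.fromstring(web_xml)
    faces = {n for s in _kids(root, "servlet")
             if set(_texts(s, "servlet-class")) & FACES
             for n in _texts(s, "servlet-name")}
    for m in _kids(root, "servlet-mapping"):
        if set(_texts(m, "servlet-name")) & faces and pattern in _texts(m, "url-pattern"):
            return "faces-mapped"  # FacesServlet renders the page, source is not served
    status = "exposed"
    for sc in _kids(root, "security-constraint"):
        auth = _kids(sc, "auth-constraint")
        # Only an auth-constraint that names no role denies every caller
        if not auth or any(_texts(a, "role-name") for a in auth):
            continue
        for col in _kids(sc, "web-resource-collection"):
            if pattern not in _texts(col, "url-pattern"):
                continue
            # Listing HTTP methods leaves the unlisted methods unconstrained
            if _kids(col, "http-method") or _kids(col, "http-method-omission"):
                status = "partial"
            else:
                return "denied"
    return status

# Constructed sample: FacesServlet on *.jsf and no constraint, as in the question
SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet><servlet-name>facesServlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>facesServlet</servlet-name>
    <url-pattern>*.jsf</url-pattern></servlet-mapping>
</web-app>"""

if __name__ == "__main__":
    print(audit_xhtml(SAMPLE))
```

The check compares url-pattern values literally, so a broader pattern such as /* is not recognized as covering .xhtml.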

Answered by mk761203

On GAE you need two things:

  1. edit web.xml as described above
  2. add in appengine-web.xml

<static-files>
    <exclude path="/**.xhtml" />
</static-files>

Answered by chege

You can use a servlet filter

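import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// Answers every direct request for a raw .xhtml resource with 404.
@WebFilter(filterName = "XhtmlFilter", urlPatterns = { "*.xhtml" })
public class XhtmlFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Stop here: sendError() commits the response, and calling
        // chain.doFilter() afterwards would still invoke the target resource.
        ((HttpServletResponse) response).sendError(HttpServletResponse.SC_NOT_FOUND);
    }

    @Override
    public void destroy() {
    }
}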

Answered by kreilinger

As far as I experienced it, the answer of mk761203 is definitely helpful when setting up a project for Google App Engine and server faces. Without the exclusion of these files, the GAE automatically interprets the files with the .xhtml extension as static files which get served by dedicated servers from Google's server farm. Read more here: https://developers.google.com/appengine/docs/java/config/appconfig#Static_Files_and_Resource_Files