I am using JSF 2.1 and Glassfish 3.1.2.
I specify one security constraint that blocks everything:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secured Content</web-resource-name>
        <!-- Block all -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- only users with at least one of these roles are allowed to access the secured content -->
    <auth-constraint>
        <role-name>ADMINISTRATOR</role-name>
    </auth-constraint>
</security-constraint>
and another one that allows access to a subset of pages and resources:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Open Content</web-resource-name>
        <!-- Allow subscribe -->
        <url-pattern>/subscribe/*</url-pattern>
        <url-pattern>/javax.faces.resource/*</url-pattern>
    </web-resource-collection>
    <!-- No Auth Constraint! -->
</security-constraint>
This works fine. But is
<url-pattern>/javax.faces.resource/*</url-pattern>
the correct way to allow all resources?
I only arrived at this by looking at the URLs that Facelets injects into the xhtml. Is there a security hole in this approach?
Thanks.
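An added example, not taken from the question or from Glassfish, that models how a Servlet container decides which constraint applies: only the best-matching url-pattern is consulted (exact match, then longest path prefix, then extension, then the default pattern), so a resource URL under /javax.faces.resource/ falls under the open constraint while every other .xhtml view still falls under /*. The constraint table is constructed from the two web.xml blocks above; the role names and sample URIs are assumed.

```python
from typing import Dict, Optional, Set

# Constructed from the two <security-constraint> blocks in the question:
# url-pattern -> roles listed in <auth-constraint>. None models a constraint
# with no <auth-constraint> (open to everyone); an empty set would model an
# empty <auth-constraint/> (nobody allowed).
CONSTRAINTS: Dict[str, Optional[Set[str]]] = {
    "/*": {"ADMINISTRATOR"},
    "/subscribe/*": None,
    "/javax.faces.resource/*": None,
}


def best_match(uri: str, patterns) -> Optional[str]:
    """Pick the url-pattern a Servlet container selects for a request path:
    exact match, then the longest path-prefix pattern (ending in /*), then an
    extension pattern (*.ext), then the default "/" pattern, else None."""
    path = uri.split("?", 1)[0]  # the ?ln=css query string never takes part in matching
    if path in patterns:
        return path
    best = None
    for p in patterns:
        if p.endswith("/*"):
            prefix = p[:-2]
            if path == prefix or path.startswith(prefix + "/"):
                if best is None or len(p) > len(best):
                    best = p
    if best is not None:
        return best
    for p in patterns:
        if p.startswith("*.") and path.endswith(p[1:]):
            return p
    return "/" if "/" in patterns else None


def is_permitted(uri: str, user_roles: Set[str]) -> bool:
    """Apply only the constraint attached to the best-matching pattern, as the
    container does; a request that selects no constraint is accepted."""
    pattern = best_match(uri, CONSTRAINTS)
    if pattern is None:
        return True
    roles = CONSTRAINTS[pattern]
    if roles is None:
        return True
    return bool(roles & user_roles)


if __name__ == "__main__":
    for uri in ("/index.xhtml", "/subscribe/signup.xhtml",
                "/javax.faces.resource/style.css.xhtml?ln=css"):
        print(uri, "->", best_match(uri, CONSTRAINTS), "| anonymous allowed:", is_permitted(uri, set()))
```

Note that /javax.faces.resource/* only opens what the JSF resource handler serves; a stylesheet placed directly under the web root at e.g. /css/style.css would still be selected by /* and require the ADMINISTRATOR role.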
I am working on a JSF 2 project. I have defined the login.xhtml page as the entry page in web.xml
<welcome-file-list>
    <welcome-file>login.xhtml</welcome-file>
</welcome-file-list>
I also have a filter that checks whether the user is logged in
import java.io.IOException;

import javax.inject.Inject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// StringUtils and the logger are not shown in the question; commons-lang and log4j are assumed here
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;

@WebFilter(filterName = "loginCheckFilter", urlPatterns = {"/*"})
public class LoginCheckFilter implements Filter
{
    private static final Logger log = Logger.getLogger(LoginCheckFilter.class);

    @Inject
    private LoginStatus loginStatus;

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException
    {
        try {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse res = (HttpServletResponse) response;
            String path = req.getRequestURI();
            // Only guard Facelets views; the login page itself must stay reachable
            if (StringUtils.isNotBlank(path)
                    && StringUtils.contains(path, ".xhtml")
                    && !StringUtils.endsWith(path, "login.xhtml"))
            {
                if (loginStatus == null || !loginStatus.isLoggedIn())
                {
                    // Not logged in: send the user to the login page instead of the view
                    res.sendRedirect(req.getContextPath() + "/login.xhtml");
                }
                else
                {
                    chain.doFilter(request, response);
                }
            }
            else
            {
                // Anything that is not an .xhtml view passes through untouched
                chain.doFilter(request, response);
            }
        } catch (Exception ex)
        {
            log.error(ex);
        }
    }
    .... ....
}
My CSS files are referenced in the following style: …