You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@myfaces.apache.org by sarma <ss...@mahindrabt.com> on 2006/06/23 16:14:11 UTC
how i protect my jsf pages from direct access
I want to protect these pages :
/utilisateur.*
/menugen.*
sniplet of my web.xml and it security section:
<web-app>
....
<welcome-file-list>
<welcome-file>index.jsf</welcome-file>
<welcome-file>index.jsp</welcome-file>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<security-constraint>
<display-name>
Prevent access to raw JSP pages that are for JSF
pages.
</display-name>
<web-resource-collection>
<web-resource-name>Raw-JSF-JSP-Pages</web-resource-name>
<!-- Add url-pattern for EACH raw JSP page -->
<url-pattern>/utilisateur.*</url-pattern>
<url-pattern>/menugen.*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>No roles, so no direct
access</description>
</auth-constraint>
</security-constraint>
</web-app>
When i directly type the URL :
http://localhost:9000/supLegerWebJSF/utilisateur.jsf
the page is shown !
what did i miss ?
JL PASTUREL
--
View this message in context: http://www.nabble.com/how-i-protect-my-jsf-pages-from-direct-access-t1836501.html#a5012556
Sent from the MyFaces - Users forum at Nabble.com.
Re: how i protect my jsf pages from direct access
Posted by sarma <ss...@mahindrabt.com>.
even though i put it in directory it is not working in tomcat 5.0
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>ChartCreatorWebApp</display-name>
<security-constraint>
<web-resources-collection>
<web-resources-name>protected</web-resources-name>
<url-pattern>/protected/*.jsp</url-pattern>
</web-resources-collection>
</security-constraint>
<welcome-file-list>
<welcome-file>first.jsp</welcome-file>
</welcome-file-list>
<resource-ref>
<description>Oracle Datasource example</description>
<res-ref-name>jdbc/myoracle</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>
</web-app>
here i am able to access
http://localhost:8080/protected/second.jsp
--
View this message in context: http://www.nabble.com/how-i-protect-my-jsf-pages-from-direct-access-t1836501.html#a5035684
Sent from the MyFaces - Users forum at Nabble.com.
Re: how i protect my jsf pages from direct access
Posted by Matt Raible <mr...@gmail.com>.
Container managed authentication (CMA) only supports path-based or
extension-based mappings. That means the following works:
/directory/* (path-based)
*.jsp (extension-based)
And that's it. For this reason, I recommend using something like
Acegi Security or SecurityFilter - they're much more flexible.
Matt
On 6/23/06, sarma <ss...@mahindrabt.com> wrote:
>
> I want to protect these pages :
> /utilisateur.*
> /menugen.*
>
> sniplet of my web.xml and it security section:
> <web-app>
> ....
> <welcome-file-list>
> <welcome-file>index.jsf</welcome-file>
> <welcome-file>index.jsp</welcome-file>
> <welcome-file>index.html</welcome-file>
> </welcome-file-list>
> <security-constraint>
> <display-name>
> Prevent access to raw JSP pages that are for JSF
> pages.
> </display-name>
> <web-resource-collection>
>
> <web-resource-name>Raw-JSF-JSP-Pages</web-resource-name>
> <!-- Add url-pattern for EACH raw JSP page -->
> <url-pattern>/utilisateur.*</url-pattern>
> <url-pattern>/menugen.*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <description>No roles, so no direct
> access</description>
> </auth-constraint>
> </security-constraint>
> </web-app>
>
>
> When i directly type the URL :
> http://localhost:9000/supLegerWebJSF/utilisateur.jsf
> the page is shown !
> what did i miss ?
> JL PASTUREL
>
>
>
>
> --
> View this message in context: http://www.nabble.com/how-i-protect-my-jsf-pages-from-direct-access-t1836501.html#a5012556
> Sent from the MyFaces - Users forum at Nabble.com.
>
>