5 Replies Latest reply on Nov 15, 2012 10:18 AM by gebuh

    page.xml files accessible by public

    fredso2000

I notice the .page.xml files are accessible to the public by default. I tried adding a security-constraint using a URL pattern:

      .page.xml



but that does not seem to work. Can anyone please help.


      Thanks

        • 1. Re: page.xml files accessible by public
          fernando_jmt

          Did you try something like this (in web.xml):



           <security-constraint>
               <display-name>Restrict XML Documents</display-name>
               <web-resource-collection>
                   <web-resource-name>XML</web-resource-name>
                   <url-pattern>*.page.xml</url-pattern>
               </web-resource-collection>
               <auth-constraint>
                   <role-name>NONE</role-name>
               </auth-constraint>
           </security-constraint>
           <security-role>
               <role-name>NONE</role-name>
           </security-role>




          HTH.

          • 2. Re: page.xml files accessible by public
            fredso2000

            Tried it but it does not work, seems like <urlpattern... does not recognise *.page.xml.


            The only thing I can do is to restrict all XML files using *.xml which is not ideal.

            • 3. Re: page.xml files accessible by public
              kellyrob

              Has anyone got a working solution for this problem? While the <security-constraint> works for securing .xhtml files, the same definition doesn't appear to do anything for .page.xml files. For instance, this security constraint does nothing to prevent loading of .page.xml files, but works for .xhtml.



                  <security-constraint>
                      <display-name>Restrict XML Documents</display-name>
                      <web-resource-collection>
                          <web-resource-name>XML</web-resource-name>
                          <url-pattern>*.page.xml</url-pattern>
                      </web-resource-collection>
                      <auth-constraint>
                          <role-name>NONE</role-name>
                      </auth-constraint>
                  </security-constraint>
              
                  <security-constraint>
                      <display-name>Restrict XHTML Documents</display-name>
                      <web-resource-collection>
                          <web-resource-name>XHTML</web-resource-name>
                          <url-pattern>*.xhtml</url-pattern>
                      </web-resource-collection>
                      <auth-constraint>
                          <role-name>NONE</role-name>
                      </auth-constraint>
                  </security-constraint>


              • 4. Re: page.xml files accessible by public
                yagiz2

                Did anybody find a solution to this problem? Is there any way to make page.xmls not accessible?


                It seems a developer should be able to limit access to files on his server. Do newer versions of Seam (newer than 2.2.2.Final) have this problem too?


                --

                Yagiz

                • 5. Re: page.xml files accessible by public
                  gebuh

                  I never noticed this before, thanks.

                  I created a filter that matches the URI and generates a 404 error. In web.xml I redirect the 404 to a not found page:

                  The filter doesn't have to be registered in web.xml.

                  This could be more encompassing, maybe a mapped list of forbidden files? And it would probably be better for excluding raw .xhtml files too; the security constraint returns a forbidden access, this tells you the file doesn't exist.

                  import java.io.IOException;
                  import java.io.Serializable;

                  import javax.servlet.FilterChain;
                  import javax.servlet.FilterConfig;
                  import javax.servlet.ServletException;
                  import javax.servlet.ServletRequest;
                  import javax.servlet.ServletResponse;
                  import javax.servlet.http.HttpServletRequest;
                  import javax.servlet.http.HttpServletResponse;

                  import org.jboss.seam.ScopeType;
                  import org.jboss.seam.annotations.Name;
                  import org.jboss.seam.annotations.Scope;
                  import org.jboss.seam.annotations.Startup;
                  import org.jboss.seam.annotations.intercept.BypassInterceptors;
                  import org.jboss.seam.annotations.web.Filter;
                  import org.jboss.seam.web.AbstractFilter;

                  // Seam component filter: picked up by Seam's filter chain automatically,
                  // so it needs no <filter> / <filter-mapping> entry in web.xml.
                  @Startup
                  @Scope(ScopeType.APPLICATION)
                  @Name("rawDocumentAccessFilter")
                  @BypassInterceptors
                  @Filter(within="org.jboss.seam.web.ajax4jsfFilter")
                  public class RawDocumentAccessFilter extends AbstractFilter implements Serializable {

                      @Override
                      public void init(FilterConfig arg0) throws ServletException {
                          // nothing to set up
                      }

                      @Override
                      public void destroy() {
                          // nothing to release
                      }

                      @Override
                      public void doFilter(ServletRequest request, ServletResponse response,
                              FilterChain chain) throws IOException, ServletException {
                          String uri = ((HttpServletRequest) request).getRequestURI();

                          // Any request whose URI mentions .page.xml is answered with 404,
                          // so the raw page descriptor is never served and its existence
                          // is not confirmed (a security-constraint would answer 403).
                          if (uri != null && uri.contains(".page.xml")) {
                              ((HttpServletResponse) response).sendError(HttpServletResponse.SC_NOT_FOUND);
                          } else {
                              chain.doFilter(request, response);
                          }
                      }
                  }
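An added example, written for this thread and not code from any of the posters or from Seam itself. The reason the `*.page.xml` constraint above never fires is that the servlet specification defines an extension mapping as matching the part of the last path segment after its final dot, so the only extension a container ever sees for `home.page.xml` is `xml`; that is why `*.xml` works and `*.page.xml` cannot. The plain servlet filter below therefore maps itself to `/*` and does its own suffix check on the decoded path the container dispatched (servlet path plus path info, which excludes the query string and path parameters), compares case-insensitively, and answers 404 like gebuh's filter. The package name `example`, the filter name and the list of blocked suffixes are assumptions; the sample paths in `main` are constructed.

```java
package example;

import java.io.IOException;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of Seam) that answers 404 for any request
 * whose path ends in one of the blocked suffixes. Registered in web.xml as:
 *
 *   <filter>
 *       <filter-name>RawDocumentFilter</filter-name>
 *       <filter-class>example.RawDocumentFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *       <filter-name>RawDocumentFilter</filter-name>
 *       <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 *
 * The mapping is "/*" rather than "*.page.xml": a servlet extension mapping
 * only looks at the text after the last dot of the last path segment, so
 * "*.page.xml" can never match (the extension is just "xml").
 */
public class RawDocumentFilter implements Filter {

    /** Suffixes that must never be served raw (assumed list). */
    private static final String[] BLOCKED_SUFFIXES = { ".page.xml", ".xhtml" };

    /**
     * Decides whether a dispatched path should be hidden. Works on the
     * decoded servlet path + path info, so the context path, query string
     * and path parameters are already excluded; the comparison ignores case.
     */
    static boolean isBlocked(String servletPath, String pathInfo) {
        String path = (servletPath == null ? "" : servletPath)
                    + (pathInfo == null ? "" : pathInfo);
        String lower = path.toLowerCase(Locale.ROOT);
        for (String suffix : BLOCKED_SUFFIXES) {
            if (lower.endsWith(suffix)) {
                return true;
            }
        }
        return false;
    }

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void destroy() {
        // nothing to release
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        if (isBlocked(req.getServletPath(), req.getPathInfo())) {
            // 404 rather than 403: the response does not confirm the file exists
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(request, response);
    }

    /** Stand-alone check of the matching rule on constructed sample paths. */
    public static void main(String[] args) {
        String[][] samples = {
            { "/home.page.xml", null },        // blocked
            { "/admin", "/Users.PAGE.XML" },   // blocked, case-insensitive
            { "/home.seam", null },            // allowed: the rendered page
            { "/pages.xml", null },            // allowed: ends in .xml, not .page.xml
        };
        for (String[] s : samples) {
            String shown = s[0] + (s[1] == null ? "" : s[1]);
            System.out.println(shown + " -> " + (isBlocked(s[0], s[1]) ? "404" : "pass"));
        }
    }
}
```

Because the check is a suffix test on the dispatched path rather than a substring test on the raw request URI, it does not block unrelated resources that merely contain the text `.page.xml` somewhere in a directory name, and adding or removing a blocked suffix is a one-line change to `BLOCKED_SUFFIXES`. Whether `.xhtml` belongs in that list depends on the application: Seam applications normally serve pages through the `.seam` mapping, and the raw `.xhtml` sources are then never legitimately requested by clients.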