-
1. Re: page.xml files accessible by public
fernando_jmt May 12, 2008 1:21 PM (in response to fredso2000)
Did you try something like this (in web.xml):

    <security-constraint>
        <display-name>Restrict XML Documents</display-name>
        <web-resource-collection>
            <web-resource-name>XML</web-resource-name>
            <url-pattern>*.page.xml</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>NONE</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>NONE</role-name>
    </security-role>

HTH.
-
2. Re: page.xml files accessible by public
fredso2000 May 12, 2008 1:46 PM (in response to fredso2000)
Tried it but it does not work, seems like <urlpattern... does not recognise *.page.xml. The only thing I can do is to restrict all XML files using *.xml, which is not ideal.
-
3. Re: page.xml files accessible by public
kellyrob May 13, 2009 5:45 AM (in response to fredso2000)
Has anyone got a working solution for this problem? While the <security-constraint> works for securing .xhtml files, the same definition doesn't appear to do anything for .page.xml files. For instance, this security constraint does nothing to prevent loading of .page.xml files, but works for .xhtml.

    <security-constraint>
        <display-name>Restrict XML Documents</display-name>
        <web-resource-collection>
            <web-resource-name>XML</web-resource-name>
            <url-pattern>*.page.xml</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>NONE</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <display-name>Restrict XHTML Documents</display-name>
        <web-resource-collection>
            <web-resource-name>XHTML</web-resource-name>
            <url-pattern>*.xhtml</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>NONE</role-name>
        </auth-constraint>
    </security-constraint>

-
4. Re: page.xml files accessible by public
yagiz2 Nov 8, 2012 10:12 AM (in response to fredso2000)
Did anybody find a solution to this problem? Is there any way to make page.xmls not accessible?
It seems a developer should be able to limit access to files on his server. Do newer versions of Seam (newer than 2.2.2.Final) have this problem too?
--
Yagiz
-
5. Re: page.xml files accessible by public
gebuh Nov 15, 2012 10:18 AM (in response to yagiz2)
I never noticed this before, thanx.
I created a filter that matches the uri and generates a 404 error. In web.xml I redirect the 404 to a not found page:
The filter doesn't have to be registered in web.xml.
This could be more encompassing, maybe a mapped list of forbidden files? And it would prolly be better for excluding raw .xhtml files too: the security constraint returns a forbidden access; this tells you the file doesn't exist.
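
    import java.io.IOException;
    import java.io.Serializable;

    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.jboss.seam.ScopeType;
    import org.jboss.seam.annotations.Name;
    import org.jboss.seam.annotations.Scope;
    import org.jboss.seam.annotations.Startup;
    import org.jboss.seam.annotations.intercept.BypassInterceptors;
    import org.jboss.seam.annotations.web.Filter;
    import org.jboss.seam.web.AbstractFilter;

    @Startup
    @Scope(ScopeType.APPLICATION)
    @Name("rawDocumentAccessFilter")
    @BypassInterceptors
    @Filter(within = "org.jboss.seam.web.ajax4jsfFilter")
    public class RawDocumentAccessFilter extends AbstractFilter implements Serializable {

        @Override
        public void init(FilterConfig arg0) throws ServletException {
            // nothing to initialise
        }

        @Override
        public void destroy() {
            // nothing to release
        }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            String uri = ((HttpServletRequest) request).getRequestURI();
            if (uri != null && uri.contains(".page.xml")) {
                // Answer 404 so the response does not reveal that the descriptor exists.
                ((HttpServletResponse) response).sendError(HttpServletResponse.SC_NOT_FOUND);
            } else {
                chain.doFilter(request, response);
            }
        }
    }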
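
Under the Servlet specification a url-pattern beginning with `*.` is an extension mapping, and the extension is the text after the last `.` of the final path segment, so `*.page.xml` is compared against `xml` and never matches, while `*.xml` does. The following is an added example, not code from any poster in this thread: it reproduces that rule and shows a normalised suffix check that a filter like the one above could use. The class name, the deny-list and the sample paths are hypothetical.

```java
import java.net.URLDecoder;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

public class RawDescriptorMatcher {
    // Hypothetical deny-list; extend it with other raw files that must not be served.
    static final List<String> FORBIDDEN_SUFFIXES = Arrays.asList(".page.xml");

    /** Extension mapping: "*.ext" is compared with the text after the LAST '.' of the last segment. */
    static boolean extensionPatternMatches(String pattern, String path) {
        if (!pattern.startsWith("*.")) return false;
        String lastSegment = path.substring(path.lastIndexOf('/') + 1);
        int dot = lastSegment.lastIndexOf('.');
        return dot >= 0 && lastSegment.substring(dot + 1).equals(pattern.substring(2));
    }

    /** Drops path parameters such as ";jsessionid=..." from every segment. */
    static String stripPathParameters(String requestUri) {
        return requestUri.replaceAll(";[^/]*", "");
    }

    /** Suffix check for getRequestURI(), which the container hands over undecoded. */
    static boolean isForbidden(String requestUri) throws Exception {
        String path;
        try {
            path = URLDecoder.decode(stripPathParameters(requestUri), "UTF-8");
        } catch (IllegalArgumentException malformedEscape) {
            return true; // fail closed on a malformed %-escape
        }
        path = path.toLowerCase(Locale.ROOT);
        for (String suffix : FORBIDDEN_SUFFIXES) {
            if (path.endsWith(suffix)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample request URIs, not taken from the thread.
        String[] samples = { "/app/home.page.xml", "/app/home.xhtml", "/app/data.xml",
                             "/app/home.page.xml;jsessionid=ABC123", "/app/Home.PAGE.XML" };
        for (String s : samples) {
            String clean = stripPathParameters(s);
            System.out.printf("%-38s *.page.xml=%-5b *.xml=%-5b filter=%b%n", s,
                    extensionPatternMatches("*.page.xml", clean),
                    extensionPatternMatches("*.xml", clean),
                    isForbidden(s));
        }
    }
}
```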