-
1. Re: How to forbid any user to directly ping xhtml file?
niox.nikospara.yahoo.com May 26, 2009 11:01 PM (in response to titou09)
They have solved it in Seam-gen :)
In web.xml:
<security-constraint>
  <display-name>Restrict raw XHTML Documents</display-name>
  <web-resource-collection>
    <web-resource-name>XHTML</web-resource-name>
    <url-pattern>*.xhtml</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
-
2. Re: How to forbid any user to directly ping xhtml file?
titou09 May 26, 2009 11:07 PM (in response to titou09)
This does not work because:
- the user needs to be logged in for this to work. There must be a security context to trigger the security-constraint rules (at least in WebSphere). Not all of our pages require being logged in.
- with this, when the user is logged in and tries to ping an xhtml page directly, he will receive a 403-not authorized response instead of a 404-not-found page as it should.
-
3. Re: How to forbid any user to directly ping xhtml file?
luxspes May 27, 2009 1:06 AM (in response to titou09)
AFAIK this is already handled in the web.xml generated by default by seam-gen:
<security-constraint>
  <display-name>Restrict raw XHTML Documents</display-name>
  <web-resource-collection>
    <web-resource-name>XHTML</web-resource-name>
    <url-pattern>*.xhtml</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
-
4. Re: How to forbid any user to directly ping xhtml file?
niox.nikospara.yahoo.com May 27, 2009 11:05 AM (in response to titou09)
Websphere :(
The <security-constraint> works on JBoss.
Anyway, why don't you try a simple servlet, mapped to *.xhtml, that always responds with response.sendError(HttpServletResponse.SC_NOT_FOUND)?
-
5. Re: How to forbid any user to directly ping xhtml file?
luxspes May 27, 2009 3:03 PM (in response to titou09)
It works in Tomcat for me... and this is not JBoss specific, it works in Tomcat, and in Glassfish, and in WebLogic...
-
6. Re: How to forbid any user to directly ping xhtml file?
titou09 May 28, 2009 12:48 AM (in response to titou09)
I've declared a filter assigned to the *.xhtml URI, before the Seam filter. This filter just redirects the user to the 404 page not found error page.
I'm curious to know how Tomcat is redirecting the user to the 404 page not found error page and not to the 403 not authorized page in this case...
Is there a Tomcat configuration elsewhere to specify where to redirect the user in this case?
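
Added example, not part of the thread and not any poster's code: a sketch of the approach discussed in posts 4 and 6, a filter mapped to *.xhtml that answers every direct request with 404 and works without a login or security context. The package, class and filter names are hypothetical, and it assumes pages are normally reached through a different mapping (for example *.seam), so that only raw requests match *.xhtml.

```java
// Added example, not code from the thread. Names are hypothetical.
// Targets the javax.servlet API (Servlet 2.4 or later).
//
// web.xml wiring. Declare this mapping before the Seam filter's mapping,
// because url-pattern filter mappings are applied in declaration order:
//
//   <filter>
//     <filter-name>RawXhtmlBlocker</filter-name>
//     <filter-class>example.RawXhtmlBlockerFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>RawXhtmlBlocker</filter-name>
//     <url-pattern>*.xhtml</url-pattern>
//     <dispatcher>REQUEST</dispatcher>  <!-- client requests only -->
//   </filter-mapping>
package example;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class RawXhtmlBlockerFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // No configuration needed.
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            // sendError (not a redirect) keeps the requested URL and lets the
            // container render the <error-page> configured for 404, if any.
            // The chain is deliberately not invoked, so no view source is served.
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Non-HTTP request: fail closed instead of passing it down the chain.
        throw new ServletException("Unsupported non-HTTP request for a raw XHTML resource");
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

Because the filter never calls chain.doFilter, the response is the same 404 for anonymous and authenticated users, which avoids the 403 behaviour described in post 2.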