6 Replies Latest reply on May 28, 2009 12:48 AM by titou09

    How to forbid any user to directly ping xhtml file?

    titou09

      If a user enters an address like http://<serveur>/App/any-valid-page-name.xhtml in their browser, by default the xhtml source file will be displayed, which is obviously not what we want.


      I'm thinking of three ways to solve this and send back a nice 404 page not found to the user:



      • write a filter mapped to *.xhtml before the seam filter and redirect to the page-not-found page if called

      • declare a seam filter thanks to the @Filter annotation (but will this interfere with seam?)

      • use some kind of declaration in pages.xml?



      How are you guys dealing with this problem?


      Thx

        • 1. Re: How to forbid any user to directly ping xhtml file?
          niox.nikospara.yahoo.com

          They have solved it in Seam-gen :)


          In web.xml:


               <security-constraint>
                    <display-name>Restrict raw XHTML Documents</display-name>
                    <web-resource-collection>
                         <web-resource-name>XHTML</web-resource-name>
                         <url-pattern>*.xhtml</url-pattern>
                    </web-resource-collection>
                    <auth-constraint/>
               </security-constraint>
          

          • 2. Re: How to forbid any user to directly ping xhtml file?
            titou09

            This does not work because:

            • the user needs to be logged in for this to work. There must be a security context to trigger the security-constraint rules (at least in WebSphere). Not all of our pages require the user to be logged in.

            • with this, when the user is logged in and tries to ping an xhtml page directly, he will receive a 403 not authorized response instead of a 404 not found page as he should.

            • 3. Re: How to forbid any user to directly ping xhtml file?

              AFAIK this is already handled in the web.xml generated by default by seam-gen:


                   <security-constraint>
                        <display-name>Restrict raw XHTML Documents</display-name>
                        <web-resource-collection>
                             <web-resource-name>XHTML</web-resource-name>
                             <url-pattern>*.xhtml</url-pattern>
                        </web-resource-collection>
                        <auth-constraint/>
                   </security-constraint>
              

              • 4. Re: How to forbid any user to directly ping xhtml file?
                niox.nikospara.yahoo.com

                WebSphere :(


                The <security-constraint> works on JBoss.


                Anyway, why don't you try a simple servlet, mapped to *.xhtml, that always responds with response.sendError(HttpServletResponse.SC_NOT_FOUND)?

                • 5. Re: How to forbid any user to directly ping xhtml file?

                  It works in Tomcat for me... and this is not JBoss specific, it works in Tomcat, and in Glassfish, and in WebLogic...

                  • 6. Re: How to forbid any user to directly ping xhtml file?
                    titou09

                    I've declared a filter assigned to the *.xhtml URI, before the seam filter. This filter just redirects the user to the 404 page-not-found error page.


                    I'm curious to know how Tomcat is redirecting the user to the 404 page-not-found error page and not to the 403 not authorized page in this case...
                    Is there a Tomcat configuration elsewhere to specify where to redirect the user in this case?
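                    As an added illustration of the filter approach discussed in replies 4 and 6 (this is example code written for this thread, not the poster's filter or anything from Seam itself), a servlet filter mapped to *.xhtml that answers every direct request with a 404 via sendError, so the container's own <error-page> for 404 is applied and the Facelets source is never served. The class name is hypothetical; the mapping is shown in the comment at the top.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Register it in web.xml BEFORE the Seam filter so it runs first:
 *
 *   <filter>
 *     <filter-name>Raw XHTML Filter</filter-name>
 *     <filter-class>example.RawXhtmlFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>Raw XHTML Filter</filter-name>
 *     <url-pattern>*.xhtml</url-pattern>
 *   </filter-mapping>
 *
 * With no <dispatcher> element the mapping applies to client REQUESTs only,
 * so the JSF view handler's own access to the .xhtml templates is unaffected.
 */
public class RawXhtmlFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Servlet path is the part after the context root, without the query string.
        String path = request.getServletPath();
        if (path != null && path.toLowerCase().endsWith(".xhtml")) {
            // sendError (not sendRedirect) keeps the real status code and lets the
            // container render its configured 404 page, exactly as for a missing URL.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```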