5 Replies Latest reply on Sep 21, 2006 2:34 AM by cptnkirk

    Blocking direct access to .xhtml files

    Daniel Young Novice

      Hi all,

      I've noticed in my own app and in the booking example that if you know the name of the underlying .xhtml files, you can hit them directly in your browser and download the source.

      eg: http://localhost:8080/seam-booking/home.xhtml

      What is the recommended way of blocking this so that only .seam actions are handled? Should I have a servlet mapping for *.xhtml that returns a 404, or will this interfere with the workings of Seam?

      I think it's a bit of a hole in a webapp to have the template files directly accessible like this.


        • 1. Re: Blocking direct access to .xhtml files
          Raja Master

          Well, its just behaving as a WebServer. Can you locate your xhtml files within the WEB-INF so they cant be rendered directly and have your navigation rules point to the locations within WEB-INF?

          Also look at the dvdstore example for some snippets that are loaded from the WEB-INF directory.

          • 2. Re: Blocking direct access to .xhtml files
            Daniel Young Novice

            I realise it's just serving up the files, but this never happens with things like JSPs, because the server would intercept those requests and run the servlet that it has compiled from the JSP instead.

            You don't have to put your JSPs under WEB-INF, what a kludge that would be!

            I think Seam by default should be configured to not allow direct access to your xhtml facelet code. Does anybody agree, or have I got something wrong?

            • 3. Re: Blocking direct access to .xhtml files

              Writing a filter that blocks direct .xhtml access shouldn't be too hard. I wouldn't expect facelets to perform a web request to access the .xhtml files, so you should be able to 404 any direct HTTP access.

              I'm not 100%, but this should be easy enough to test. Either just write the filter, or look at the HTTP request log during expected usage. Even if facelets makes a web request for some reason, it should come from localhost or your local IP. You can adjust your filter to permit that access.

              • 4. Re: Blocking direct access to .xhtml files
                Daniel Young Novice

                Thanks CptnKirk, I'll give it a go and post the results. This is the direction I was headed in, but wanted a sanity check to see if anybody else has dealt with this some other way, or if anybody else even sees it as an issue.


                • 5. Re: Blocking direct access to .xhtml files

                  You could also try setting your Faces Servlet to match on *.xhtml instead of *.seam. I'm not sure if that causes a problem or not. I wish I were closer to a dev environment. These are all quick tests.

                  For some reason I thought that facelets was still like JSP in that if you screw up and don't go through the JSF servlet things will crash. Not pretty, but secure. I also tend to use a JSP 2.0 jspx like syntax with my facelet pages to get tag JSF completion. That also helps things explode rather than render if someone attempts to access the .jspx file directly.

                  Let me know what you find. If nothing works, I should be more helpful tomorrow.