securityjsfjsf-2composite-componentweb-inf

Prevent direct access to composite components by placing them inside /WEB-INF


I'm trying to define some composite components in my web application. According to the tutorials i read, i have to place the xhtml files inside a resource folder located in webcontent. This solution is problematic, given that it would make those files available for public access from an url. Is there a way to put this components inside the web-inf folder, and make the jsf look for the files there? If not, is there another way to avoid direct access?

Thanks.

P.S.: I have looked into this answer, and if i understood BalusC's answer correctly, what I intend to do is possible.


Solution

  • "Composite components" are not exactly the same as "compositions" in the question/answer you found. The OP was clearly talking about compositions as in <ui:include> files which are including <ui:componsition> content.

    You effectively want to prevent direct access to /resources. This can be achieved by adding the following security constraint entry to web.xml:

    <security-constraint>
        <display-name>Restrict direct access to JSF resources</display-name>
        <web-resource-collection>
            <web-resource-name>JSF resources</web-resource-name>
            <url-pattern>/resources/*</url-pattern>
        </web-resource-collection>
        <auth-constraint /><!-- Empty auth constraint! -->
    </security-constraint> 
    

    As per the upcoming JSF 2.2, this would not be necessary anymore as it allows you to move the whole /resources folder into /WEB-INF by the following configuration entry in web.xml:

    <context-param>
        <param-name>javax.faces.WEBAPP_RESOURCES_DIRECTORY</param-name>
        <param-value>WEB-INF/resources</param-value> 
    </context-param>