search

neharob / prettyfaces

Automatically exported from code.google.com/p/prettyfaces
0 stars 0 forks source link

Deny unmanaged access to views #116

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
I would like to see a feature with which a specific pattern can be defined to 
deny direct access to views.
I think many people are missing something like:

<denyDirectResourceAccess pattern="/admin.*"/>

This feature would have the effect, that only url mappings which are declared 
in the configuration(for paths starting with /admin) are accessible.

Here are an example config:
<denyDirectResourceAccess pattern="/admin.*"/>

    <url-mapping id="admin"> 
        <pattern value="/admin/" /> 
        <view-id>#{userBean.getAdminViewPathIfAuthorized}</view-id>
    </url-mapping> 
    <url-mapping id="menu" parentId="admin"> 
        <pattern value="#{[^.] navigationBean.entryName}/" /> 
        <view-id>#{userSessionBean.getAdminViewPathIfAuthorized}</view-id>
        <action>#{navigationBean.getViewPath}</action>
    </url-mapping>

GET /admin/ => mappingId="admin" => return content of the view returned by 
userBean.getAdminViewPathIfAuthorized
GET /admin/index.xhtml => mappingId=null => 404 Error
GET /admin/test/ => mappingId="menu" => return content of the view returned by 
navigationBean.getViewPath or userSessionBean.getAdminViewPathIfAuthorized if 
the navigationBean.getViewPath returns null.

At the moment there is no pretty faces solution for this problem. Mainly it is 
necessary to offer a simple way for devs to deny direct access, so that only 
declared url mappings are processed and for the other requests it would 
probably be the best to just return 404 error.

Original issue reported on code.google.com by christia...@gmail.com on 1 Aug 2011 at 10:43

GoogleCodeExporter commented 9 years ago 
We don't recommend doing this with prettyfaces yet, but if you really want to, 
I'd suggest using a rewrite rule and custom processor:

http://ocpsoft.com/docs/prettyfaces/3.3.0/en-US/html/inbound_rewriting.html#inbo
und_rewriting.options

(The API has changed slightly, but you can see the interface if you implement 
Processor in your IDE)

Original comment by lincolnb...@gmail.com on 2 Aug 2011 at 12:41

GoogleCodeExporter commented 9 years ago 
This is being addressed via OCPSoft Rewrite - a new URL-rewriting tool. Since 
PrettyFaces 4 will be an extension of Rewrite, it will also have that 
capability.

So, until then. Use the custom processor - it will allow you to do what you 
want, but you could also use rewrite to do this: See here: 

http://stackoverflow.com/questions/6924105/jsf-and-prettyfaces-how-to-restrict-d
irect-xhtml-requests/6933010#6933010

package com.example;
public class ExampleConfigurationProvider extends HttpConfigurationProvider
{

   @Override
   public int priority()
   {
     return 10;
   }

   @Override
   public Configuration getConfiguration(final ServletContext context)
   {
     return ConfigurationBuilder.begin()
       .defineRule()
         .when(Direction.isInbound().and(DispatchType.isRequest()).and(Path.matches(".*\\.xhtml")).andNot(Path.matches(".*javax.faces.resource.*")))
         .perform(SendStatus.code(404));
    }
}

This Rewrite rule will block access to inbound HTTP requests on .XHTML files, 
while still allowing forwarded, or error, or async requests. It will also leave 
the JSF2 resources API in a functional state, which is not the case if you use 
the Java EE Security Constraint as suggested in another answer.

Original comment by lincolnb...@gmail.com on 4 Aug 2011 at 3:06