Re: [Shale] where to put the jsp pages and shale-blank app

2006-03-23 Thread Mark Shifman

Thanks for the information on disallowing direct access via chain-config!

I couldn't find any exceptions that were thrown while trying to access 
WEB-INF$pages$welcome.



Craig McClanahan wrote:

> I suspect an exception (due to not being able to directly access things
> under /WEB-INF) is getting swallowed somewhere ... were there any exceptions
> in the server logs?  If not, I'll need to investigate why this scenario is
> not being reported correctly.
>
> One way to protect against direct access to JSP pages is to define a
> security-constraint element that protects them.  Another is to use Shale's
> filtering capabilities.  There is an example of this in the
> /WEB-INF/chain-config.xml file of the Shale Use Cases example app.  Note the
> section that starts with the comment "Disallow direct access to JSP and JSF
> resources".  If you set up something like this inside the preprocess command
> of your own chain-config.xml file, Shale will disallow access to any resource
> whose context-relative path matches one of the specified regular expressions.
>
> Craig

Mark


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



[Shale] where to put the jsp pages and shale-blank app

2006-03-22 Thread Mark Shifman

I have been playing with the shale-blank app and I have a problem.

How do you deal with putting your jsp pages under WEB-INF ie in 
WEB-INF/pages?

(presumably this is a more secure place to put your jsp pages)

Everything works fine if I move the welcome.jsp into pages/welcome.jsp 
at the web app level

and define the managed bean as:
  <managed-bean>
    <managed-bean-name>pages$welcome</managed-bean-name>
    <managed-bean-class>org.apache.shale.blank.WelcomeBean</managed-bean-class>
    <managed-bean-scope>request</managed-bean-scope>
  </managed-bean>

When I move welcome.jsp to WEB-INF/pages and define the managed bean as
  <managed-bean>
    <managed-bean-name>WEB-INF$pages$welcome</managed-bean-name>
    <managed-bean-class>org.apache.shale.blank.WelcomeBean</managed-bean-class>
    <managed-bean-scope>request</managed-bean-scope>
  </managed-bean>

and change the index.jsp to
  <jsp:forward page="/WEB-INF/pages/welcome.faces"/>

and outputting in welcome.jsp with
  <h:outputText value="#{WEB-INF$pages$welcome.timestamp}" ... />

I get "The current date and time is: Dec 31, 1969 7:00:00 PM EST"

if I look at the attributes in requestScope I see
  WEB-INF$pages$welcome = Wed Mar 22 14:52:01 EST 2006
Which is what it should be.

What am I missing?  Why isn't the page picking up the correct timestamp from
the welcome bean?

--
Mark Shifman 






Re: [Shale] where to put the jsp pages and shale-blank app

2006-03-22 Thread Craig McClanahan
On 3/22/06, Mark Shifman [EMAIL PROTECTED] wrote:

> I have been playing with the shale-blank app and I have a problem.
>
> How do you deal with putting your jsp pages under WEB-INF ie in
> WEB-INF/pages?
> (presumably this is a more secure place to put your jsp pages)

JSF (and therefore Shale) do not like serving pages from underneath
/WEB-INF; if you are concerned about protecting against direct access to
them, a different strategy will be needed.

> Everything works fine if I move the welcome.jsp into pages/welcome.jsp
> at the web app level
> and define the managed bean as:
>
>   <managed-bean>
>     <managed-bean-name>pages$welcome</managed-bean-name>
>     <managed-bean-class>org.apache.shale.blank.WelcomeBean</managed-bean-class>
>     <managed-bean-scope>request</managed-bean-scope>
>   </managed-bean>
>
> When I move welcome.jsp to WEB-INF/pages and define the managed bean as
>
>   <managed-bean>
>     <managed-bean-name>WEB-INF$pages$welcome</managed-bean-name>
>     <managed-bean-class>org.apache.shale.blank.WelcomeBean</managed-bean-class>
>     <managed-bean-scope>request</managed-bean-scope>
>   </managed-bean>
>
> and change the index.jsp to
>
>   <jsp:forward page="/WEB-INF/pages/welcome.faces"/>
>
> and outputting in welcome.jsp with
>
>   <h:outputText value="#{WEB-INF$pages$welcome.timestamp}" ... />
>
> I get "The current date and time is: Dec 31, 1969 7:00:00 PM EST"
>
> if I look at the attributes in requestScope I see
>
>   WEB-INF$pages$welcome = Wed Mar 22 14:52:01 EST 2006
>
> Which is what it should be.
>
> What am I missing?  Why isn't the page picking up the correct timestamp
> from the welcome bean?

I suspect an exception (due to not being able to directly access things
under /WEB-INF) is getting swallowed somewhere ... were there any exceptions
in the server logs?  If not, I'll need to investigate why this scenario is
not being reported correctly.

One way to protect against direct access to JSP pages is to define a
security-constraint element that protects them.  Another is to use Shale's
filtering capabilities.  There is an example of this in the
/WEB-INF/chain-config.xml file of the Shale Use Cases example app.  Note the
section that starts with the comment "Disallow direct access to JSP and JSF
resources".  If you set up something like this inside the preprocess command
of your own chain-config.xml file, Shale will disallow access to any resource
whose context-relative path matches one of the specified regular expressions.

> --
> Mark Shifman


Craig
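
Craig's second option, refusing any request whose context-relative path
matches a regular expression, rests on one property of the servlet
filter model, and a plain Filter shows it more directly than the Shale
chain does. The class below is an added example written for this page; it
is not Shale's own filtering command and not taken from the use-cases
chain-config.xml, and the package, class name, init-param name and the
patterns in the wiring comment are assumptions. A filter whose mapping
has no <dispatcher> element runs only for client requests (REQUEST), so
a browser asking for /pages/welcome.jsp directly gets a 404, while the
FacesServlet's RequestDispatcher.forward() to the same .jsp is never seen
by the filter and renders normally.

```java
package example; // assumed package name

import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Denies direct client requests whose context-relative path matches one
 * of the configured regular expressions. Example wiring in web.xml (every
 * name below is an assumption for this example):
 *
 *   <filter>
 *     <filter-name>denyDirectAccess</filter-name>
 *     <filter-class>example.DenyDirectAccessFilter</filter-class>
 *     <init-param>
 *       <param-name>denyPatterns</param-name>
 *       <!-- the raw templates only, never the *.faces URLs forms post to -->
 *       <param-value>/pages/.*\.jsp, /pages/.*\.jspx</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>denyDirectAccess</filter-name>
 *     <url-pattern>/*</url-pattern>
 *     <!-- no <dispatcher> element: REQUEST only, forwards bypass it -->
 *   </filter-mapping>
 */
public class DenyDirectAccessFilter implements Filter {

    private Pattern[] deny = new Pattern[0];

    public void init(FilterConfig config) throws ServletException {
        String raw = config.getInitParameter("denyPatterns");
        if (raw == null || raw.trim().length() == 0) {
            return; // nothing configured: filter is a no-op
        }
        String[] parts = raw.split(",");
        deny = new Pattern[parts.length];
        for (int i = 0; i < parts.length; i++) {
            deny[i] = Pattern.compile(parts[i].trim());
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res,
                         FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (isDenied(contextRelativePath(request))) {
            // 404 rather than 403: do not confirm that the template exists.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }

    /**
     * Context-relative path as the container mapped it: servlet path plus
     * path info, already URL-decoded and normalised by the container before
     * mapping, so the regexes see the same path the target servlet would.
     * The query string is deliberately excluded.
     */
    static String contextRelativePath(HttpServletRequest request) {
        String path = request.getServletPath();
        String info = request.getPathInfo();
        return (info == null) ? path : path + info;
    }

    /** Whole-path match: Matcher.matches() anchors both ends of the regex. */
    boolean isDenied(String path) {
        for (int i = 0; i < deny.length; i++) {
            if (deny[i].matcher(path).matches()) {
                return true;
            }
        }
        return false;
    }
}
```

Two things to keep in mind when choosing the patterns. Do not add the
FacesServlet-mapped URLs (*.faces or *.jsf) to the deny list: that is the
address every JSF form posts to, and denying it has the same effect Craig
describes below for pages under /WEB-INF, no form submission ever reaches
the application. And a filter guards only what is mapped through it; the
security-constraint alternative he names is enforced by the container
before any filter or servlet runs, which is why it is the more robust of
the two.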


Re: [Shale] where to put the jsp pages and shale-blank app

2006-03-22 Thread Dave Newton
Craig McClanahan wrote:

> JSF (and therefore Shale) do not like serving pages from underneath
> /WEB-INF; if you are concerned about protecting against direct access to
> them, a different strategy will be needed.

Just out of curiosity, why is that, as hiding stuff under WEB-INF has
been a fairly well-used strategy for some time?

Dave






Re: [Shale] where to put the jsp pages and shale-blank app

2006-03-22 Thread Craig McClanahan
On 3/22/06, Dave Newton [EMAIL PROTECTED] wrote:

> Craig McClanahan wrote:
> > JSF (and therefore Shale) do not like serving pages from underneath
> > /WEB-INF; if you are concerned about protecting against direct access to
> > them, a different strategy will be needed.
>
> Just out of curiosity, why is that, as hiding stuff under WEB-INF has
> been a fairly well-used strategy for some time?

Two issues:

* The strategy has always been a hack, relying on the inconsistency that
  /WEB-INF prohibitions are applied on the initial request, but not
  on RequestDispatcher.forward().  The more correct method to do this
  has always been to declare a security constraint but not define any
  roles that are allowed in ... the Tomcat example apps show you how
  to do this (or at least they used to), without having to muck around with
  the directory organization of your app.

* In a JSF-based application, the URLs that forms are submitted to are
  based on the location of the page ... they would look something like:

    /contextPath/WEB-INF/pages/mypage.jsf

  if you are using *.jsf mapping for FacesServlet.  This gets intercepted
  by FacesServlet, and (if the same page is redisplayed) results in a
  forward to /WEB-INF/pages/mypage.jsp to do the actual rendering.

  Because of the inconsistency mentioned above, the second step would
  actually work, but the first won't.  It would have the effect of
  prohibiting all submits for your forms.

> Dave


Craig
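
Craig's "more correct method", a security constraint whose auth-constraint
names no roles, as an added web.xml example; it is not taken from the
shale-blank app, the Shale use cases or the Tomcat examples, and the
directory /pages and the servlet name "faces" are assumptions. A
url-pattern can only be an exact path, a /prefix/* or a *.ext, so a
constraint on /pages/* would also catch /pages/welcome.faces, the URL a
form posts to under extension mapping, and reproduce the second problem
above. The fragment therefore maps FacesServlet by prefix: the form posts
to /context/faces/pages/welcome.jsp, outside the constrained tree, and the
forward target /pages/welcome.jsp is inside it.

```xml
<!-- web.xml fragment (added example; not from the shale-blank app, the
     Shale use cases or the Tomcat examples). Directory /pages and the
     servlet name "faces" are assumptions. Templates stay outside /WEB-INF
     so that FacesServlet's forward can reach them. -->

<servlet>
  <servlet-name>faces</servlet-name>
  <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  <load-on-startup>1</load-on-startup>
</servlet>

<!-- Prefix mapping: a form in /pages/welcome.jsp posts to
     /context/faces/pages/welcome.jsp, which is outside the constrained
     /pages/* tree. With *.faces mapping the post would go to
     /pages/welcome.faces and the constraint below would block it. -->
<servlet-mapping>
  <servlet-name>faces</servlet-name>
  <url-pattern>/faces/*</url-pattern>
</servlet-mapping>

<!-- Deny every direct client request for a raw view template.
     An <auth-constraint/> that names no <role-name> admits nobody, so the
     container itself answers 403 before any servlet or filter runs.
     RequestDispatcher.forward() from FacesServlet to /pages/welcome.jsp is
     a server-side dispatch, not a client request, and is not checked
     against security constraints. No <http-method> is listed on purpose:
     listing methods constrains only those and leaves every other method
     (HEAD, PUT, arbitrary verbs) unconstrained. -->
<security-constraint>
  <display-name>No direct access to JSP view templates</display-name>
  <web-resource-collection>
    <web-resource-name>view templates</web-resource-name>
    <url-pattern>/pages/*</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
```

With this layout the shale-blank pieces from the first message keep
working unchanged: index.jsp forwards to /faces/pages/welcome.jsp, view
ids in navigation rules stay /pages/welcome.jsp, and the Shale
view-controller bean is still named pages$welcome. Keep the view
directory name free of hyphens for that last reason: the EL treats "-" as
subtraction, so a name such as WEB-INF$pages$welcome in
#{WEB-INF$pages$welcome.timestamp} is parsed as WEB minus
INF$pages$welcome.timestamp, two unresolved (null) operands that the EL
subtracts to the Long 0, which a date formatter renders as the epoch
(Dec 31, 1969 in US time zones).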


Re: [Shale] where to put the jsp pages and shale-blank app

2006-03-22 Thread Dave Newton
Craig McClanahan wrote:

> It would have the effect of prohibiting all submits for your forms.

That would certainly make form processing easier...

Thanks for the info!

Dave


