On 3/22/06, Mark Shifman <[EMAIL PROTECTED]> wrote:
>
> I have been playing with the shale-blank app and I have a problem.
>
> How do you deal with putting your jsp pages under WEB-INF ie in
> WEB-INF/pages?
> (presumably this is a more secure place to put your jsp pages)


JSF (and therefore Shale) does not like serving pages from underneath
/WEB-INF; if you are concerned about protecting direct access to them, a
different strategy will be needed.

> Everything works fine if I move the welcome.jsp into pages/welcome.jsp
> at the web app level
> and define the managed bean as:
>   <managed-bean>
>     <managed-bean-name>pages$welcome</managed-bean-name>
>     <managed-bean-class>org.apache.shale.blank.WelcomeBean</managed-bean-class>
>     <managed-bean-scope>request</managed-bean-scope>
>   </managed-bean>
>
> When I move welcome.jsp to WEB-INF/pages and define the managed bean as
>   <managed-bean>
>     <managed-bean-name>WEB-INF$pages$welcome</managed-bean-name>
>     <managed-bean-class>org.apache.shale.blank.WelcomeBean</managed-bean-class>
>     <managed-bean-scope>request</managed-bean-scope>
>   </managed-bean>
>
> and change the index.jsp to
> <jsp:forward page="/WEB-INF/pages/welcome.faces"/>
>
> and outputting in welcome.jsp with
> <h:outputText value="#{WEB-INF$pages$welcome.timestamp}" >...
>
> I get The current date and time is: Dec 31, 1969 7:00:00 PM EST
>
> if I look at the attributes in requestScope I see
> WEB-INF$pages$welcomeWed Mar 22 14:52:01 EST 2006
> Which is what it should be.
>
> What am I missing?  Why isn't the page picking up the correct timestamp
> from
> the welcome bean?


I suspect an exception (due to not being able to directly access things
under /WEB-INF) is getting swallowed somewhere ... were there any exceptions
in the server logs?  If not, I'll need to investigate why this scenario is
not being reported correctly.

One way to protect against direct access to JSP pages is to define a
<security-constraint> element that protects them.  Another is to use Shale's
filtering capabilities.  There is an example of this in the /WEB-INF/chain-
config.xml file of the Shale Use Cases example app.  Note the section that
starts with the comment "Disallow direct access to JSP and JSF resources".
If you set up something like this inside the "preprocess" command of your
own chain-config.xml file, Shale will disallow access to any resource whose
context-relative path matches one of the specified regular expressions.

> --
> Mark Shifman


Craig
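As an added illustration of the first strategy Craig mentions (not code from the thread or from the Shale project): a web.xml fragment that blocks direct client requests to the JSP sources while still letting the FacesServlet render them. It assumes the pages live under /pages/ at the web app level and that the FacesServlet is mapped to *.faces; the empty <auth-constraint/> means no role is permitted, so a browser request for /pages/welcome.jsp gets a 403, whereas the container's internal forward from /pages/welcome.faces to the JSP is not subject to security constraints and continues to work.

```xml
<!-- Added example: deny direct access to JSP sources under /pages/ -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>JSP sources (assumed location)</web-resource-name>
    <url-pattern>/pages/*.jsp</url-pattern>
    <url-pattern>/pages/*.jspf</url-pattern>
  </web-resource-collection>
  <!-- empty auth-constraint: no role may access these URLs directly -->
  <auth-constraint/>
</security-constraint>

<!-- Requests still reach the pages only through the FacesServlet mapping -->
<servlet-mapping>
  <servlet-name>faces</servlet-name>
  <url-pattern>*.faces</url-pattern>
</servlet-mapping>
```

The servlet-name "faces" is whatever name the app already gives its FacesServlet declaration; the point is that clients only ever request the *.faces view id, never the .jsp file itself.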
