Inform about exposed view source when using prefix mapping #1015
Comments
@glassfishrobot Commented
The common approach to prevent direct access to source files when prefix mapping is used is to put a security constraint on the JSF default view extension:

```xml
<security-constraint>
    <display-name>Restrict direct access to XHTML files</display-name>
    <web-resource-collection>
        <web-resource-name>XHTML files</web-resource-name>
        <url-pattern>*.xhtml</url-pattern>
    </web-resource-collection>
    <!-- empty auth-constraint: nobody may request *.xhtml directly -->
    <auth-constraint />
</security-constraint>
```

An alternative approach is to use extension mapping of *.xhtml instead. The only disadvantage is that you cannot serve "plain" XHTML files anymore without invoking the FacesServlet. But IMO this is not a disadvantage as those kind of files should have the *.html extension.
@glassfishrobot Commented
Well, since JSF 2 you should serve these with the JSF resource handler anyway! However, using a security constraint is better, and of course, using *.xhtml is the best!
@glassfishrobot Commented
Following that logic, I wonder what the opinions are on adding *.xhtml to the default servlet mapping? This will instantly solve the problem with exposing the source code and as an extra benefit I think *.xhtml to *.xhtml will be easier to understand for those new to JSF.
Trigger: http://stackoverflow.com/questions/6341361/jsf-url-mapping-security-risk
Summary: When prefix mapping is used, the view source is publicly available to the end user by just removing the prefix mapping pattern from the request URL. This can cause privacy issues and in the opinion of some even a security issue. This should be addressed more clearly in the specification.
Affected Versions
[2.1]
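A static check for the exposure this issue describes, as an added example (not Mojarra or JSF code): it reads a web.xml, finds how the FacesServlet is mapped, and reports whether the bare *.xhtml views are still reachable, i.e. neither mapped to the FacesServlet (the *.xhtml suggestion above) nor denied by a security constraint (the empty auth-constraint suggestion above). It generalizes slightly beyond the issue text: a *.jsf suffix mapping leaves the source just as reachable as a /faces/* prefix, so both are flagged. The sample web.xml strings are constructed here.

```python
import xml.etree.ElementTree as ET

def _kids(elem, name):
    # Direct children called `name`, ignoring any xmlns on the web-app root.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _text(elem, name):
    return [c.text.strip() for c in _kids(elem, name) if c.text]

def audit_web_xml(xml_text):
    """Report how the FacesServlet is mapped and whether a request for the
    bare *.xhtml file bypasses it and is served as static source."""
    root = ET.fromstring(xml_text)
    faces = {n for s in _kids(root, "servlet")
             if any(c.endswith("FacesServlet") for c in _text(s, "servlet-class"))
             for n in _text(s, "servlet-name")}
    patterns = [p for m in _kids(root, "servlet-mapping")
                if set(_text(m, "servlet-name")) & faces
                for p in _text(m, "url-pattern")]
    # Only an empty <auth-constraint/> denies everyone; one naming roles
    # still lets those users fetch the source and needs a manual review.
    denied = False
    for sc in _kids(root, "security-constraint"):
        pats = [p for w in _kids(sc, "web-resource-collection")
                for p in _text(w, "url-pattern")]
        auth = _kids(sc, "auth-constraint")
        if "*.xhtml" in pats and auth and not _kids(auth[0], "role-name"):
            denied = True
    ext = "*.xhtml" in patterns
    return {
        "prefix_mapping": any(p.startswith("/") and p.endswith("/*") for p in patterns),
        "xhtml_extension_mapping": ext,
        "xhtml_denied_by_constraint": denied,
        # Exposed whenever FacesServlet does not own *.xhtml and nothing
        # blocks it; this also covers *.jsf-style suffix mappings.
        "source_exposed": bool(patterns) and not ext and not denied,
    }

# Constructed sample web.xml (not from the issue): /faces/* prefix only.
EXPOSED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet><servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern></servlet-mapping>
</web-app>"""
# Same mapping plus the deny-all constraint proposed in the thread.
FIXED = EXPOSED.replace("</web-app>", """  <security-constraint>
    <web-resource-collection><web-resource-name>XHTML files</web-resource-name>
      <url-pattern>*.xhtml</url-pattern></web-resource-collection>
    <auth-constraint/></security-constraint>
</web-app>""")
```

Run `audit_web_xml(EXPOSED)` and `audit_web_xml(FIXED)` to compare; a real deployment should also be checked with a request for a bare view path, since container defaults and other filters can change the outcome.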