Inform about exposed view source when using prefix mapping #1015

Closed
eclipse-faces-bot opened this issue Jun 14, 2011 · 15 comments

Comments

@eclipse-faces-bot

Trigger: http://stackoverflow.com/questions/6341361/jsf-url-mapping-security-risk

Summary: When prefix mapping is used, the view source is publicly available to the end user by just removing the prefix mapping pattern from the request URL. This can cause privacy issues and in the opinion of some even a security issue. This should be addressed more clearly in the specification.

Affected Versions

[2.1]

@eclipse-faces-bot

@glassfishrobot Commented
Reported by @BalusC

@eclipse-faces-bot

@glassfishrobot Commented
Issue-Links:
is related to
JAVASERVERFACES_SPEC_PUBLIC-915

@eclipse-faces-bot

@glassfishrobot Commented
jakobkorherr said:
Possible workaround: use a filter that prohibits access to everything not containing the prefix mapping of the FacesServlet!

@eclipse-faces-bot

@glassfishrobot Commented
@BalusC said:
@jakob: this is pretty poor. How about static resources like JS/CSS/images and plain HTML files?

The common approach to prevent direct access to source files when prefix mapping is used is to put a security constraint on the JSF default view extension:

```xml
<security-constraint>
    <display-name>Restrict direct access to XHTML files</display-name>
    <web-resource-collection>
        <web-resource-name>XHTML files</web-resource-name>
        <url-pattern>*.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
```

An alternative approach is to use extension mapping of *.xhtml instead. The only disadvantage is that you cannot serve "plain" XHTML files anymore without invoking the FacesServlet. But IMO this is not a disadvantage as those kind of files should have the *.html extension.

@eclipse-faces-bot

@glassfishrobot Commented
jakobkorherr said:
hehe - yep, I know it's pretty poor, but it was the first thing that popped into my mind!

How about static resources like JS/CSS/images and plain HTML files?

Well, since JSF 2 you should serve these with the JSF resource handler anyway!

However, using a security constraint is better, and of course, using *.xhtml is the best!

@eclipse-faces-bot

@glassfishrobot Commented
File: FacesServlet.html
Attached By: @edburns

@eclipse-faces-bot

@glassfishrobot Commented
@edburns said:
Generated documentation. Will be color coded.

@eclipse-faces-bot

@glassfishrobot Commented
@edburns said:
Sending jsf-api/src/main/java/javax/faces/webapp/FacesServlet.java
Sending jsf-api/src/main/java/javax/faces/webapp/package.html
Transmitting file data ..
Committed revision 9164.

@eclipse-faces-bot

@glassfishrobot Commented
Marked as fixed on Tuesday, June 14th 2011, 4:33:01 am

@eclipse-faces-bot

@glassfishrobot Commented
@BalusC said:
Great! By the way, I start to realize that the issue is not related to prefix patterns per se. The same issue would be exposed when you're using a suffix pattern such as *.faces and replace the extension in the request URL by *.xhtml.

@eclipse-faces-bot

@glassfishrobot Commented
jakobkorherr said:
hehehe. you're right. did not think of that!

@eclipse-faces-bot

@glassfishrobot Commented
@arjantijms said:

The only disadvantage is that you cannot serve "plain" XHTML files anymore without invoking the FacesServlet. But IMO this is not a disadvantage as those kind of files should have the *.html extension.

Following that logic, I wonder what the opinions are on adding *.xhtml to the default servlet mapping? This will instantly solve the problem with exposing the source code and as an extra benefit I think *.xhtml to *.xhtml will be easier to understand for those new to JSF.
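The two mitigations discussed in this thread (BalusC's deny-all security constraint on `*.xhtml`, and mapping the FacesServlet to `*.xhtml` itself as proposed here) can both be verified offline from `web.xml`. The audit below is an added example, not code from this thread or from the JSF project; the function `audit_web_xml`, its helpers and the three sample `web.xml` fragments are constructed for illustration. Following BalusC's later observation, it treats a FacesServlet mapped only to a prefix pattern or to a non-`.xhtml` suffix as leaving the raw Facelets source reachable, unless a security constraint with an empty `<auth-constraint/>` covers `*.xhtml`.

```python
"""Offline web.xml audit for raw Facelets view-source exposure (added example)."""
import xml.etree.ElementTree as ET

# Both the classic and the Jakarta package names of the FacesServlet.
FACES_SERVLET_CLASSES = {
    "javax.faces.webapp.FacesServlet",
    "jakarta.faces.webapp.FacesServlet",
}
VIEW_SUFFIX = "*.xhtml"  # default JSF view extension


def _local(tag):
    # web.xml elements carry a default namespace; compare on the local name only.
    return tag.split("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else ""


def _patterns(elem):
    return [(p.text or "").strip() for p in _children(elem, "url-pattern")]


def audit_web_xml(xml_text):
    """Return a dict describing how *.xhtml files are reachable for this deployment."""
    root = ET.fromstring(xml_text)

    # 1. servlet-name(s) bound to the FacesServlet class
    faces_names = {
        _text(s, "servlet-name")
        for s in _children(root, "servlet")
        if _text(s, "servlet-class") in FACES_SERVLET_CLASSES
    }

    # 2. every url-pattern routed to the FacesServlet (prefix or suffix)
    faces_patterns = []
    for m in _children(root, "servlet-mapping"):
        if _text(m, "servlet-name") in faces_names:
            faces_patterns += _patterns(m)
    xhtml_mapped_to_faces = VIEW_SUFFIX in faces_patterns

    # 3. a security-constraint on *.xhtml whose auth-constraint names no role
    #    (the deny-all form from the thread); the container then refuses direct access
    xhtml_denied = False
    for sc in _children(root, "security-constraint"):
        covers = any(VIEW_SUFFIX in _patterns(wrc)
                     for wrc in _children(sc, "web-resource-collection"))
        auth = _children(sc, "auth-constraint")
        if covers and auth and not _children(auth[0], "role-name"):
            xhtml_denied = True

    return {
        "faces_patterns": faces_patterns,
        "xhtml_mapped_to_faces": xhtml_mapped_to_faces,
        "xhtml_denied_by_constraint": xhtml_denied,
        # A JSF app whose views are neither served by the FacesServlet nor denied
        # by a constraint hands the raw source to the default servlet.
        "raw_views_exposed": bool(faces_patterns)
        and not (xhtml_mapped_to_faces or xhtml_denied),
    }


# Constructed sample 1: prefix mapping only -> /page.xhtml returns the raw source.
WEB_XML_PREFIX_ONLY = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed sample 2: same prefix mapping plus the deny-all constraint from the thread.
WEB_XML_WITH_CONSTRAINT = WEB_XML_PREFIX_ONLY.replace("</web-app>", """
  <security-constraint>
    <display-name>Restrict direct access to XHTML files</display-name>
    <web-resource-collection>
      <web-resource-name>XHTML files</web-resource-name>
      <url-pattern>*.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>""")

# Constructed sample 3: FacesServlet mapped to *.xhtml, so no raw view is ever served.
WEB_XML_XHTML_MAPPING = WEB_XML_PREFIX_ONLY.replace("/faces/*", "*.xhtml")

if __name__ == "__main__":
    for name, doc in [("prefix only", WEB_XML_PREFIX_ONLY),
                      ("with constraint", WEB_XML_WITH_CONSTRAINT),
                      ("*.xhtml mapping", WEB_XML_XHTML_MAPPING)]:
        print(name, "->", audit_web_xml(doc))
```

Run it against a real deployment descriptor with `audit_web_xml(open("web.xml").read())`; a `raw_views_exposed` of `True` means the descriptor relies on neither of the two fixes from this thread. The check deliberately only credits an empty `<auth-constraint/>`, since a constraint that merely requires a role still leaves the source readable to any authenticated user.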

@eclipse-faces-bot

@glassfishrobot Commented
@manfredriem said:
Closing resolved issue out

@eclipse-faces-bot

@glassfishrobot Commented
This issue was imported from java.net JIRA JAVASERVERFACES_SPEC_PUBLIC-1015
