Home/ Questions/Q 8947461
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-15T12:46:02+00:00

I am using JSF2.1 and Glassfish 3.1.2. I specify a security constraint to block

  • 0

I am using JSF2.1 and Glassfish 3.1.2.

I specify a security constraint to block everything:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secured Content</web-resource-name>
        <!-- Block all -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>

    <!-- only users with at least one of these roles are allowed to access the secured content -->
    <auth-constraint>
        <role-name>ADMINISTRATOR</role-name>
    </auth-constraint>
</security-constraint>

and have another to allow access a subset of pages and the resources:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Open Content</web-resource-name>
        <!-- Allow subscribe -->
        <url-pattern>/subscribe/*</url-pattern>
        <url-pattern>/javax.faces.resource/*</url-pattern>
    </web-resource-collection>
    <!-- No Auth Contraint! -->
</security-constraint>

This works fine. However, is the following 

<url-pattern>/javax.faces.resource/*</url-pattern>

the correct way to allow all resources?

I only did this by looking at the url that Facelets injects into the xhtml. Is there security holes with this approach?

Thanks.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    It has to be the value of ResourceHandler#RESOURCE_IDENTIFIER constant. See also its javadoc:

    RESOURCE_IDENTIFIER

    public static final java.lang.String RESOURCE_IDENTIFIER

    Resource#getRequestPath returns the value of this constant as the prefix of the URI. handleResourceRequest(javax.faces.context.FacesContext) looks for the value of this constant within the request URI to determine if the request is a resource request or a view request.

    See Also:

    Constant Field Values

    The constant field values says the following:

    public static final java.lang.String    RESOURCE_IDENTIFIER    "/javax.faces.resource"

    So, you’re absolutely correct as to the URL pattern. There are no security holes, provided that you don’t put sensitive information in /resources folder of the public webcontent which is handled by the JSF resource handler.

    • 0