On 3/22/06, Dave Newton <[EMAIL PROTECTED]> wrote:
>
> Craig McClanahan wrote:
> > JSF (and therefore Shale) do not like serving pages from underneath
> > /WEB-INF, if you are concerned about protecting direct access to them, a
> > different strategy will be needed.
> >
>
> Just out of curiosity, why is that, as hiding stuff under WEB-INF has
> been a fairly well-used strategy for some time.
Two issues:
* The strategy has always been a hack, relying on the inconsistency that
/WEB-INF prohibitions are applied on the initial request, but not
on RequestDispatcher.forward(). The more "correct" method to do this
has always been to declare a security constraint but not define any
roles that are allowed in ... the Tomcat example apps show you how
to do this (or at least they used to), without having to muck around with
the directory organization of your app.
* In a JSF-based application, the URLs that forms are submitted to are
based on the location of the page ... they would look something like:
/contextPath/WEB-INF/pages/mypage.jsf
if you are using *.jsf mapping for FacesServlet. This gets intercepted
by FacesServlet, and (if the same page is redisplayed) results in a
forward to "/WEB-INF/pages/mypage.jsp" to do the actual rendering.
Because of the inconsistency mentioned above, the second step would
actually work, but the first won't. It would have the effect of
prohibiting all submits for your forms.
> Dave
Craig
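
The "security constraint with no roles" approach from Craig's first point, written out as a web.xml fragment. This is an added example, not code from the thread or from the Tomcat sample apps it mentions; the /pages/ directory, the mypage names and the *.jsf mapping are assumptions for illustration.

```xml
<!-- Added example (not from the original thread): keep the JSP views outside
     /WEB-INF, then deny every direct client request for *.jsp while still
     letting FacesServlet forward to them. Paths and names are illustrative. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <!-- Browsers and form posts use /contextPath/pages/mypage.jsf ... -->
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.jsf</url-pattern>
  </servlet-mapping>

  <!-- ... and the view itself lives at /pages/mypage.jsp, not under /WEB-INF.
       An empty <auth-constraint/> names no roles, so no client request that
       matches *.jsp can ever be authorized; the container rejects it (403 on
       Tomcat). RequestDispatcher.forward() from FacesServlet to the .jsp is
       not a client request, so the constraint is not applied there and the
       page still renders. Leaving <auth-constraint> out entirely means the
       opposite (everyone allowed), so the empty element matters. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSF view templates</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <!-- no <http-method> elements: the constraint covers every method -->
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

</web-app>
```

To check it, request both URLs directly: GET /contextPath/pages/mypage.jsf should render, and GET /contextPath/pages/mypage.jsp should be refused. Keep the url-pattern on the JSP extension rather than on a directory prefix such as /pages/*: a prefix pattern would also match the *.jsf request URLs that forms post to, and you would recreate exactly the blocked-submit problem Craig describes in his second point.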