I'm new to Icefaces and Facelets both, but I'm using them on a new project. I've got everything working configured and working fine. However, when I visit mywebapp/file.xhtml, the entire facelets template source comes up in my browser. How could I hide this to prevent users from viewing my server-side templates?
Asked
Active
Viewed 2,397 times
2 Answers
4
Put all templates into WEB-INF/someDirectory/templates.
Then according to the facelets documentation put this inside your web.xml for all other xhtml files:
<security-constraint>
<display-name>Restrict XHTML Documents</display-name>
<web-resource-collection>
<web-resource-name>XHTML</web-resource-name>
<url-pattern>*.xhtml</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>Only Let 'developer's access XHTML pages</description>
<role-name>someone</role-name>
</auth-constraint>
</security-constraint>
Steel Plume
- 2,260
- 3
- 26
- 35
1
In the web.xml should be an entry which let you configure the behaviour of xhtml templates (show/hide..)
If you move the .jsp files to the WEB-INF folder (you have to reconfigure the jsp path for JSF), you can't access them by URL. Every J2EE-Server/Webcontainer I know act this way.
Another way is an self written servlet filter etc.
But, why do you want to hide your templates?
Martin K.
- 4,669
- 7
- 35
- 49
-
I'm surprised templates aren't hidden by default. Templates expose internals of your application and leaking them can be a security hazard. – Haakon Feb 19 '11 at 22:12
-
Instead of asking why hide the templates I'd ask why expose them? Why should we show our website's template layout to the world? – arg20 Mar 11 '13 at 12:24