I am new to JSF and writing first simply jsf web app.
URL with .jsf are mapping to .xhtml files in WebContent but why I can open .xhtml in web browser with all jsf tags. How to protect this?
You could add a security constraint to your web.xml blocking all requests to *.xhtml.
<security-constraint>
<display-name>Restrict raw XHTML Documents</display-name>
<web-resource-collection>
<web-resource-name>XHTML</web-resource-name>
<url-pattern>*.xhtml</url-pattern>
</web-resource-collection>
<auth-constraint />
</security-constraint>
Apart from defining a <security-constraint> to block direct access to .xhtml files as correctly answered by Stacker on this question, you could also just change the <url-pattern> of the FacesServlet mapping from *.jsf to *.xhtml.
<servlet>
<servlet-name>facesServlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>facesServlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
In JSF 1.x this used to end up in an infinite loop, but in JSF 2.x not anymore. So you could just call/link all pages as .xhtml without fiddling with different extensions. The only disadvantage is that you won't be able to display a "plain" XHTML file without invoking the FacesServlet, but such a page should be named .html anyway :)
On GAE you need two things:
edit web.xml as described above
add in appengine-web.xml
<static-files>
<exclude path="/**.xhtml" />
</static-files>`
You can use a servlet filter
#WebFilter(filterName = "XhtmlFilter", urlPatterns = { "*.xhtml" })
public class XhtmlFilter implements Filter {
#Override
public void init(FilterConfig filterConfig) throws ServletException {
}
#Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
((HttpServletResponse) response).sendError(404);
chain.doFilter(request, response);
}
#Override
public void destroy() {
}
}
as far as i experienced it, the answer of mk761203 is definitely helpful when setting up a project for google app engine and server faces. without the exclusion of this files, the GAE automatically interpets the files with the .xhtml extension as static files which get served by dedicated servers from googles server farm. read more here: https://developers.google.com/appengine/docs/java/config/appconfig#Static_Files_and_Resource_Files
Related
we know how to set url pattern for servlet but I am unable to set url pattern for html in web.xml, can u help me to find solution, I googled but, can't able to get it, please find below for my problem.
<servlet>
<servlet-name>Login</servlet-name>
<servlet-class>auth.Login</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Login</servlet-name>
<url-pattern>/login</url-pattern>
</servlet-mapping>
in above code I am setting url pattern for **Login** servlet class in web.xml, like wise can I able to set url pattern for html file in web.xml
pls help to find solution thank you in advance
If you want to protect *.html files from direct access (by placing *.html files under WEB-INF) you can use a Servlet which would be only responsible for forwarding all such requests to intended html files.
<servlet>
<servlet-name>HTMLServlet</servlet-name>
<servlet-class>my.package.HTMLServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>HTMLServlet</servlet-name>
<url-pattern>/somepath/*.html</url-pattern>
</servlet-mapping>
Code in servlet class may look like this
...
protected void doGet(HttpServletRequest request,
HttpServletResponse response)
throws ServletException, IOException {
String requestedPath = //... code for getting requested HTML path
request.getRequestDispatcher(requestedPath).forward(request, response);
}
...
If you don't mind to change your HTML page to JSP you can set url pattern for it like this:
<servlet>
<servlet-name>Error</servlet-name>
<jsp-file>/pages/error.jsp</jsp-file>
</servlet>
<servlet-mapping>
<servlet-name>Error</servlet-name>
<url-pattern>/error</url-pattern>
</servlet-mapping>
URL pattern are for servlet and filters.
For servlet
<servlet-mapping>
<servlet-name>Servlet-name</servlet-name>
<url-pattern>/< Pattern ></url-pattern>
</servlet-mapping>
For Filter
<filter-mapping>
<filter-name>Filter-Name</filter-name>
<url-pattern>/< Pattern ></url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
Those are not for Html file.
Infact there are no pattern configuration for JSPs too.
I am using Jetty. My default servlet is making a simple forward to an HTML file in my WEB-INF folder that is causing a java.lang.StackOverFlowError error. The error is fixed if I rename the file I am forwarding from a .html to .jsp
DefaultServlet.java
public class DefaultServlet extends HttpServlet{
#Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException{
req.getRequestDispatcher("WEB-INF/home.html").forward(req, resp);
}
}
web.xml
<web-app>
<display-name>Archetype Created Web Application</display-name>
<servlet>
<servlet-name>Default</servlet-name>
<servlet-class>DefaultServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Default</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
</web-app>
My guess is that instead of inserting the html content in the response body, the forward is sending the browser a redirect to /WEB-INF/home.html. This again calls the DefaultServlet and gets into an infinity loop. How can I prevent this?
Thanks.
The "default servlet", which is mapped on a special URL pattern of /, is a very special servlet which is invoked when there's a request which does not match any of the servlets mapped on a more specific URL pattern such as *.jsp, /foo/*, etc.
When you forward to home.html, for which apparently no one servlet is registered, then the default servlet is invoked once again. However, the default servlet is ignorantly forwarding to the very same HTML file once again instead of actually serving the requested HTML file. It'll on the forward still find no one servlet matching the forward URL and it'll still invoke the default servlet once again. And again. Etc. When this is performed so many times that the stack cannot keep track anymore of all those in sequence invoked doGet() methods (usually around 1000), then you'll get a StackOverflowError.
That it works with a JSP file has actually a very simple reason: there's already a JspServlet registered on an URL pattern of *.jsp. So the badly designed default servlet isn't invoked.
Your default servlet should instead be obtaining the HTML file's contents via ServletContext#getResourceAsStream() and write it to the HttpServletResponse#getOutputStream().
However, it's also quite possible that you completely misunderstood the whole meaning of "default servlet" and/or the special meaning of the URL pattern / and actually merely want a servlet acting as home page. In that case, you should be mapping the servlet on a more specific URL pattern (and please rename the currently obviously quite confusing class name DefaultServlet to something else):
<servlet>
<servlet-name>home</servlet-name>
<servlet-class>com.example.HomeServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>home</servlet-name>
<url-pattern>/home</url-pattern>
</servlet-mapping>
And then register exactly that URL as welcome file:
<welcome-file-list>
<welcome-file>home</welcome-file>
</welcome-file-list>
You need kind of exclude urls ends with "html".
See for example this link explaining similar problem solution Can I exclude some concrete urls from <url-pattern> inside <filter-mapping>?
I have both .htm and .xml URLs that I want to be resolved as .jsp files in my WEB-INF folder. How do I specify that I want the same servlet to handle both *.htm and *.xml URLs?
Adding multiple url-pattern tags in the same mapping works for me using Spring 3.0
<servlet-mapping>
<servlet-name>dispatcherServlet</servlet-name>
<url-pattern>/<url-pattern>
<url-pattern>*.htm</url-pattern>
<url-pattern>*.html</url-pattern>
<url-pattern>*.xml</url-pattern>
</servlet-mapping>
In regards to making your controllers resolve them to the view objects (.jsp) that you desire you can do so using controllers that extend a controller class and follow a specific naming convention or you can use annotation driven controllers. Below is an example of annotation driven controller.
#Controller
public class Controller {
#RequestMapping(value={"/","/index","/index.htm","index.html"})
public ModelAndView indexHtml() {
// RETURN VIEW (JSP) FOR HTM FILE
}
#RequestMapping(value="/index.xml")
public ModelAndView indexXML() {
// RETURN VIEW (JSP) FOR XML FILE
}
}
Yes, you can very well do that.
<servlet-mapping>
<servlet-name>dispatcherServlet</servlet-name>
<url-pattern>*.htm</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>dispatcherServlet</servlet-name>
<url-pattern>*.xml</url-pattern>
</servlet-mapping>
I assume you are talking about the <servlet-mapping> element in your "web.xml" file.
The answer is that you can (sort of) by using two <servlet-mapping> elements with different patterns for the same <servlet> element.
Note that is a feature of the Java EE Servlet specification. The associated request dispatching happens before Spring gets a look at the requests.
I've read several docs and I don't get it: I know I'm doing something wrong but I don't understand what. I've got a website that is entirely dynamically generated: there's hardly any static content at all.
So, trying to understand JSP/Servlet, I've written my own "front controller" intercepting every single query, it looks like this:
<servlet-mapping>
<servlet-name>defaultservlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
Basically I want any user request, like:
example.org
example.org/bar
example.org/foo.html
to all go through a default servlet which I've written.
The servlet then examines the URI and find to which .jsp the request must be dispatched, and then does, after having set all the attributes correctly, a:
RequestDispatcher dispatcher = getServletContext().getRequestDispatcher("/WEB-INF/jsp/index.jsp");
dispatcher.forward(req, resp);
When I'm using a url-pattern (in web.xml) like, say, *.html, everything works fine. But when I change it to /* (to really intercept everything), I enter an endless loop and it ends up with a... StackOverflow :)
When the request is dispatched, is the URI ".../WEB-INF/jsp/index.jsp" itself matched by the web.xml filter /* that I set?
EDIT apparently, no, because this is an exact mapping to index.jsp and hence it bypasses the web.xml url-pattern. So I still don't get how I can enter that endless loop.
How should I do if I want to intercept everything using a /* url-pattern and yet be able to dispatch/forward/?
I'm not asking about specs/Javadocs here: I'm really confused about the bigger picture and I'd need some explanation as to what could be going on.
Am I not supposed to intercept really everything?
If I can intercept everything, what should I be aware of regarding forwarding/dispatching?
Unfortunately, Serlvet spec doesn't allow to create a servlet mapping to match only incoming request, not forwards. However, this can be done for filter mappings (and by default filter mappings match only incoming requests).
So, the typical solution for intercepting everything with a single servlet is to use a UrlRewriteFilter:
<filter>
<filter-name>urlRewrite</filter-name>
<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>urlRewrite</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>application</servlet-name>
<servlet-class>...</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>application</servlet-name>
<url-pattern>/app/*</url-pattern>
</servlet-mapping>
/WEB-INF/urlrewrite.xml:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE urlrewrite
PUBLIC "-//tuckey.org//DTD UrlRewrite 3.0//EN"
"http://tuckey.org/res/dtds/urlrewrite3.0.dtd">
<urlrewrite default-match-type="wildcard">
<rule>
<from>/**</from>
<to>/app/$1</to>
</rule>
<outbound-rule>
<from>/app/**</from>
<to>/$1</to>
</outbound-rule>
</urlrewrite>
This way also allows you to specify exceptions from /* mapping for static files.
Try using struts in which front controller pattern is inbuilt. There you will have a action class and you can define forwards in struts-config file using which you can easily manage the forwards.
Go through the tutorial http://www.roseindia.net/struts/struts2/index.shtml. Hope this helps you.
I am fairly new to Servlet Filters and have basically joined a project using them and added an additional filter to the web.xml file (deployed on Tomcat 5.5).
I am 95% sure that at some point it was working correctly but now when debugging if I put breakpoints at the top of the JSP page I am trying to view (login.jsp), it's template page (page.jsp) and within both of the configured filter's doFilter() method; it runs through the whole of the login.jsp page (top to bottom), then page.jsp and the starts processing the filters.
I need it to run the filters first, since one of them determines the language the page should be displayed in (checking cookies, db settings and browser settings) which should then apply to the login.jsp.
Has anyone got any suggestions as to what might be going wrong?
There is a lot of code I could be posting but am not convinced that would be of any use since it's all working just in the wrong order.
Snippets from the web.xml:
<web-app>
...
<filter>
<filter-name>SetSecurityContextFilter</filter-name>
<filter-class>
com.section2.SecurityContextServletFilter
</filter-class>
</filter>
<filter>
<filter-name>SetLocaleFilter</filter-name>
<filter-class>
com.section2.locale.LocaleServletFilter
</filter-class>
</filter>
<filter>
<filter-name>trinidad</filter-name>
<filter-class>org.apache.myfaces.trinidad.webapp.TrinidadFilter</filter-class>
</filter>
<filter>
<filter-name>ActiveUserFilter</filter-name>
<filter-class>com.section2.ActiveUserFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>trinidad</filter-name>
<servlet-name>Faces Servlet</servlet-name>
</filter-mapping>
<filter-mapping>
<filter-name>SetSecurityContextFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>SetLocaleFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>ActiveUserFilter</filter-name>
<url-pattern>/pages/section2/user/*</url-pattern>
</filter-mapping>
...
</web-app>
Thanks in advance.
How is the Filter code organized? Are you maybe calling first FilterChain#doFilter() and only thereafter doing the needed logic?
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) {
// Any code here will be executed BEFORE passing request through JSP/Servlet.
chain.doFilter(request, response);
// Any code here will be executed AFTER passing request through JSP/Servlet.
}
Thanks for your replies - I have now understood the issue fully...it only happens for the login.jsp page, none of the other pages. And in my case, the login .jsp page is a special case because it is usually viewed as a result of a redirect.
In the web.xml:
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/login.jsp?error=true</form-error-page>
</form-login-config>
</login-config>
And I presume because of this, the filters are not hit in the usual order! Added a call from the login page to do what the filter does and all is well.
Thanks again.
The reason that the filter's weren't called for login.jsp is that Tomcat's interpretation of the spec is that authentication is part of the container, not part of the webapp, and so occurs outside the role of filters. Hence filters aren't applied to the login page (login.jsp in this case) or j_security_check.
ref: https://issues.apache.org/bugzilla/show_bug.cgi?id=21795 - the title only references j_security_check, but the discussion covers the whole form-based authentication mechanism.
One obvious error is in the trinidad filter mapping. It should not have a servlet-name, but a url-pattern.
I had the same problem when I wrote:
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) {
if(...) {
response.sendRedirect(url);
}
chain.doFilter(request, response);
}
instead
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) {
if(...) {
response.sendRedirect(url);
return;
}
chain.doFilter(request, response);
}