I'm trying to restrict access to JSF pages based on user roles. I saw a lot of examples using a filter, so I'm good there. I tried to put the xhtml files that I need to protect within a "secured" folder under the webapp folder. One of the xhtml files that I need to allow access to for "admin" users is newAuth.xhtml, and I have it inside the "secured" folder. On my menu page, for the link which accesses "newAuth.xhtml", I gave the path including the "secured" folder. So the page comes up with the url "server:port/signer/secured/newAuth.xhtml". Now when I tried to remove the "secured" path from the browser url, it still displays this page. I have the below mapping for FacesServlet in my web.xml.
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
I'm not sure how to protect the page from displaying when the path /secured is removed from the url.
UPDATE:
Leo, maybe I should have explained my problem better in the first place.
I wanted to implement the security filter based on the path in the url. If the url has /secured and if the user is non-admin then I would redirect them to some default page. This was my idea and so I placed all the restricted xhtml files in the secured folder under the webapp folder. For example, newAuth.xhtml is a restricted xhtml page to which only admin should have access. This page was accessible by the below url.
"protocol://server:port/signer/secured/newAuth.xhtml"
Then I tried to remove the /secured from the url, but the same page displays. Somehow the JSF was able to find the xhtml even without the /secured path. This behaviour will go against my security filter logic which will look for /secured in the url path.
Related
I am unable to set a default page that loads in the browser when I start a Java EE project using Tomcat 8.0 from Eclipse.
I am trying to learn JSF, so I followed this tutorial
Everything works fine, but I can only see the created pages when I right click on the login.xhtml or welcome.xhtml file and choose "Run As/Run on Server".
So far, all the other web applications I have created loaded default page when I started the entire project. The default behavior is to load index.html page (or maybe index.jsp if there is some). So I added index.html and index.xhtml pages into my WEB-INF folder in the project, hoping that at least one of them will be shown. However, nothing happens. The browser always shows just the page on localhost:8080/JSFFaceletsTutorial/ URL, but the page is white clean, not even an error message. I think I have been getting error 404 in the process of solving this issue along the way, however, I am no longer able to reproduce this error and I don't remember what caused it.
I found that it's possible to change the default starting page
However, it doesn't work for me either. Regardless if I edit the web.xml file or not, I am getting the same result.
What is even more puzzling is that when I tried to change the web browser ("Window/Web Browser/...") it acted for a while differently in the external web browsers than in the internal Eclipse web browser. The internal one always had a blank page, but the external web browsers once managed to show the index.html page, although it was some outdated version. Even though I made absolutely sure that I edited it, saved the changes, restarted the server... it still showed me the outdated version of the page.
And even in this case, it still ignored the changes made in the web.xml file.
But when I am trying it now, it again shows blank white page in all browsers. I am not aware of any change I made except for editing web.xml file...
My guess is that the problem is in the JSF technology I don't fully grasp yet. It's because when I choose to run the login.xhtml and welcome.xhtml pages using right click "Run As/Run on Server", the URLs of those pages are on localhost:8080 with the paths /JSFFaceletsTutorial/faces/login.xhtml and /JSFFaceletsTutorial/faces/welcome.xhtml. That is weird, because I don't have any directory "faces" in my project.
Typing all possible permutations of:
<welcome-file-list>
<welcome-file>faces/index.html</welcome-file>
<welcome-file>faces/index.xhtm</welcome-file>
</welcome-file-list>
in the web.xml didn't help either. It didn't help when I typed the full address there either.
Here are warnings I am getting in the console (I skipped the INFO log entries):
"Dec 19, 2014 9:39:55 AM org.apache.tomcat.util.digester.SetPropertiesRule begin
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host/Context} Setting property 'source' to 'org.eclipse.jst.jee.server:JSFFaceletsTutorial' did not find a matching property.
...
WARNING: JSF1074: Managed bean named 'loginBean' has already been registered. Replacing existing managed bean class type com.tutorial.LoginBean with com.tutorial.LoginBean.
Dec 19, 2014 9:39:57 AM org.apache.coyote.AbstractProtocol start"
I am not sure this is helpful though.
I am out of ideas now.
First of all, the <welcome-file> does not represent the path to the "default home page". It represents the filename of the physical file contained in the folder which you'd like to serve up as default file when a folder like /, /foo/, /foo/bar/, etc is requested.
So, in JSF 2.x flavor, that would basically be:
<welcome-file-list>
<welcome-file>index.xhtml</welcome-file>
</welcome-file-list>
This way, if the enduser requests / and you have /index.xhtml, then it will be served. Or, if the enduser requests /foo and you have /foo/index.xhtml, then it will be served, etc. If there is no such file, then a 404 error will be returned.
Now, you appear to have mapped your FacesServlet on a prefix <url-pattern> of /faces/*. This is a leftover from JSF 1.0/1.1 ages and really not recommended these days. Perhaps you were reading an outdated tutorial targeted at JSF 1.x, or a poorly maintained tutorial which was originally written for JSF 1.x and then carelessly updated for JSF 2.x instead of rewritten from scratch.
That tutorial also did not seem to have explained some servlet basics to you. Namely, in order to get JSF components in the XHTML page to run and generate some HTML output, the FacesServlet has to be invoked when the XHTML page is being requested. When you request the XHTML page like so /index.xhtml, while the FacesServlet is being mapped on /faces/*, then it won't be invoked. The browser would then retrieve the raw unparsed JSF source code instead of the generated HTML output. You can see it by right-clicking and choosing View Source in the web browser. You should have requested the page like so /faces/index.xhtml so that the FacesServlet can run and produce HTML output which the browser can understand and present.
That only doesn't go well together with welcome files. This totally explains why you get a "clean white" (blank) page when using index.xhtml as welcome file (some inferior webbrowsers like IE would confusingly prompt a download dialog because of missing/wrong content type on the response containing raw XHTML source code). The FacesServlet was simply not being invoked. Just get rid of the old fashioned /faces/* URL pattern and use the JSF 2.x minded *.xhtml URL pattern instead.
<servlet-mapping>
<servlet-name>facesServlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
This way the welcome files should work and you can just open JSF pages by directly requesting its physical URL without hassling with virtual URLs. This was not possible in JSF 1.x because it would let the FacesServlet run in an infinite loop calling itself and cause a stack overflow.
See also:
JSF Facelets: Sometimes I see the URL is .jsf and sometimes .xhtml. Why?
Setting application URL on WAS server, where does /faces/ come from?
What is the difference between creating JSF pages with .jsp or .xhtml or .jsf extension
Why can web.xml welcome-file be located inside WEB-INF
How to use a sub-folder as web.xml welcome directory
As to those warnings, they are unrelated but quite googlable.
I think this will work
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" id="WebApp_ID" version="3.1">
<welcome-file-list>
<welcome-file>/main/login.xhtml</welcome-file>
</welcome-file-list>
<!-- <servlet>
<servlet-name>login</servlet-name>
<servlet-class>com.xyz.servlets.login</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>login</servlet-name>
<url-pattern>/login</url-pattern>
</servlet-mapping> -->
</web-app>
You can set a default page in the web.xml file to have the facesServlet invoked in JSF in 2 ways:
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0">
<servlet>
<servlet-name>facesServlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>facesServlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.xhtml</welcome-file>
</welcome-file-list>
</web-app>
or invoke the facesServlet directly from the welcome file like this:
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0">
<welcome-file-list>
<welcome-file>faces/index.xhtml</welcome-file>
</welcome-file-list>
</web-app>
I hope it helps somebody!
I am trying to include my stylesheets within the <h:head> tag utilising the following JSF tag: <h:outputStylesheet name="stylesheets/bootstrap.min.css" />, however when I load my page I get RES_NOT_FOUND for this specific CSS resource when looking through dev tools in the web browser.
I am trying to call the stylesheet within one of my template files I have created, "default.xhtml". Please refer to the image attached below to see my project directory structure, and where the red arrow indicates where the tag is being utilised.
Within the default.xhtml template, I have defined the <h:head> tags although it appears to still not be working. Is there anything I am missing which is not allowing this to be loaded?
If you require more information, please let me know. I would like to resolve this issue as quickly as possible.
I figured out the issue here.
By default, I believe that the JSF resource handling mechanism does not support mapping a resource directory which resides in the WEB-INF directory. In order to override this default, you need to explicitly define a new <context-param> within the project web.xml file.
The following fragment of code below specifies the directory used for resource lookup in the file system of the web application.
<context-param>
<param-name>javax.faces.WEBAPP_RESOURCES_DIRECTORY</param-name>
<param-value>/WEB-INF/resources</param-value>
</context-param>
I am getting the below error.
FAIL - Application at context path /sampleJSF could not be started
I want to change my welcome file location. I have an index.jsp page at WEB-INF/pages/index.jsp. How can I modify the servlet mapping and welcome file list to achieve this?
Here is my servlet-mapping and welcome-file-list from web.xml.
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>WEB-INF/*</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>WEB-INF/pages/index.jsp</welcome-file>
</welcome-file-list>
It looks like you misunderstood the purpose of both the welcome file setting and the /WEB-INF folder.
The welcome file must represent the name of the file which the server should serve from the current folder when a folder is being requested instead of a file in the URL. E.g. /, /foo/, /bar/, etc. So, when you set it to index.jsp, then it will serve /index.jsp when / is requested, and /foo/index.jsp when /foo/ is requested, etc.
The /WEB-INF folder is for files which shouldn't be independently publicly accessible. For example, include files, template files, error files, tag files, configuration files, etcetera. Mapping the Faces Servlet on /WEB-INF makes no utter sense as the servlet container already restricts direct (public) access to /WEB-INF folder when the enduser purposefully enters the /WEB-INF folder in the URL.
Undo all those changes you made on the sample web application. They make simply no sense. Whatever functional requirement you had in mind for which you incorrectly thought that this is the right solution must be solved differently.
Unrelated to the concrete problem, it looks like you're just getting started with JSF, but do you know that JSP is deprecated since JSF 2.0 in 2009? Are you absolutely positive that you're learning JSF based on the right and up to date resources? I strongly recommend to do so, or you will end up having confusion headache and code disaster. Start at our JSF wiki page.
When I request /personal/faces/public/login.xhtml, then it works fine, but when I request /personal/public/login.xhtml without /faces I obtain the raw source code of the page.
I would like to avoid that people could see the source code of the page. How can I achieve this?
This is happening because you've specified /faces/* in your FacesServlet configuration in the web.xml. As a result, any file requested that does not match the specified url pattern will be served as a regular file with a GET request.
Change that config to the following to ensure all JSF related requests go through the FacesServlet:
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
This ensures all files with .xhtml extension will be processed before returning to the client.
While the above solution may solve the immediate problem, what you're experiencing points to a deeper security issue. It indicates that anyone with a browser can request and download artifacts from your web application deployment and possibly other parts of your filesystem. This is a security hole you will need to look into. The options vary depending on your app server.
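Added example (not code from any of the posts on this page): a small Python audit that reads a web.xml and applies the servlet URL-matching rules to tell which requests bypass the FacesServlet, the condition behind both the blank welcome page and the raw-source leak discussed above. The sample descriptors are constructed, and paths are assumed to be context-relative (the /personal prefix already stripped).

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor using the /faces/* prefix mapping.
PREFIX_MAPPED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
  </servlet-mapping>
</web-app>"""
EXTENSION_MAPPED = PREFIX_MAPPED.replace("/faces/*", "*.xhtml")  # after the fix

def _local(el):
    """Tag name without its XML namespace, so any web-app schema version works."""
    return el.tag.rsplit("}", 1)[-1]

def _children(el, name):
    return [(c.text or "").strip() for c in el if _local(c) == name]

def faces_patterns(web_xml):
    """url-patterns mapped to every servlet whose class is a FacesServlet."""
    root = ET.fromstring(web_xml)
    names = {n for s in root if _local(s) == "servlet"
             and any(c.endswith(".FacesServlet") for c in _children(s, "servlet-class"))
             for n in _children(s, "servlet-name")}
    return [p for m in root if _local(m) == "servlet-mapping"
            and names & set(_children(m, "servlet-name"))
            for p in _children(m, "url-pattern")]

def matches(pattern, path):
    """Servlet-spec matching: exact, path prefix (/x/*), extension (*.ext), default (/)."""
    if pattern in (path, "/"):
        return True
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return False

def served_raw(web_xml, path):
    """True if `path` never reaches the FacesServlet and is served as a static file."""
    return not any(matches(p, path) for p in faces_patterns(web_xml))

if __name__ == "__main__":
    for xml in (PREFIX_MAPPED, EXTENSION_MAPPED):
        print(faces_patterns(xml), served_raw(xml, "/public/login.xhtml"))
```

Running the same check over every .xhtml file outside /WEB-INF in a deployed WAR gives a list of pages whose source is retrievable without the /faces prefix.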
I am developing a JSF application, and my application is already in the production environment. But there is something I want to know: if my domain name is "mydomain.com" and in my application the home page is "home.jsf", I would like my application to display the home page directly when I visit www.mydomain.com
But what is happening now is that to get my home page to display, I must write www.mydomain.com/home.jsf. This seems to me very tedious.
Does anyone know a way to do this?
Just mention the welcome file in your web.xml as follows:
<welcome-file-list>
<welcome-file>home.jsf</welcome-file>
</welcome-file-list>
As far as JSF is concerned, adding a simple welcome file won't produce a good result. In addition to the home.xhtml file, create an empty home.jsf file. The server will not run the empty file (home.jsf), whereas it will proceed with home.xhtml. Then declare the welcome file in web.xml. For more, have a look at this answer: https://stackoverflow.com/a/4618142/839393