Which XHTML files do I need to put in /WEB-INF and which not?

庸人自扰 2020-11-22 15:29

After these questions:

  • https://stackoverflow.com/questions/8589315/jsf2-dynamic-template
  • Dynamic ui:include
  • How can I retrieve an object on @
1 answer
  •  时光取名叫无心
    2020-11-22 15:51

    Files in the /WEB-INF folder are indeed not publicly accessible by the end user. So you cannot have something like http://localhost:8080/contextname/WEB-INF/some.xhtml. That would be a potential security hole as the end user would be able to view, among others, /WEB-INF/web.xml and so on.

    You can however use the /WEB-INF folder to put master template files, include files and tag files in. For example, the following template client page.xhtml which is placed outside /WEB-INF and is accessible by http://localhost:8080/contextname/page.xhtml:

    
        
            ...
            
            ...
        
    
    

    The advantage of placing master templates and include files in /WEB-INF is that the end user won't be able to open them directly by entering/guessing their URL in the browser address bar. The normal pages and template clients which are intended to be accessed directly must not be placed in the /WEB-INF folder.

    By the way, the composite component files are in turn also not supposed to be publicly accessible, however they are by specification required to be placed in the /resources folder, which is by default publicly accessible. If you make sure that you access all resources using the therefor provided components so that they are never accessed by /resources in the URL (but instead by /javax.faces.resource), then you can add the following constraint to web.xml to block all public access to the /resources folder:

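    <security-constraint>
        <display-name>Restrict direct access to the /resources folder.</display-name>
        <web-resource-collection>
            <web-resource-name>The /resources folder.</web-resource-name>
            <url-pattern>/resources/*</url-pattern>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>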

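A way to check that a web.xml really blocks /resources/* as the answer describes, written as an added example that is not part of the original answer. The function names and the sample web.xml strings are constructed for illustration, and the check assumes the url-pattern is matched exactly as written.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml fragments (not from the original post).
DENY_ALL = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <display-name>Restrict direct access to the /resources folder.</display-name>
    <web-resource-collection>
      <web-resource-name>The /resources folder.</web-resource-name>
      <url-pattern>/resources/*</url-pattern>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>"""
# Same constraint limited to GET: other HTTP methods stay unconstrained.
GET_ONLY = DENY_ALL.replace(
    "</url-pattern>", "</url-pattern>\n      <http-method>GET</http-method>")
# No auth-constraint: the collection is declared but nothing is denied.
NO_AUTH = DENY_ALL.replace("<auth-constraint />", "")


def local(tag):
    """Strip the XML namespace so the check works for any web.xml version."""
    return tag.rsplit("}", 1)[-1]


def children(elem, name):
    """Direct children of elem with the given namespace-free tag name."""
    return [c for c in elem if local(c.tag) == name]


def audit_pattern(web_xml, pattern="/resources/*"):
    """Return 'deny-all', or the reason `pattern` is not fully blocked."""
    root = ET.fromstring(web_xml)
    reasons = []
    for sc in children(root, "security-constraint"):
        for wrc in children(sc, "web-resource-collection"):
            found = [(p.text or "").strip() for p in children(wrc, "url-pattern")]
            if pattern not in found:
                continue
            auth = children(sc, "auth-constraint")
            if not auth:
                reasons.append("no auth-constraint")
            elif any(children(a, "role-name") for a in auth):
                reasons.append("roles are allowed")
            elif children(wrc, "http-method") or children(wrc, "http-method-omission"):
                reasons.append("only some HTTP methods covered")
            else:
                return "deny-all"  # empty auth-constraint, all methods
    return reasons[0] if reasons else "no constraint for pattern"
```

An empty auth-constraint denies everyone, while a missing one denies no one, so the two cases are reported separately.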