On 19/04/07 11:17, Zohner, Michael wrote:
> How to do that ?
>   
Obviously by having a more appropriate <url-pattern/> in your
<web-resource-collection/>.
> It would also be OK to protect the whole directory (so that it is
> independent of which suffix the pages have).
>
> But how can I get this working?
>
> -----Original Message-----
> From: David Delbecq [mailto:[EMAIL PROTECTED] 
> Sent: 19 April 2007 11:17
> To: MyFaces Discussion
> Subject: Re: Security - protect JSF pages (.xhtml) via security in web.xml -> 
> DOES NOT WORK ? -> THE WEB.XML !
>
> your security constraint's url pattern
>  <url-pattern>/rule/ruleList.xhtml</url-pattern>
>
> only prevents unauthorized users from pointing their browser at
> http://server/yourWebapp/rule/ruleList.xhtml
>
> It does not prevent them from pointing browser to 
> http://server/yourWebapp/rule/ruleList.faces or 
> http://server/yourWebapp/rule/ruleList.jsf
>
> you probably want to have url pattern for .faces and .jsf instead of .xhtml
>
>
> On 19/04/07 10:52, Zohner, Michael wrote:
>   
>> Hi,
>>
>> I don't know if I really understood Martin's proposal.
>>
>> We have to use the security constraint, I think.
>>
>> Here is the web.xml:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>>
>> <web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
>>  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
>> http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
>>  <description>Data Staging area for Static data</description>  
>> <display-name>App</display-name>
>>
>>  <filter>
>>   <display-name>Ajax4jsf Filter</display-name>
>>   <filter-name>ajax4jsf</filter-name>
>>   <filter-class>org.ajax4jsf.FastFilter</filter-class>
>>  </filter>
>>
>>  <!-- Tomahawk stuff -->
>>  <filter>
>>   <filter-name>extensionsFilter</filter-name>
>>   <!-- Old: org.apache.myfaces.component.html.util.ExtensionsFilter -->
>>   <filter-class>org.apache.myfaces.webapp.filter.ExtensionsFilter</filter-class>
>>   <init-param>
>>    <description></description>
>>    <param-name>maxFileSize</param-name>
>>    <param-value>2m</param-value>
>>   </init-param>
>>   <init-param>
>>    <param-name>uploadThresholdSize</param-name>
>>    <param-value>100k</param-value>
>>   </init-param>
>>  </filter>
>>
>>
>>  <filter-mapping>
>>   <filter-name>ajax4jsf</filter-name>
>>   <servlet-name>faces</servlet-name>
>>   <dispatcher>REQUEST</dispatcher>
>>   <dispatcher>FORWARD</dispatcher>
>>   <dispatcher>INCLUDE</dispatcher>
>>  </filter-mapping>
>>  <filter-mapping>
>>   <filter-name>extensionsFilter</filter-name>
>>   <servlet-name>faces</servlet-name>
>>  </filter-mapping>
>>  <filter-mapping>
>>   <filter-name>extensionsFilter</filter-name>
>>   <url-pattern>/faces/myFacesExtensionResource/*</url-pattern>
>>  </filter-mapping>
>>
>>  <context-param>
>>     <description></description>
>>     <param-name>javax.faces.CONFIG_FILES</param-name>
>>     <param-value>
>>         /WEB-INF/faces-beans.xml,/WEB-INF/faces-nav.xml
>>     </param-value>
>>  </context-param>
>>
>>  <context-param>
>>   <description></description>
>>   <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
>>   <param-value>server</param-value>
>>  </context-param>
>>
>>  <!-- IMPORTANT for ajax4jsf -->
>>  <context-param>
>>   <param-name>org.ajax4jsf.VIEW_HANDLERS</param-name>
>>   <param-value>com.sun.facelets.FaceletViewHandler</param-value>
>>  </context-param>
>>
>>   <!-- Use Documents Saved as *.xhtml -->
>>  <context-param>
>>   <param-name>javax.faces.DEFAULT_SUFFIX</param-name>
>>   <param-value>.xhtml</param-value>
>>  </context-param>
>>
>>   <context-param>
>>   <param-name>facelets.REFRESH_PERIOD</param-name>
>>   <param-value>2</param-value>
>>  </context-param>
>>
>>  <context-param>
>>   <param-name>facelets.DEVELOPMENT</param-name>
>>   <param-value>true</param-value>
>>  </context-param>
>>
>>  <context-param>
>>     <param-name>com.sun.faces.validateXml</param-name>
>>     <param-value>true</param-value>
>>  </context-param>
>>
>>  <context-param>
>>     <param-name>com.sun.faces.verifyObjects</param-name>
>>     <param-value>true</param-value>
>>  </context-param>
>>
>>  <context-param>
>>     <param-name>org.ajax4jsf.SKIN</param-name>
>>     <param-value>dkib</param-value>
>>  </context-param>
>>
>>  <context-param>
>>   <param-name>facelets.LIBRARIES</param-name>
>>   <param-value>
>>      /WEB-INF/taglib/tomahawk.taglib.xml;/WEB-INF/taglib/facestrace.taglib.xml
>>   </param-value>
>>  </context-param>
>>
>>  <context-param>
>>   <description></description>
>>   <param-name>org.apache.myfaces.ALLOW_JAVASCRIPT</param-name>
>>   <param-value>true</param-value>
>>  </context-param>
>>
>>  <context-param>
>>   <param-name>org.apache.myfaces.DETECT_JAVASCRIPT</param-name>
>>   <param-value>false</param-value>
>>  </context-param>
>>
>>  <context-param>
>>   <description></description>
>>   <param-name>org.apache.myfaces.PRETTY_HTML</param-name>
>>   <param-value>true</param-value>
>>  </context-param>
>>
>>  <context-param>
>>   <description></description>
>>   <param-name>org.apache.myfaces.AUTO_SCROLL</param-name>
>>   <param-value>true</param-value>
>>  </context-param>
>>
>>  <context-param>
>>   <param-name>org.apache.myfaces.COMPRESS_STATE_IN_SESSION</param-name>
>>   <param-value>false</param-value>
>>  </context-param>
>>
>>  <context-param>
>>   <param-name>org.apache.myfaces.CHECK_EXTENSIONS_FILTER</param-name>
>>   <param-value>false</param-value>
>>  </context-param>
>>
>>
>>     <servlet>
>>         <servlet-name>faces</servlet-name>
>>         <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
>>         <load-on-startup>1</load-on-startup>
>>     </servlet>
>>
>>      <servlet>
>>              <servlet-name>jsp</servlet-name>
>>              <servlet-class>
>>                      org.apache.jasper.servlet.JspServlet
>>              </servlet-class>
>>              <init-param>
>>                      <param-name>keepgenerated</param-name>
>>                      <param-value>true</param-value>
>>              </init-param>
>>              <init-param>
>>                      <param-name>logVerbosityLevel</param-name>
>>                      <param-value>FATAL</param-value>
>>              </init-param>
>>              <init-param>
>>                      <param-name>classdebuginfo</param-name>
>>                      <param-value>true</param-value>
>>              </init-param>
>>              <init-param>
>>                      <param-name>enablePooling</param-name>
>>                      <param-value>false</param-value>
>>              </init-param>
>>              <load-on-startup>0</load-on-startup>
>>      </servlet>
>>
>>  <servlet>
>>   <servlet-name>JspRedirector</servlet-name>
>>   <jsp-file>/test/jspRedirector.jsp</jsp-file>
>>  </servlet>
>>
>>  <!-- Faces Servlet Mapping extension mapping -->
>>  <servlet-mapping>
>>   <servlet-name>faces</servlet-name>
>>   <url-pattern>*.jsf</url-pattern>
>>  </servlet-mapping>
>>
>>  <servlet-mapping>
>>   <servlet-name>faces</servlet-name>
>>   <url-pattern>*.faces</url-pattern>
>>  </servlet-mapping>
>>
>>  <servlet-mapping>
>>   <servlet-name>JspRedirector</servlet-name>
>>   <url-pattern>/JspRedirector</url-pattern>
>>  </servlet-mapping>
>>
>>  <servlet-mapping>
>>   <servlet-name>jsp</servlet-name>
>>   <url-pattern>*.jsp</url-pattern>
>>  </servlet-mapping>
>>
>>  <servlet-mapping>
>>   <servlet-name>jsp</servlet-name>
>>   <url-pattern>*.jspf</url-pattern>
>>  </servlet-mapping>
>>
>>  <session-config>
>>   <session-timeout>600</session-timeout>
>>  </session-config>
>>
>>  <!-- Welcome files -->
>>  <welcome-file-list>
>>   <welcome-file>index.html</welcome-file>
>>   <welcome-file>index.jsp</welcome-file>
>>   <welcome-file>/jsf/index.jsf</welcome-file>
>>  </welcome-file-list>
>>  <error-page>
>>   <error-code>401</error-code>
>>   <location>/Http401Unauthorized</location>
>>  </error-page>
>>  <error-page>
>>   <exception-type>java.lang.Throwable</exception-type>
>>   <location>/ErrorCtrl</location>
>>  </error-page>
>>  
>>  <jsp-config>
>>   <taglib>
>>    <taglib-uri>jstl-sql-rt.tld</taglib-uri>
>>    <taglib-location>/WEB-INF/taglib/jstl-sql-rt.tld</taglib-location>
>>   </taglib>
>>   <taglib>
>>    <taglib-uri>jstl-fmt.tld</taglib-uri>
>>    <taglib-location>/WEB-INF/taglib/jstl-fmt.tld</taglib-location>
>>   </taglib>
>>   <taglib>
>>    <taglib-uri>jstl-core.tld</taglib-uri>
>>    <taglib-location>/WEB-INF/taglib/jstl-core.tld</taglib-location>
>>   </taglib>
>>  </jsp-config>
>>
>>  <security-constraint>
>>   <web-resource-collection>
>>    <web-resource-name>SSL Scheduler Pages</web-resource-name>
>>    <description />
>>    <url-pattern>/scheduler/schedulerManager.xhtml</url-pattern>
>>    <http-method>GET</http-method>
>>    <http-method>PUT</http-method>
>>    <http-method>POST</http-method>
>>   </web-resource-collection>
>>     <auth-constraint>
>>      <description />
>>      <role-name>RDSstaticdatadeveloper</role-name>
>>     </auth-constraint>
>>      <user-data-constraint>
>>       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>      </user-data-constraint>
>>  </security-constraint>
>>
>>  <security-constraint>
>>   <web-resource-collection>
>>    <web-resource-name>SSL Rule Pages</web-resource-name>
>>    <description />
>>    <url-pattern>/rule/ruleList.xhtml</url-pattern>
>>    <http-method>GET</http-method>
>>    <http-method>PUT</http-method>
>>    <http-method>POST</http-method>
>>   </web-resource-collection>
>>     <auth-constraint>
>>      <description />
>>      <role-name>RDSstaticdatarulesrw</role-name>
>>     </auth-constraint>
>>      <user-data-constraint>
>>       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>      </user-data-constraint>
>>  </security-constraint>
>>
>>  <login-config>
>>   <auth-method>CLIENT-CERT</auth-method>
>>   <realm-name>gds</realm-name>
>>  </login-config>
>>
>>  <security-role>
>>   <description>developer role - access to developer areas</description>
>>   <role-name>RDSstaticdatadeveloper</role-name>
>>  </security-role>
>>
>>  <security-role>
>>   <description>users who have permission to maintain the rule
>> definitions</description>
>>   <role-name>RDSstaticdatarulesrw</role-name>
>>  </security-role>
>>
>> </web-app>
>>
>> Thanks a lot ! 
>>
>> -----Original Message-----
>> From: David Delbecq [mailto:[EMAIL PROTECTED]
>> Sent: 19 April 2007 10:49
>> To: MyFaces Discussion
>> Subject: Re: Security - protect JSF pages (.xhtml) via security in web.xml 
>> -> DOES NOT WORK ?
>>
>> One of those
>> <url-pattern>/rule/ruleList.faces</url-pattern>
>> <url-pattern>/faces/rule/ruleList.xhtml</url-pattern>
>> <url-pattern>/faces/rule/*</url-pattern>
>> will most probably work better, depending on how you mapped your 
>> facelets context. If not, please provide full web.xml so we can see 
>> where problem is :)
>>
>> PS: security constraints apply to the URL submitted by the browser, not to internal
>> forwards that may appear as a result of a JSF navigation rule.
>>
>>
>> On 19/04/07 10:14, Zohner, Michael wrote:
>>   
>>     
>>> Sorry, there was a small mistake:
>>>
>>> WRONG:
>>> So, when I become an "RDSstaticdatarulesrw" user, I can see the page.
>>> It has no effect.
>>>
>>> RIGHT:
>>> So, when I become ANOTHER USER than "RDSstaticdatarulesrw" user, I 
>>> can see the page.
>>> So, all that has no effect.
>>>
>>>
>>> Regards
>>> Michael
>>>
>>>
>>> -----Original Message-----
>>> From: Zohner, Michael
>>> Sent: 19 April 2007 10:10
>>> To: MyFaces Discussion
>>> Subject: Security - protect JSF pages (.xhtml) via security in 
>>> web.xml
>>> -> DOES NOT WORK ?
>>>
>>> Hi,
>>>
>>> I am trying to protect several pages in our jsf application (myFaces, 
>>> facelets, richfaces).
>>>
>>> We have a security server where our users have specific roles.
>>>
>>> It's an https application.
>>>
>>> This is in my web.xml:
>>>
>>>  <security-constraint>
>>>   <web-resource-collection>
>>>    <web-resource-name>SSL Rule Pages</web-resource-name>
>>>    <description />
>>>    <url-pattern>/rule/ruleList.xhtml</url-pattern>
>>>    <http-method>GET</http-method>
>>>    <http-method>PUT</http-method>
>>>    <http-method>POST</http-method>
>>>   </web-resource-collection>
>>>     <auth-constraint>
>>>      <description />
>>>      <role-name>RDSstaticdatarulesrw</role-name>
>>>     </auth-constraint>
>>>     <user-data-constraint>
>>>      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>>     </user-data-constraint>
>>>  </security-constraint>
>>>
>>> So, when I become an "RDSstaticdatarulesrw" user, I can see the page.
>>> It has no effect.
>>>
>>> When I write <url-pattern>/rule/*</url-pattern> instead of
>>> <url-pattern>/rule/ruleList.xhtml</url-pattern>, I cannot see ANY pages.
>>> Not even the pages which are NOT in the directory "rule".
>>>
>>> So, HOW can I get this working ?
>>>
>>> The best would be to protect whole dirs and single pages.
>>>
>>> Best regards
>>> Michael
>>>
>>>
>>> ________________
>>> Dresdner Bank AG
>>> Sitz/Registered Office: Frankfurt am Main, Handelsregister/Commercial
>>> Register: Amtsgericht/Local Court, Frankfurt am Main, HRB 14000 
>>> Vorsitzender des Aufsichtsrats/Chairman of the Supervisory Board:
>>> Michael Diekmann Vorstand/Board of Managing Directors: Herbert Walter 
>>> (Vorsitzender/Chairman), Andreas Georgi, Stefan Jentzsch, Wulf Meier, 
>>> Andree Moschner, Klaus Rosenfeld, Otto Steinmetz, Friedrich Woebking
>>>
>>> This e-mail is confidential and the information contained in it may 
>>> be privileged.  It should not be read, copied or used by anyone other 
>>> than the intended recipient.  If you have received it in error, 
>>> please contact the sender immediately by telephoning +44 (0)20 7623 
>>> 8000 or by return email, and delete the e-mail and do not disclose 
>>> its contents to any person.  We believe, but do not warrant, that 
>>> this e-mail and any attachments are virus free, but you must take 
>>> full responsibility for virus checking.  Please refer to 
>>> http://www.dresdnerkleinwort.com/disc/email/ and read our e-mail 
>>> disclaimer statement and monitoring policy.
>>> ________________
>>>
>
>

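The mistake in the thread is easy to repeat: a <url-pattern> that names the Facelets source file (/rule/ruleList.xhtml) says nothing about the URLs the FacesServlet actually answers for that view, which here are /rule/ruleList.jsf and /rule/ruleList.faces because those are the servlet's mappings. A second, related weakness in the posted constraint is the <http-method> list: under the Servlet spec a collection that enumerates methods constrains only those methods, so HEAD, OPTIONS, DELETE or any other verb reaches the resource without the role check. The script below is an added example, not code from the thread or from MyFaces. It parses a web.xml, derives every alias under which the FacesServlet will render each .xhtml view a constraint names, and reports aliases that no pattern in that constraint covers, plus any enumerated method list. The two embedded web.xml strings are constructed for the example (a reduced copy of the posted one, and a fixed variant that is my suggestion, not David's exact words); the function names are mine.

```python
"""Audit web.xml security-constraints against the FacesServlet mappings.

A constraint naming a view by its source suffix (ruleList.xhtml) does not
cover the request URLs the FacesServlet answers for that view (ruleList.jsf,
ruleList.faces, /faces/rule/ruleList.xhtml, ...). This script lists the
uncovered aliases and flags constraints that enumerate <http-method>, since
every method not listed is left unconstrained.
"""
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/j2ee"}
FACES_SERVLET = "javax.faces.webapp.FacesServlet"

# Constructed sample: the posted web.xml reduced to the FacesServlet
# mappings and one of its two security constraints.
BROKEN_WEB_XML = """<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee">
  <servlet>
    <servlet-name>faces</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  </servlet>
  <servlet-mapping><servlet-name>faces</servlet-name><url-pattern>*.jsf</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>faces</servlet-name><url-pattern>*.faces</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSL Rule Pages</web-resource-name>
      <url-pattern>/rule/ruleList.xhtml</url-pattern>
      <http-method>GET</http-method>
      <http-method>PUT</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>RDSstaticdatarulesrw</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed fix (assumption, not from the thread): name every alias the
# FacesServlet answers, keep the source suffix so the raw template is not
# served as a static file, and drop <http-method> so all methods are covered.
# A single <url-pattern>/rule/*</url-pattern> would cover the directory
# regardless of suffix.
FIXED_WEB_XML = BROKEN_WEB_XML.replace(
    "<url-pattern>/rule/ruleList.xhtml</url-pattern>",
    "<url-pattern>/rule/ruleList.xhtml</url-pattern>"
    "<url-pattern>/rule/ruleList.jsf</url-pattern>"
    "<url-pattern>/rule/ruleList.faces</url-pattern>",
).replace("<http-method>GET</http-method>", "").replace(
    "<http-method>PUT</http-method>", "").replace("<http-method>POST</http-method>", "")


def _text(elem, tag):
    child = elem.find(f"j:{tag}", NS)
    return child.text.strip() if child is not None and child.text else ""


def pattern_matches(pattern, path):
    """URL matching as the Servlet spec defines it for security constraints."""
    if pattern.endswith("/*"):            # path prefix, e.g. /rule/*
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):          # extension, e.g. *.jsf
        return path.endswith(pattern[1:])
    return pattern == path                # exact match


def faces_mappings(root):
    """Return (extensions, prefixes) under which the FacesServlet is reachable."""
    faces_names = {_text(s, "servlet-name") for s in root.findall("j:servlet", NS)
                   if _text(s, "servlet-class") == FACES_SERVLET}
    extensions, prefixes = [], []
    for m in root.findall("j:servlet-mapping", NS):
        if _text(m, "servlet-name") not in faces_names:
            continue
        pat = _text(m, "url-pattern")
        if pat.startswith("*."):
            extensions.append(pat[1:])
        elif pat.endswith("/*"):
            prefixes.append(pat[:-2])
    return extensions, prefixes


def view_aliases(view_path, extensions, prefixes, view_suffix=".xhtml"):
    """Every request URL that makes the FacesServlet render view_path."""
    stem = view_path[:-len(view_suffix)]
    return [stem + ext for ext in extensions] + [p + view_path for p in prefixes]


def audit(web_xml, view_suffix=".xhtml"):
    """Return human-readable findings; an empty list means every alias is covered."""
    root = ET.fromstring(web_xml)
    extensions, prefixes = faces_mappings(root)
    findings = []
    for sc in root.findall("j:security-constraint", NS):
        for wrc in sc.findall("j:web-resource-collection", NS):
            name = _text(wrc, "web-resource-name")
            patterns = [p.text.strip() for p in wrc.findall("j:url-pattern", NS)]
            methods = [m.text.strip() for m in wrc.findall("j:http-method", NS)]
            if methods:  # only the listed verbs are constrained
                findings.append(f"{name}: only {', '.join(methods)} are constrained; "
                                "any other HTTP method reaches the resource unchecked")
            for pat in patterns:
                if not pat.endswith(view_suffix):
                    continue
                for alias in view_aliases(pat, extensions, prefixes, view_suffix):
                    if not any(pattern_matches(p, alias) for p in patterns):
                        findings.append(f"{name}: {alias} renders the same view as "
                                        f"{pat} but is not covered")
    return findings


if __name__ == "__main__":
    for label, xml in (("posted web.xml", BROKEN_WEB_XML), ("fixed web.xml", FIXED_WEB_XML)):
        print(f"{label}: {len(audit(xml))} finding(s)")
        for finding in audit(xml):
            print("  -", finding)
```

Run it against a real web.xml by passing the file contents to audit(); the pattern matcher treats "/x/*" as a path prefix, "*.ext" as an extension match and anything else as an exact path, which is how the container evaluates constraint patterns, so the output tells you which browser-visible URLs still bypass the role check before you test it by hand with a user outside the role.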