{"id":50,"date":"2014-03-02T10:57:26","date_gmt":"2014-03-02T10:57:26","guid":{"rendered":"http:\/\/www.solewing.org\/blog\/?p=50"},"modified":"2014-07-08T18:51:17","modified_gmt":"2014-07-08T18:51:17","slug":"jsf-resources-and-security-constraints-in-web-xml","status":"publish","type":"post","link":"http:\/\/www.solewing.org\/blog\/2014\/03\/jsf-resources-and-security-constraints-in-web-xml\/","title":{"rendered":"JSF Resources and Security Constraints in web.xml"},"content":{"rendered":"

If your JSF application uses the standard Java Servlet security mechanisms (<security-role><\/code>, <security-constraint><\/code>, <login-config><\/code>, et al<\/em>), and your application allows a mixture of public and non-public access, you’ll probably want to make the JSF resource library available to the browsers of both public and non-public users.<\/p>\n

Assuming that you’re using the JSF resource library mechanisms (like <h:outputStylesheet><\/code>), you’ll need this security constraint:<\/p>\n

[xml]
\n
\n
\n Public Resources<\/web-resource-name>
\n \/javax.faces.resource\/*<\/url-pattern>
\n <\/web-resource-collection>
\n
\n
\n <\/security-constraint>
\n[\/xml]<\/p>\n

If (like me) you’re mixing use of JSF tags like (<h:outputStylesheet><\/code>) with some direct references to resources, you’ll also want to include a URL pattern that allows that direct access:<\/p>\n

[xml]
\n
\n
\n Public Resources<\/web-resource-name>
\n \/javax.faces.resource\/*<\/url-pattern>
\n \/resources\/*<\/url-pattern>
\n <\/web-resource-collection>
\n
\n
\n <\/security-constraint>
\n[\/xml]<\/p>\n

Since these security constraints don’t specify an auth constraint, they are accessible to any browser that requests them. As noted, you can still include a <user-data-constraint><\/code> to enable SSL, if you like.<\/p>\n","protected":false},"excerpt":{"rendered":"

If your JSF application uses the standard Java Servlet security mechanisms (<security-role>, <security-constraint>, <login-config>, et al), and your application allows a mixture of public and non-public access, you’ll probably want to make the JSF resource library available to the browsers of both public and non-public users. Assuming that you’re using the JSF resource library mechanisms […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[10,2,13,12],"class_list":["post-50","post","type-post","status-publish","format-standard","hentry","category-jsf-2","tag-java-2","tag-jsf","tag-security-constraint","tag-servlet"],"_links":{"self":[{"href":"http:\/\/www.solewing.org\/blog\/wp-json\/wp\/v2\/posts\/50","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.solewing.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.solewing.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.solewing.org\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.solewing.org\/blog\/wp-json\/wp\/v2\/comments?post=50"}],"version-history":[{"count":6,"href":"http:\/\/www.solewing.org\/blog\/wp-json\/wp\/v2\/posts\/50\/revisions"}],"predecessor-version":[{"id":61,"href":"http:\/\/www.solewing.org\/blog\/wp-json\/wp\/v2\/posts\/50\/revisions\/61"}],"wp:attachment":[{"href":"http:\/\/www.solewing.org\/blog\/wp-json\/wp\/v2\/media?parent=50"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.solewing.org\/blog\/wp-json\/wp\/v2\/categories?post=50"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.solewing.org\/blog\/wp-json\/wp\/v2\/tags?post=50"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}