tags:

views:

373

answers:

4
+1  Q: 

Protecting internal view layer template pages in servlet applications

I have a very basic question about MVC web applications in Java.

Since the olden days of raw JSP up until current technologies like Seam, a very basic pattern has always been the internal dispatch from the controller that initially accepted the request to the view layer that creates the output to be sent to the client.

This internal dispatch is generally done (although the mechanism may be hidden through an extra layer of configuration) by asking the servlet container for a new resource using a URL. The mapping of these URL are done by the same web.xml that also defines the "real" URL to the outside.

Unless special measures are taken, it is often possible to directly access the view layer directly. Witness the Seam "registration" demo, where you can bypass "register.seam" and directly go to "registered.xhtml". This is a potential security problem. At the very least, it leaks view template source code.

I am aware that this is only a basic sample application, but it is also strange that any extra measures should need to be taken to declare these internal resources invisible to the outside.

What is the easiest way to restrict URL entry points?

Is there maybe something like the "WEB-INF" directory, a magic URL path component that can only be accessed by internal requests?

+1  A: 

I would not recommend allowing Internet requests to directly access your appserver. I'd throw a webserver in front, then in it, allow the request of certain kinds of URLs. Don't want people to go to foo.com/jsps? Restrict it once and for all there.

There's a bit of a conversation on the topic here: hiding pages behind WEB-INF?

trenton  2008-10-01 02:38:01
Proxying through a web server is certainly a good thing for performance and security and integration with other applications, but I am not sure that I want to tightly couple the web server's configuration (likely maintained by network admins) with the internals of the applications URL scheme.
Thilo  2008-10-01 02:46:10
+1  A: 

One way to handle this would be to construct a Servlet Filter which examines the request path of every request and handles each request accordingly. Here is a link that could help get you started, JavaServer Pages (JSP) and JSTL - Access control with JSP

TomC  2008-10-01 03:55:01
+2  A: 

You can prevent access to internal resources by using a security-constraint in your web.xml deployment descriptor.

For example, I use the following configuration to prevent direct access to JSPs:

<!-- Prevent direct access to JSPs. -->
<security-constraint>
    <web-resource-collection>
     <web-resource-name>JSP templates</web-resource-name>
     <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint/> <!-- i.e. nobody -->
</security-constraint>
Simon Lieschke  2009-01-17 14:37:06
A: 

I have now seen a couple of applications that put their internal JSP into WEB-INF/jsp. That seems to do the trick, at least for JSP, and also for Velocity. It does not seem to work for JSF, though.

Thilo  2010-01-12 01:06:58
The OP already mentioned "something like as `WEB-INF`", so I assume that he knew of it, but didn't want to use it for some reasons. A `security-constraint` is the best solution to that.
BalusC  2010-01-12 02:44:15
While I knew that files in WEB-INF will not be made available for direct HTTP access, it did, in fact, not occur to me at the time that WEB-INF would also hide JSP from the outside. I prefer that over a security-constraint. Convention over configuration.
Thilo  2010-01-12 03:30:04

related questions

What is the best architecture to bridge to XMPP?
How to expose a collection property?
How do you build a ratings implementation?
Alternative "architectural" approaches to javaScript client code?
Split data access class into reader and writer or combine them?
Guide to choosing between REST vs SOAP services?
Best architecture for handling file system changes?
Globalization architecture
How Did You Decide Between WISA and LAMP?
Best Blogs for Software Architecture
Experience documentation about Shared Nothing Architecture
Agile architectures
VS.NET Application Diagrams
Documenting program architecture
Books for software architect
How do you do system integration?
Design debate: what are good ways to store and manipulate versioned objects?
Passing more parameters in C function pointers
Send messages to program through command line
Interfaces on different logic layers
How to structure a java application, in other words: where do I put my classes?
Are there any negative reasons to use an N-Tier solution?
Linux - files and scripts that execute on boot
Good STL-like library for C.
Best way to allow plugins for a PHP application