Protecting internal view layer template pages in servlet applications

StackOverflow https://stackoverflow.com/questions/156002

  •  03-07-2019
  •  | 
  •  

Question

I have a very basic question about MVC web applications in Java.

Since the olden days of raw JSP up until current technologies like Seam, a very basic pattern has always been the internal dispatch from the controller that initially accepted the request to the view layer that creates the output to be sent to the client.

This internal dispatch is generally done (although the mechanism may be hidden through an extra layer of configuration) by asking the servlet container for a new resource using a URL. The mapping of these URL are done by the same web.xml that also defines the "real" URL to the outside.

Unless special measures are taken, it is often possible to directly access the view layer directly. Witness the Seam "registration" demo, where you can bypass "register.seam" and directly go to "registered.xhtml". This is a potential security problem. At the very least, it leaks view template source code.

I am aware that this is only a basic sample application, but it is also strange that any extra measures should need to be taken to declare these internal resources invisible to the outside.

What is the easiest way to restrict URL entry points?

Is there maybe something like the "WEB-INF" directory, a magic URL path component that can only be accessed by internal requests?

Was it helpful?

Solution 4

I have now seen a couple of applications that put their internal JSP into WEB-INF/jsp. That seems to do the trick, at least for JSP, and also for Velocity. It does not seem to work for JSF, though.

OTHER TIPS

You can prevent access to internal resources by using a security-constraint in your web.xml deployment descriptor.

For example, I use the following configuration to prevent direct access to JSPs:

<!-- Prevent direct access to JSPs. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>JSP templates</web-resource-name>
        <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint/> <!-- i.e. nobody -->
</security-constraint>

I would not recommend allowing Internet requests to directly access your appserver. I'd throw a webserver in front, then in it, allow the request of certain kinds of URLs. Don't want people to go to foo.com/jsps? Restrict it once and for all there.

There's a bit of a conversation on the topic here: hiding pages behind WEB-INF?

One way to handle this would be to construct a Servlet Filter which examines the request path of every request and handles each request accordingly. Here is a link that could help get you started, JavaServer Pages (JSP) and JSTL - Access control with JSP

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top