Some of the MyFaces users have noticed it is possible to access secure
resources (like the deployment descriptor) when the front controller is mapped
to the same URL pattern as the Filter.
    <servlet-mapping>
        <servlet-name>fooServlet</servlet-name>
        <url-pattern>/foo/*</url-pattern>
    </servlet-mapping>
    <filter-mapping>
        <filter-name>fooFilter</filter-name>
        <url-pattern>/foo/*</url-pattern>
    </filter-mapping>
Consider the following 3 line doFilter implementation ...
    HttpServletRequest httpRequest = (HttpServletRequest) req;
    log.info(" " + httpRequest.getPathInfo());   // path below the /foo/* mapping
    chain.doFilter(httpRequest, res);
If the request is http://domain.com:8080/contextName/foo/WEB-INF/web.xml,
getPathInfo() returns /WEB-INF/web.xml and the DD is streamed to the client.
http://domain.com:8080/contextName/foo/WEB-INF/classes lets you browse the
classes dir.
I have observed this with both Tomcat and Jetty.
I was wondering if there was any particular pattern for dealing with this,
other than doing a bunch of String.equals checks.
http://issues.apache.org/jira/browse/MYFACES-1008
Dennis Byrne
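The root cause is that the container's protection of WEB-INF and META-INF applies only to direct client requests; once a servlet mapped to a path prefix takes the path info and dispatches to it internally (RequestDispatcher.forward/include, getResourceAsStream), the container serves the resource. One filter-based mitigation, written here as an added example and not code from the post or from MyFaces: reject the request up front when any segment of the decoded path info names a protected directory, compared case-insensitively and with backslashes treated as separators, instead of a chain of String.equals checks against literal prefixes. The class name ProtectedPathFilter is ours; the servlet API calls are the standard javax.servlet ones.

```java
import java.io.IOException;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (hypothetical class, not part of MyFaces): map this filter to the
 * same /foo/* pattern as the front controller so that no path info naming
 * WEB-INF or META-INF ever reaches the servlet that would forward to it.
 */
public class ProtectedPathFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void destroy() {
        // nothing to release
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) req;
        HttpServletResponse httpResponse = (HttpServletResponse) res;

        if (isProtectedPath(httpRequest.getPathInfo())) {
            // Respond exactly as the container does for a direct request to /WEB-INF/...,
            // so the filter does not reveal which protected paths exist.
            httpResponse.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Returns true when any segment of the path info is WEB-INF or META-INF.
     * getPathInfo() is already URL-decoded and the container has normalized
     * "." and ".." segments, so a per-segment comparison is sufficient here;
     * the comparison is case-insensitive because a case-insensitive file system
     * (Windows) would otherwise resolve /web-inf/web.xml to the real file.
     */
    static boolean isProtectedPath(String pathInfo) {
        if (pathInfo == null) {
            return false;               // request for /foo itself, nothing below it
        }
        String[] segments = pathInfo.replace('\\', '/').split("/");
        for (String segment : segments) {
            String upper = segment.toUpperCase(Locale.ROOT);
            if (upper.equals("WEB-INF") || upper.equals("META-INF")) {
                return true;
            }
        }
        return false;
    }
}
```

With this filter in front of the /foo/* servlet, a request for /contextName/foo/WEB-INF/web.xml is answered with 404 before the front controller sees it, while /contextName/foo/index.jsp still passes through. The check is on path segments rather than a string prefix so that /foo//WEB-INF/web.xml and /foo/Web-Inf/web.xml are caught as well. The filter complements, rather than replaces, the simpler configuration fix of mapping the front controller to a suffix (for example *.jsf) instead of a path prefix, which removes the forwarding path altogether.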