I am developing a JSF application and the archive (war) will be given to multiple customers and will be separately deployed on their own Tomcat servers. This is just a front end application and it uses web services to communicate with a remote server.
In my JSF application, some tabs and panels are conditionally rendered according to the ORG_ID and Roles of the logged in user. All these restrictions are written in .xhtml pages as ELs:
<rich:tab header="Registration" rendered="#{permissionController.hasSuperRole()}"/>
Since this application is deployed on customers' premises, they can edit the .xhtml files and remove these restrictions. Is there a way to overcome this issue by encrypting xhtml files, checking last modified date...?
This issue is totally not related to Java, JSF or (X)HTML. It is the generic issue that you should never trust the client (like you never should in e.g. a web application where a user can manipulate the HTML/JavaScript in the browser).
Solution: Just do additional authorization in the web services.
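The following sketch is an added example, not part of the original answer: it shows the web service behind the "Registration" tab checking role and organisation itself, so removing `rendered="..."` from the .xhtml changes nothing. The class names, tokens and the role name `SUPER` are hypothetical, and the in-memory session map stands in for whatever authentication the real service uses.

```java
import java.util.*;

/** Added example: the remote web service authorizes every call itself. */
public class RegistrationService {

    /** Caller identity as established by the service's own authentication. */
    static final class Caller {
        final String orgId;
        final Set<String> roles;
        Caller(String orgId, String... roles) {
            this.orgId = orgId;
            this.roles = new HashSet<>(Arrays.asList(roles));
        }
    }

    // Constructed sample data: session token -> authenticated caller.
    private final Map<String, Caller> sessions = new HashMap<>();

    RegistrationService() {
        sessions.put("token-alice", new Caller("ORG1", "SUPER"));
        sessions.put("token-bob", new Caller("ORG1", "USER"));
    }

    /** Resolve the caller from the token, never from role fields the client sends. */
    private Caller authenticate(String token) {
        Caller c = sessions.get(token);
        if (c == null) throw new SecurityException("unauthenticated");
        return c;
    }

    /** Operation behind the "Registration" tab: role and ORG_ID are checked here. */
    public String register(String token, String targetOrgId, String name) {
        Caller c = authenticate(token);
        if (!c.roles.contains("SUPER")) throw new SecurityException("role SUPER required");
        if (!c.orgId.equals(targetOrgId)) throw new SecurityException("wrong organisation");
        return "registered " + name + " in " + targetOrgId;
    }

    public static void main(String[] args) {
        RegistrationService svc = new RegistrationService();
        System.out.println(svc.register("token-alice", "ORG1", "new-user"));
        try {
            // Even if the tab is made visible by editing the page, the call is refused.
            svc.register("token-bob", "ORG1", "new-user");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```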
Related
I'm researching using JSP for a project that could be accessed locally and over the web. That is, I would be creating the project in JSP and would like to generate a kind of setup.exe that the client would run to set up the environment to run the JSP in their browser. For example, if I were to choose Tomcat, do I create a setup program that also installs Tomcat and then stores the JSP application in the proper directory? More specifically, for those in the industry that program JSP professionally, how does your company deploy a JSP application to the client? If you host the JSP application on your server what about a solution where the client hosts a local server so they can run the application locally on their machine? Is that possible?
I think you have some confusion. In a JSP-based application (note that that technology is very old and you should use JSF instead) there are two sides: the server side and the client side.
The server side has Tomcat or any other Web Application Server that deploys the JSPs as you said.
The client side just needs a browser (e.g. Mozilla, Chrome, Lynx, etc) to access the JSP-based application via Web.
In other words, you don't deploy in client machines. You just deploy in the server and your clients access your application with, normally, a Web browser.
Further reading:
Java JSP, JSF and JS.
Difference between JSF sevlet and JSP
I have set up my two applications in a single Tomcat instance using the procedure described in Can I SSO between multiple Wars in the same servlet with Stormpath and Apache Shiro?
Both of the WARs run fine individually with the users registered in the Stormpath directory. But when I link the two applications and do a successful login in WAR A, I am still redirected to the login page of WAR B and I need to log in again. I also see the jSessionId is different on the login page of WAR A and WAR B. So somehow both the applications are not getting linked.
Shiro has a session mechanism which allows clustering. See http://shiro.apache.org/session-management.html#SessionManagement-SessionClustering
Shiro also has an extension, buji-pac4j (https://github.com/bujiio/buji-pac4j), whose new version (1.4.0) has support for Stormpath.
So using both will help you achieve SSO with Stormpath.
I have multiple WARs deployed in the same JBoss instance.
One of the WARs will be hosting a login page that will let the user sign in.
On sign in, the system creates a user session. Now, when the user tries to navigate to another module 'http://site/notsigninmodule', the user session should still be available to the 'notsigninmodule' app.
Does anyone know how to achieve this? An example would be most useful
After days of research, this is what I came up with:
Sharing sessions between web applications would violate the JavaEE Servlet specification, apparently.
"Session information is scoped only to the current web application (ServletContext), so information stored in one context will not be directly visible in another"
In 2013/2014 the following feature request JIRAs were opened for community versions.
https://issues.jboss.org/browse/JBAS-9545
https://issues.jboss.org/browse/WFLY-1891
Now, in the community version WildFly 9, this feature is available: https://docs.jboss.org/author/display/WFLY9/Web+(Undertow)+Reference+Guide
So my conclusion is that in JBoss 5.1, I cannot achieve my requirement.
I opted to bring the JSP pages into the web app that creates the session.
OS: Windows Server 2008 R2 SP1
Web Server Front-End: IIS 7.5
Web Server Back-End: Tomcat 5.5
AJP Connector is used to pass JSP content from IIS to Tomcat.
I have a number of project folders that get delivered for web consumption every so often. The web pages themselves end with the HTML extension. They need to be hosted on a Tomcat web server and I need session management control via a JSP application. That is, it's not enough for me to check if the session is active for Tomcat. I have some session control specific to the JSP application itself.
I suppose I could run a script which takes the multitude of HTML pages and converts them into JSP, but I'd like to keep things as "drag-and-drop" friendly as I can. I'd rather not make any changes directly to these project folders.
Is there a way I can enforce Tomcat to treat HTML pages as JSP pages? I.e., If, for example, I wanted to include JSP expressions inside the HTML pages, I could do that.
Thank you very much for any help.
JSP pages are similar to HTML pages; they are actually scripts included inside HTML pages, written in between the <html></html> tags,
so you can access JSP pages as HTML.
Just save those pages with the .html extension.
I have a Java EE application, running under WebLogic 10.3.5 and Java 6.
I used to have a pdf help file, embedded in my war file, but I need to extract it from there and put it in an external directory (it can be in my same WebLogic domain directory).
I tried to put it in my WebLogic domain and then to < a href > it, but it seems that browsers have a limitation and, for security reasons, will not allow downloading a local file with a href or JavaScript.
This used to work only on a static HTML file saved on my computer, but once the HTML page is deployed on the server, it seems not to be possible.
Any idea how I can externalize my help.pdf file from my war file?
@limc is right:
you should put this static file outside of WebLogic altogether, as a file on an Apache web server.
However, in WebLogic there is a feature of virtual directory mapping which allows you to declare a folder outside of the WebLogic domain as a content store for any static stuff.
http://docs.oracle.com/cd/E11035_01/wls100/webapp/weblogic_xml.html#wp1039396
This entry goes in WEB-INF/weblogic.xml
<virtual-directory-mapping>
    <local-path>c:/usr/mypdfs</local-path>
    <url-pattern>/pdf/*</url-pattern>
</virtual-directory-mapping>
Although some application servers allow a Java EE app to reference a file outside the web container, in reality, your web app shouldn't have any knowledge about anything outside the web container, and as you have mentioned, it is indeed a huge security concern.
Depending on what you are trying to accomplish with this PDF file, if you merely want to expose this file on the web, do what @duffmo said and it will work fine. If you want the flexibility to modify this PDF file frequently without recreating the war file again and again, you may want to consider hosting this PDF file in some HTTP web server (Apache2, IIS, etc) and now you reference that link from your web app.
You need to put it at the root of your web context, in exactly the same place as HTML pages. Your web server will be able to find it there.