org.ploin.web.faces.phaselistener
Class BlockSaveListener
java.lang.Object
org.ploin.web.faces.phaselistener.BlockSaveListener
- All Implemented Interfaces:
- Serializable, EventListener, javax.faces.event.PhaseListener
public class BlockSaveListener
- extends Object
- implements javax.faces.event.PhaseListener
This is a workaround for a security hole in IceFaces 1.7.2 and IceFaces 1.8.
The "block" servlet can be used to fetch files under WEB-INF. With the
following request it is possible to read the web.xml and other files
under WEB-INF:
http://localhost:8080/myProject/block/WEB-INF/web.xml
To protect your WEB-INF directory you have to register this PhaseListener
for the RESTORE_VIEW phase in the faces-config.xml. Here is an example:
<lifecycle>
    <phase-listener>org.ploin.web.faces.phaselistener.BlockSaveListener</phase-listener>
</lifecycle>
This PhaseListener is a part of ploinFaces 1.4.X (http://www.ploinfaces.org).
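The kind of path check such a listener needs, as an added example that is not the ploinFaces implementation: the class name WebInfGuardExample and the method targetsWebInf are hypothetical, and it is assumed that the listener passes in the request URI and rejects the request when the method returns true. It needs only the JDK (Java 10 or later) and runs on constructed sample paths.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

public class WebInfGuardExample {

    // Hypothetical helper (not ploinFaces code): true if any path segment,
    // after decoding, names the WEB-INF directory.
    static boolean targetsWebInf(String rawPath) {
        String path = rawPath;
        // Decode a bounded number of times so double-encoded input is also caught.
        for (int i = 0; i < 3; i++) {
            String decoded;
            try {
                decoded = URLDecoder.decode(path, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                return true; // malformed percent-escape: fail closed
            }
            if (decoded.equals(path)) {
                break;
            }
            path = decoded;
        }
        // Treat backslashes as separators and compare segment by segment.
        for (String segment : path.replace('\\', '/').split("/")) {
            int semi = segment.indexOf(';'); // drop path parameters such as ;jsessionid=...
            if (semi >= 0) {
                segment = segment.substring(0, semi);
            }
            if (segment.trim().equalsIgnoreCase("WEB-INF")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample request paths; the first is the one from the description above.
        String[] samples = {
            "/myProject/block/WEB-INF/web.xml",
            "/myProject/block/web-inf/web.xml",
            "/myProject/block/%57EB-INF/web.xml",
            "/myProject/block/css/style.css"
        };
        for (String s : samples) {
            System.out.printf("%-40s -> %s%n", s, targetsWebInf(s) ? "reject" : "allow");
        }
    }
}
```

The check matches on any decoded segment rather than on the resolved path, so it stays conservative even if the container normalizes dot segments differently.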
- Author:
- Robert Reiz (reiz@ploin.de)
$Date: 2009-04-14 11:07:20 +0200 (Tue, 14 Apr 2009) $
- See Also:
- Serialized Form
Method Summary
| Return type | Method |
|---|---|
| void | afterPhase(javax.faces.event.PhaseEvent event) |
| void | beforePhase(javax.faces.event.PhaseEvent event) |
| javax.faces.context.FacesContext | getF() |
| javax.faces.event.PhaseId | getPhaseId() |
| void | setF(javax.faces.context.FacesContext f) |
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
BlockSaveListener
public BlockSaveListener()
afterPhase
public void afterPhase(javax.faces.event.PhaseEvent event)
- Specified by:
afterPhase in interface javax.faces.event.PhaseListener
beforePhase
public void beforePhase(javax.faces.event.PhaseEvent event)
- Specified by:
beforePhase in interface javax.faces.event.PhaseListener
getPhaseId
public javax.faces.event.PhaseId getPhaseId()
- Specified by:
getPhaseId in interface javax.faces.event.PhaseListener
getF
public javax.faces.context.FacesContext getF()
setF
public void setF(javax.faces.context.FacesContext f)
Copyright © 2012 PLOIN GmbH. All Rights Reserved.