Categories
SEAM Tomcat

Restrict access to inner Facelets with SEAM

Sometimes you could have some facelets, which are no entry-sites and which should never be called directly by the user. Typical types are template-files.
Seam provides here an easy function to restrict the access to such pages. You can define this restriction in the pages.xml or the associated *.page.xml.
For the pages.xml you have to add:

1
2
3
4
5
6
7
8
< ?xml version="1.0" encoding="UTF-8"?>
<pages xmlns="http://jboss.com/products/seam/pages" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
...
	<page view-id="/templates/template.xhtml">
		<restrict />
	</page>
...
</pages>

Because you also can use wildcards, it is also possible to restrict a whole directory:

1
2
3
4
5
6
7
8
< ?xml version="1.0" encoding="UTF-8"?>
<pages xmlns="http://jboss.com/products/seam/pages" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
...
	<page view-id="/templates/*">
		<restrict />
	</page>
...
</pages>

Seam will now throw an exception, if a user will access this page, but instead we want to send the typical HTTP-error 403. So we have to define some more rules in pages.xml:

1
2
3
4
5
6
7
8
9
10
11
< ?xml version="1.0" encoding="UTF-8"?>
<pages xmlns="http://jboss.com/products/seam/pages" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
...
	<exception class="org.jboss.seam.security.NotLoggedInException">
		<http -error error-code="403" />
	</exception>
	<exception class="org.jboss.seam.security.AuthorizationException">
		<http -error error-code="403" />
	</exception>
...
</pages>

Another way would be an own Servlet or Servlet-Filter, which would send the errorcode directly.

Categories
Javascript SEAM XHTML

The XHTML and document.write / innerHTML story

If you use XHTML as HTML-Standard, which is recommended, to build your sites and you use JavaScript, you could have problems with document.write. Especially third-party JavaScript extensions like GoogleMaps or CKEditor use document.write to easily inject own JavaScript code.

But this is denied by specification for XHTML-Documents delivered with content-type application/xhtml+xml instead of text/html. You will receive the DOM Exception #7 by calling document.write or while using innerHTML (Example in Safari: “Error: NO_MODIFICATION_ALLOWED_ERR: DOM Exception 7”; in Firefox: uncaught exception: [Exception… “Component returned failure code: 0x80004003 (NS_ERROR_INVALID_POINTER) [nsIDOMNSHTMLElement.innerHTML]”  nsresult: “0x80004003 (NS_ERROR_INVALID_POINTER)”  location: … ]). The solution is to deliver the Website with content-type “text/html” instead of “application/xhtml+xml”.
Errormessage Safari
In SEAM using Facelets (with JSF) as View, you can set the content-type in the f:view-Tag. This would look like:

1
2
3
4
5
...
<f :view contentType="text/html">
....
</f>
...
Categories
SEAM Tomcat

Defining a ServletFilter – the SEAM way

SEAM doesn’t only extends JSF and Facelets, but also gives you a possibility to define other resources or components via annotations. To define a simple Servlet Filter you only need to annotate a class with the @Filter-annotation. There is no need to extend the web.xml or other.

One simple Filter would be:

1
2
3
4
5
6
7
8
9
10
@Scope(ScopeType.APPLICATION)
@Name("myFilter")
@Install(precedence = Install.FRAMEWORK)
@BypassInterceptors
@Filter(within = { "org.jboss.seam.web.rewriteFilter" })
public class MyFilter extends AbstractFilter {
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        chain.doFilter(request, response);
    }
}

With the parameters within or around of the @Filter annotation, you can define when you filter will be called.