Updated: 2023-12-01 15:39:10
This is happening because you've specified /faces/* in your FacesServlet configuration in the web.xml. As a result, any file requested that does not match the specified url pattern will be served as a regular file with a GET request.

Change that config to the following to ensure all JSF related requests go through the FacesServlet:
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
This ensures all files with the .xhtml extension will be processed before being returned to the client.
While the above solution may solve the immediate problem, what you're experiencing points to a deeper security issue. It indicates that anyone with a browser can request and download artifacts from your web application deployment and possibly other parts of your filesystem. This is a security hole you will need to look into. The options vary depending on your App server.
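For reference, here is a complete web.xml excerpt that puts the prefix mapping the answer describes side by side with the extension mapping it recommends. This is an added example, not part of the original answer: the servlet class javax.faces.webapp.FacesServlet is the standard JSF 2.x class, and the servlet name, load-on-startup value and comments are assumptions for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         version="3.1">

    <!-- Standard JSF servlet declaration (class name is the JSF 2.x default). -->
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <!-- WEAK on its own: only URLs under /faces/ reach the FacesServlet.
         A request for /page.xhtml bypasses JSF and the container serves the
         raw template file from the deployment as static content. -->
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>/faces/*</url-pattern>
    </servlet-mapping>

    <!-- CORRECTED: every *.xhtml request, whatever its path, is handled by
         the FacesServlet, so the template is rendered rather than downloaded.
         Keeping the /faces/* mapping above is optional; it only preserves
         existing links that use the prefix form. -->
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>

</web-app>
```

After redeploying, request one of your own pages by its direct path (for example /index.xhtml rather than /faces/index.xhtml) and confirm the response is rendered HTML, not the Facelets source; that is the quickest check that the mapping took effect.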