Secure JSF Application – why you should always define a servlet mapping

If you deploy a JSF application in WildFly 8, you can omit the JSF servlet mapping. In this case three default mappings are active out of the box:

  • <context-root>/faces/*
  • <context-root>/*.jsf
  • <context-root>/*.faces

Tested on WildFly 8.0.0.CR1 and JBoss EAP 6.2.0.GA

This behavior is not mentioned in the JSF 2.1 spec, but the spec explicitly allows implementations to use proprietary means to invoke the JSF lifecycle:

In addition to FacesServlet, JSF implementations may support other ways to invoke the JavaServer Faces request processing lifecycle, but applications that rely on these mechanisms will not be portable.

This default mapping can be problematic because it provides several paths to access resources within your web application, especially if you use security constraints to protect parts of it. For instance, if you restrict access to <context-root>/secure/* with a security constraint in your web.xml, the same web resources can still be accessed via <context-root>/faces/.

To prevent this issue, it is always advisable to define a servlet mapping for your JSF-based application. Once you define a servlet mapping for JSF, WildFly stops serving requests through the default mappings. Just pick your preferred mapping and define it in the web.xml file as shown below:

<servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>

WildFly will then stop serving files via its default mappings. Of course, if you specify more than one mapping, you will have to add security constraints for each of them accordingly.

Example

This Maven project provides a minimal application that demonstrates the issue. The index.xhtml file in the /src/main/webapp/ directory is a JSF view. We restrict access to this file with a security-constraint section in the web.xml file, without any explicit servlet mapping of the Faces Servlet:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>secured index</web-resource-name>
        <url-pattern>/index.jsf</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <role-name>admin</role-name>
</security-role>

If you try to access the file using the three patterns of the default mapping, you get the following responses:

In this case only the request http://localhost:8080/secure-jsf/index.jsf is restricted by the security constraint; the other default mappings are not secured. To prevent this security issue you have to either configure additional security constraints for all default mappings, or configure an explicit mapping for the JSF servlet so that the default mappings are disabled.
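As an added check that is not part of the original post or its Maven project: the script below parses a web.xml, works out which FacesServlet mappings are live (the three WildFly defaults when none is declared), and lists every URL under those mappings that renders a constrained JSF view without itself being covered by a security-constraint. The two web.xml strings are constructed samples (the post's constraint on /index.jsf, and the same file with an explicit *.xhtml mapping); the pattern matching follows the servlet specification's exact, path-prefix and extension rules.

```python
"""Audit a web.xml for JSF views reachable through unconstrained servlet mappings."""
import xml.etree.ElementTree as ET
DEFAULT_MAPPINGS = ["/faces/*", "*.jsf", "*.faces"]   # WildFly's implicit FacesServlet mappings
FACES_SERVLET = "javax.faces.webapp.FacesServlet"

def _kids(elem, name):  # child elements by local name, ignoring the web-app namespace
    return [c for c in elem if c.tag.split("}")[-1] == name]
def _texts(elem, name):
    return [c.text.strip() for c in _kids(elem, name) if c.text]

def _matches(pattern, url):  # servlet-spec matching: extension, path prefix, exact
    if pattern.startswith("*."):
        return url.endswith(pattern[1:])
    if pattern.endswith("/*"):
        return url == pattern[:-2] or url.startswith(pattern[:-1])
    return url == pattern

def _view(pattern, mappings):  # JSF view id (e.g. '/index') a constrained URL renders, or None
    for m in mappings:
        if m.endswith("/*") and pattern.startswith(m[:-1]) and pattern.endswith(".xhtml"):
            return pattern[len(m) - 2:-len(".xhtml")]
        if m.startswith("*.") and pattern.endswith(m[1:]) and not pattern.startswith("*"):
            return pattern[:-len(m[1:])]
    return None

def _urls_for(view, mappings):  # every URL that renders `view` under the active mappings
    return [m[:-2] + view + ".xhtml" if m.endswith("/*") else view + m[1:] for m in mappings]

def audit_web_xml(xml_text):
    root = ET.fromstring(xml_text)
    faces = {n for s in _kids(root, "servlet") if FACES_SERVLET in _texts(s, "servlet-class")
             for n in _texts(s, "servlet-name")}
    explicit = [p for sm in _kids(root, "servlet-mapping")
                if faces & set(_texts(sm, "servlet-name")) for p in _texts(sm, "url-pattern")]
    constrained = [p for sc in _kids(root, "security-constraint")
                   for wrc in _kids(sc, "web-resource-collection") for p in _texts(wrc, "url-pattern")]
    active = explicit or DEFAULT_MAPPINGS       # no explicit mapping: WildFly defaults are live
    unprotected = sorted({u for p in constrained for v in [_view(p, active)] if v
                          for u in _urls_for(v, active) if not any(_matches(c, u) for c in constrained)})
    return {"explicit_mapping": explicit, "active_mappings": active, "unprotected": unprotected}

# Constructed sample mirroring the post: constraint on /index.jsf, no FacesServlet mapping.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0"><security-constraint>
  <web-resource-collection><url-pattern>/index.jsf</url-pattern></web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint></security-constraint></web-app>"""
FIXED_WEB_XML = SAMPLE_WEB_XML.replace("/index.jsf", "/index.xhtml").replace("</web-app>",  # hardened
    "<servlet><servlet-name>Faces Servlet</servlet-name><servlet-class>%s</servlet-class></servlet>"
    "<servlet-mapping><servlet-name>Faces Servlet</servlet-name><url-pattern>*.xhtml</url-pattern>"
    "</servlet-mapping></web-app>" % FACES_SERVLET)
```

Run `audit_web_xml(SAMPLE_WEB_XML)` to see /faces/index.xhtml and /index.faces reported as unprotected; the hardened file reports nothing because only the constrained *.xhtml mapping is live.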