Thursday, February 24, 2011

Beware of Hackers - Keep ADF Task Flows inside WEB-INF

While reviewing ADF projects, from time to time I see developers decide to store ADF Task Flows outside the WEB-INF folder, directly under the Public HTML directory. This is driven by a better structuring approach: developers want to see ADF Task Flows next to the JSF fragments or pages inside the application structure. However, the security aspect is forgotten. An ADF Task Flow is an XML file, and if it resides outside the WEB-INF folder it is directly accessible from the user's browser, because the servlet container serves everything under the web root except WEB-INF and META-INF. Then anyone will be able to download the XML source of all your ADF Task Flows and read your controller definitions.

Download the sample application, which has one ADF Task Flow outside WEB-INF and one inside: TaskFlowWebInfAccess.zip. Both ADF Task Flows are based on fragments and are rendered as regions:


From the application structure view, we can see that the jobs-flow-two ADF Task Flow is outside the WEB-INF folder:


This ADF Task Flow implements Train wizard steps:


Because we have it outside the WEB-INF folder, it's directly accessible as app-context-root/flows/jobs-flow-two.xml:
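As an added check, not part of the original post or of the sample application: the script below walks a deployed web root the way a servlet container would, skipping WEB-INF and META-INF, and reports every task-flow definition (an XML file whose root element is adfc-config in the ADF controller namespace) that a browser could fetch directly. The directory layout and file contents it builds are constructed for the demo; the file names mirror the post's jobs-flow-one and jobs-flow-two.

```python
"""Audit a deployed ADF web root for task-flow definitions served outside WEB-INF."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Namespace of the root element in every ADF task-flow definition file.
ADFC_NS = "http://xmlns.oracle.com/adf/controller"

# Directories a servlet container never serves to clients.
PROTECTED_DIRS = ("WEB-INF", "META-INF")


def is_task_flow(path):
    """True if the XML file's root element is adfc-config in the ADF controller namespace."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return False
    return root.tag == "{%s}adfc-config" % ADFC_NS


def exposed_task_flows(public_html):
    """Return context-relative URL paths of task-flow XML files a container would serve."""
    exposed = []
    for dirpath, dirnames, filenames in os.walk(public_html):
        rel = os.path.relpath(dirpath, public_html)
        parts = [] if rel == "." else rel.split(os.sep)
        if parts and parts[0] in PROTECTED_DIRS:
            dirnames[:] = []  # do not descend into protected trees
            continue
        for name in filenames:
            if name.lower().endswith(".xml") and is_task_flow(os.path.join(dirpath, name)):
                exposed.append("/" + "/".join(parts + [name]))
    return sorted(exposed)


# Constructed, minimal task-flow definition in the shape JDeveloper generates.
TASK_FLOW_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<adfc-config xmlns="http://xmlns.oracle.com/adf/controller" version="1.2">
  <task-flow-definition id="jobs-flow-two">
    <default-activity>step1</default-activity>
    <view id="step1">
      <page>/fragments/step1.jsff</page>
    </view>
  </task-flow-definition>
</adfc-config>
"""


def _write(root, relpath, content):
    full = os.path.join(root, *relpath.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(content)


def build_sample_root():
    """Create a constructed public_html tree: one flow inside WEB-INF, one outside."""
    root = tempfile.mkdtemp(prefix="public_html_")
    _write(root, "WEB-INF/jobs-flow-one.xml", TASK_FLOW_XML)  # safe placement
    _write(root, "flows/jobs-flow-two.xml", TASK_FLOW_XML)    # exposed placement from the post
    _write(root, "WEB-INF/web.xml", "<web-app/>")             # not a task flow, and protected anyway
    _write(root, "flows/config.xml", "<settings/>")           # public XML, but not a task flow
    _write(root, "main.jspx", "<jsp:root/>")                  # page, not XML definition
    return root


if __name__ == "__main__":
    for url in exposed_task_flows(build_sample_root()):
        print("task flow served to browsers:", url)
```

Running the script lists /flows/jobs-flow-two.xml and nothing else: the copy under WEB-INF is unreachable, and config.xml is ignored because its root element is not adfc-config. Running the same function against a real public_html (or an exploded WAR) before deployment turns the post's advice into a repeatable build-time check.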


If you want to sleep well, always keep ADF Task Flows inside the WEB-INF folder! :)
