Thursday, February 24, 2011

JDev/ADF sample - Beware of Hackers - Keep ADF Task Flows inside WEB-INF

  • Beware of Hackers - Keep ADF Task Flows inside WEB-INF. While reviewing ADF projects, from time to time I see developers decide to store ADF Task Flows outside the WEB-INF folder, directly under the Public HTML directory. This is driven by a wish for better structuring: developers want to see ADF Task Flows next to the JSF fragments or pages in the application structure. However, the security aspect is forgotten: an ADF Task Flow is an XML file, and if it resides outside the WEB-INF folder it is directly accessible from the user's browser. Anyone can then download the XML source of all your ADF Task Flows and read your Controller definition.
    Download - TaskFlowWebInfAccess.zip
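As an added example (not part of the original post or the sample zip): a Python build-time check that walks a WAR document root such as public_html and reports every ADF controller definition (a file whose root element is adfc-config) that is not under WEB-INF, i.e. one the container would serve as plain XML. The directory tree it builds is constructed for the demo and imitates the adfc-config layout of a bounded task flow.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

def is_task_flow_xml(path):
    """True if the file parses as an ADF controller definition (root <adfc-config>)."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return False
    # ElementTree renders namespaced tags as "{uri}name"; compare the local name only
    return root.tag.rsplit("}", 1)[-1] == "adfc-config"

def find_exposed_task_flows(web_root):
    """Return task-flow XML paths (relative to web_root) that are not under WEB-INF.
    web_root is the WAR document root (public_html in JDeveloper); the container
    serves everything below it except WEB-INF and META-INF."""
    exposed = []
    for dirpath, _dirs, files in os.walk(web_root):
        rel_dir = os.path.relpath(dirpath, web_root)
        parts = [] if rel_dir == "." else rel_dir.split(os.sep)
        protected = "WEB-INF" in parts or "META-INF" in parts
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(".xml") and not protected and is_task_flow_xml(full):
                exposed.append(os.path.relpath(full, web_root).replace(os.sep, "/"))
    return sorted(exposed)

def build_sample_web_root():
    """Constructed sample tree (not from the post): one task flow correctly under
    WEB-INF, one stored next to its fragments where the browser can fetch it."""
    root = tempfile.mkdtemp(prefix="adf-check-")
    tf = ('<?xml version="1.0" encoding="UTF-8"?>\n'
          '<adfc-config xmlns="http://xmlns.oracle.com/adf/controller" version="1.2">\n'
          '  <task-flow-definition id="{id}">\n'
          '    <default-activity>main</default-activity>\n'
          '  </task-flow-definition>\n</adfc-config>\n')
    files = {
        "WEB-INF/safe-task-flow.xml": tf.format(id="safe-task-flow"),
        "fragments/exposed-task-flow.xml": tf.format(id="exposed-task-flow"),
        "data.xml": "<root><not-a-task-flow/></root>",  # plain XML, must not be flagged
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root
```

Run `find_exposed_task_flows` against your project's public_html as part of the build; a non-empty result means a task flow should be moved under WEB-INF.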

2 comments:

Unknown said...

It's an important point to be noted while developing secured web applications. Can you share the URL of how to access the task flow xml file?
It would be a great help.

Andrej Baranovskij said...

Hi,

See example here - http://andrejusb.blogspot.com/2011/02/beware-of-hackers-keep-adf-task-flows.html

Andrejus