[JBoss Seam] - Injection threat on EntityQuery order
by doballve
While using the EntityQuery framework we came up with some extensions that might be worth sharing. The first is a security addition: the 'order' parameter gets directly concatenated to the query. That would allow anything to get injected into the query, possibly resulting in a security threat - yes, it is not SQL, it's HQL, but still, you do not want people messing with your query, do you?
What we do is to limit the values that can be passed as 'order', like this:
| import java.util.List;
| import org.apache.commons.lang.StringUtils;
|
| /**
|  * Protect against SQL injection in the order parameter... it gets concatenated to the query!
|  *
|  * @param order String w/ 1 property path + 'ASC'/'DESC'
|  * @throws IllegalArgumentException
|  *             if property path is not among ACCEPTABLE_ORDERBY_PARAMETERS
|  */
| @Override
| public void setOrder(String order) {
|     // validate parameter
|     if (StringUtils.isNotBlank(order)) {
|         // split into "<property path>" and "<direction>" on the first run of whitespace
|         String[] parts = order.trim().split("\\s+", 2);
|         // an order without a direction (e.g. "meeting.id") yields a single part;
|         // check the length first so parts[1] cannot throw ArrayIndexOutOfBoundsException
|         boolean valid = parts.length == 2;
|         if (valid) {
|             String path = StringUtils.trim(parts[0]);
|             String direction = StringUtils.trim(parts[1]);
|             List<String> acceptable = getAcceptableOrderByParameters();
|             valid &= acceptable.contains(path);
|             valid &= ("ASC".equalsIgnoreCase(direction) || "DESC".equalsIgnoreCase(direction));
|         }
|         if (!valid) {
|             throw new IllegalArgumentException("order: " + order);
|         }
|     } else {
|         // blank = null
|         order = null;
|     }
|
|     super.setOrder(order);
| }
|
| protected abstract List<String> getAcceptableOrderByParameters();
|
|
and then in the implementing class, defining something like:
| import java.util.Arrays;
| import java.util.List;
|
| public static final List<String> ACCEPTABLE_ORDERBY_PARAMETERS = Arrays.asList(new String[] {
|     "meeting.id",
|     "meeting.type",
|     "meeting.status",
|     "meeting.timestamp",
| });
|
| @Override
| protected List<String> getAcceptableOrderByParameters() {
|     return ACCEPTABLE_ORDERBY_PARAMETERS;
| }
|
In our case we felt it was a good thing to require the abstract method to be implemented. A less radical approach would be to provide a default method returning null and thus accepting any 'order', but letting people restrict it if they want to be safer. Consider it for a future version of EntityQuery.
Diego
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4089154#4089154
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4089154
18 years, 6 months
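As an added example that is not part of the post above and not Seam's own code: a stand-alone version of the same allow-list check, so it can be exercised outside a Seam application. The class name `OrderClauseValidator` and the sample inputs are assumptions. It goes a little beyond the post by accepting comma-separated multi-column orderings and by rebuilding the clause from the validated tokens instead of passing the raw string through to the query.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Hypothetical stand-alone allow-list validator for an ORDER BY fragment that
 * is going to be string-concatenated into an HQL/JPQL query. Not part of Seam's
 * EntityQuery; it illustrates the same idea as the setOrder() override in the
 * post and additionally accepts comma-separated multi-column orderings.
 */
public final class OrderClauseValidator {

    private final Set<String> acceptablePaths;

    public OrderClauseValidator(List<String> acceptablePaths) {
        this.acceptablePaths = new HashSet<String>(acceptablePaths);
    }

    /**
     * Validates "path [ASC|DESC] (, path [ASC|DESC])*" and returns a clause
     * rebuilt from the validated tokens only, so no raw input ever reaches the
     * query string. Direction defaults to ASC, as HQL does when it is omitted.
     *
     * @return the canonical clause, or null for blank input (no ordering)
     * @throws IllegalArgumentException if any token is outside the allow-list
     */
    public String canonicalize(String order) {
        if (order == null || order.trim().length() == 0) {
            return null;
        }
        StringBuilder canonical = new StringBuilder();
        for (String term : order.trim().split(",")) {
            String[] parts = term.trim().split("\\s+");
            // exactly "path" or "path direction"; anything longer (a smuggled
            // "limit 1", a subquery, a trailing comment) has too many tokens,
            // and an empty term (",meeting.id" or "a,,b") has none
            if (parts.length > 2 || parts[0].length() == 0) {
                throw new IllegalArgumentException("order: " + order);
            }
            String path = parts[0];
            if (!acceptablePaths.contains(path)) {
                throw new IllegalArgumentException("order: " + order);
            }
            String direction = "ASC";
            if (parts.length == 2) {
                if ("DESC".equalsIgnoreCase(parts[1])) {
                    direction = "DESC";
                } else if (!"ASC".equalsIgnoreCase(parts[1])) {
                    throw new IllegalArgumentException("order: " + order);
                }
            }
            if (canonical.length() > 0) {
                canonical.append(", ");
            }
            canonical.append(path).append(' ').append(direction);
        }
        return canonical.toString();
    }

    /** Runs a few constructed inputs through the validator and prints the verdicts. */
    public static void main(String[] args) {
        OrderClauseValidator validator = new OrderClauseValidator(Arrays.asList(
                "meeting.id", "meeting.type", "meeting.status", "meeting.timestamp"));
        String[] samples = {
            "meeting.timestamp DESC",                              // accepted
            "meeting.type asc, meeting.id desc",                   // accepted, normalised
            "meeting.id",                                          // accepted, ASC assumed
            "meeting.id DESC, (select count(m) from Meeting m)",   // rejected: subquery term
            "meeting.id DESC)",                                    // rejected: bad direction token
            "meeting.id ASC limit 1",                              // rejected: too many tokens
            "meeting.secretField DESC",                            // rejected: not on the allow-list
        };
        for (String sample : samples) {
            try {
                System.out.println("OK       " + sample + "  ->  " + validator.canonicalize(sample));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECTED " + sample);
            }
        }
    }
}
```

Rebuilding the clause from the validated tokens, rather than forwarding the original string once it has passed, means whitespace tricks or case variations in the input can never reach the query; only the allow-listed path and a literal ASC/DESC do.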
[JBoss Portal] - Which libraries to deploy?
by pmurray
I am attempting to build a JSF portal in eclipse, for deployment onto jboss-portal-2.6.1.GA running on jboss-4.2.1.GA.
I am trying to work from scratch, but using HelloWorldJSFSunRIPortlet as a guide, so as to try to understand what does and does not get deployed. (I found by trial and error that the JSFSunRI version is the one that works).
In eclipse, I need to build a "JSF Library" and specify that it is the JSF implementation for the project. I am using the three jar files in
jboss-4.2.1.GA\server\DEV\deploy\jboss-web.deployer\jsf-libs
Is this correct? Should I be including all three? Do they need to be deployed along with my portlet, or will it be ok because they are in the lib directory? Where is this documented, if anywhere?
The sample app from JBoss (which works) has a lib directory containing four files - explode, jsf-portlet, portal-common-lib, and portal-api-lib. The war that it builds contains only jsf-portlet.jar .
Is there any way to know that a jsf portlet needs to include this file, apart from unpacking the sample app and finding out? Is that all you need?
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4089153#4089153
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4089153
18 years, 6 months
[JBoss Seam] - Re: Trinidad Support?
by smithbstl
I am sorry to hear about the trouble with Trinidad. I guess the integration still isn't quite up to snuff. I guess I will have to figure something else out for my UI troubles.
I would recommend Rich Faces with Seam. It works out of the box and gives you a decent amount of components. Some places where it is lacking compared to Trinidad are the data table, layout, and selectMenu options. With the latest release (3.1) Rich Faces has addressed the data table features somewhat (added sortable columns and scrolling) but not select one or select many tables yet. Also there are no where near as many panel choices for layouts and no selectMenus. I really miss all the select Menus Trinidad offers.
On the other hand, Rich Faces "just works" with Seam, no extra hassle and you know its all supposed to work together.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4089148#4089148
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4089148
18 years, 6 months
[JBoss Seam] - IllegalStateException restarting app in tomcat
by matt.drees
When I reload my app, I sometimes get an IllegalStateException, and I can duplicate this in the hibernate2 example. After logging in and searching a little, a reload causes this:
| Sep 26, 2007 9:15:37 PM org.apache.catalina.session.StandardSession passivate
| SEVERE: Session attribute event listener threw exception
| java.lang.IllegalStateException: Attempted to invoke a Seam component outside the an initialized application
| at org.jboss.seam.contexts.Lifecycle.getApplication(Lifecycle.java:36)
| at org.jboss.seam.contexts.Lifecycle.beginCall(Lifecycle.java:84)
| at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:113)
| at org.jboss.seam.intercept.RootInterceptor.invokeAndHandle(RootInterceptor.java:84)
| at org.jboss.seam.intercept.JavaBeanInterceptor.callPrePassivate(JavaBeanInterceptor.java:135)
| at org.jboss.seam.intercept.JavaBeanInterceptor.invoke(JavaBeanInterceptor.java:77)
| at org.jboss.seam.example.hibernate.HotelSearchingAction_$$_javassist_2.sessionWillPassivate(HotelSearchingAction_$$_javassist_2.java)
| at org.apache.catalina.session.StandardSession.passivate(StandardSession.java:764)
| at org.apache.catalina.session.StandardManager.doUnload(StandardManager.java:515)
| at org.apache.catalina.session.StandardManager.unload(StandardManager.java:462)
| at org.apache.catalina.session.StandardManager.stop(StandardManager.java:666)
| at org.apache.catalina.core.StandardContext.stop(StandardContext.java:4345)
| at org.apache.catalina.core.StandardContext.reload(StandardContext.java:2984)
| at org.apache.catalina.manager.ManagerServlet.reload(ManagerServlet.java:906)
| at org.apache.catalina.manager.HTMLManagerServlet.reload(HTMLManagerServlet.java:473)
| ...
|
It looks like RootInterceptor tries to set up contexts if they don't exist, but at this point in the game, there is no Seam application available so it bombs. Not sure if this is a tomcat-only problem or if it will happen on other appservers.
As an aside, org.jboss.seam.example.hibernate.HotelSearchingAction is not serializable, which muddies the logs with stacktraces.
Thanks
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4089138#4089138
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4089138
18 years, 6 months