[richfaces-issues] [JBoss JIRA] (RF-13195) Showcase: Unauthorized deserialization attempt with MyFaces

Tuesday, 17 September 2013



     [
https://issues.jboss.org/browse/RF-13195?page=com.atlassian.jira.plugin.s...
]

Brian Leathem resolved RF-13195.
--------------------------------

    Resolution: Done


Added javax.faces.view.Location to the resrouce-serialisation.properties file
                
...
 Showcase: Unauthorized deserialization attempt with MyFaces
 -----------------------------------------------------------

                 Key: RF-13195
                 URL: https://issues.jboss.org/browse/RF-13195
             Project: RichFaces
          Issue Type: Bug
      Security Level: Public(Everyone can see) 
          Components: examples
    Affects Versions: 4.3.4
         Environment: Showcase 4.3.4.Final
            Reporter: Pavol Pitonak
             Fix For: 4.3.4


 # deploy richfaces-showcase-4.3.4.Final-myfaces.war to Tomcat 7.0.42
 # open sample for media output
 result:
 * console log contains this exception:
 {quote}
 Sep 16, 2013 4:55:40 PM org.richfaces.util.Util decodeObjectData
 SEVERE: Input error for deserialize data 
 java.io.InvalidClassException: Unauthorized deserialization attempt;
javax.faces.view.Location
 at
org.richfaces.util.LookAheadObjectInputStream.resolveClass(LookAheadObjectInputStream.java:97)
 at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1610)
 at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1515)
 at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1771)
 at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1348)
 at java.io.ObjectInputStream.readObject(ObjectInputStream.java:370)
 at
org.apache.myfaces.view.facelets.el.ContextAwareTagMethodExpression.readExternal(ContextAwareTagMethodExpression.java:162)
 at java.io.ObjectInputStream.readExternalData(ObjectInputStream.java:1837)
 at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1796)
 at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1348)
 at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1704)
 at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1342)
 at java.io.ObjectInputStream.readObject(ObjectInputStream.java:370)
 at org.richfaces.util.Util.decodeObjectData(Util.java:237)
 at
org.richfaces.resource.DefaultCodecResourceRequestData.getData(DefaultCodecResourceRequestData.java:97)
 at
org.richfaces.resource.ResourceFactoryImpl.createResource(ResourceFactoryImpl.java:337)
 at
org.richfaces.resource.ResourceHandlerImpl.handleResourceRequest(ResourceHandlerImpl.java:156)
 at javax.faces.webapp.FacesServlet.service(FacesServlet.java:191)
 at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
 at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
 at org.richfaces.webapp.PushFilter.doFilter(PushFilter.java:129)
 at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
 at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
 at org.ocpsoft.rewrite.servlet.RewriteFilter.doFilter(RewriteFilter.java:172)
 at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
 at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
 at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
 at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
 at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
 at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
 at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
 at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
 at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
 at java.lang.Thread.run(Thread.java:724)
 {quote} 
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

[richfaces-issues] [JBoss JIRA] (RF-13195) Showcase: Unauthorized deserialization attempt with MyFaces