[
https://issues.jboss.org/browse/RF-13098?page=com.atlassian.jira.plugin.s...
]
Brian Leathem commented on RF-13098:
------------------------------------
I discussed the consequences of whitelisting
org.jboss.weld.bean.proxy.util.SerializableClientProxy with [~pmuir] on IRC, where he
pointed out:
{quote}
[CDI] won't deserialize *arbitrary* classes, only classes that are beans because the
SerializableClientProxy can only look up a bean in CDI so the class must be a CDI bean
{quote}
Bean classes that are allowable for deserialisation by CDI are classes that exist in
a jar with a beans.xml marker. This excludes classes from arbitrary 3rd party libraries
(unless they in turn have a beans.xml marker file present).
We will further investigate if we can discover the proxied class for the serialized bean
data, but in the meantime adding the SerializableClientProxy class to the
resource-serialization.properties should be considered a viable workaround. Just be sure
to make sure you don't have any vulnerable classes in your CDI-enabled jars.
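To make the whitelist mechanism being discussed concrete, the following is an added example (not RichFaces' or Weld's code) of an ObjectInputStream that refuses, inside resolveClass(), any class not on an explicit allow-list, which is the point at which LookAheadObjectInputStream threw in the report. The one-class-per-line list format, the WhitelistObjectInputStream class and the MediaData and NotAllowed sample classes are all constructed here and are assumptions, not the layout of RichFaces' resource-serialization.properties.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example, not RichFaces code: an ObjectInputStream that rejects any
 * class descriptor whose name is not on the whitelist. The check runs before
 * any instance of that class is created, so a class that is not listed never
 * has its readObject()/readResolve() hooks executed.
 */
public class WhitelistObjectInputStream extends ObjectInputStream {

    private final Set<String> allowed;

    public WhitelistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowed.contains(name)) {
            // InvalidClassException(cname, reason): class name first, then the reason
            throw new InvalidClassException(name, "Unauthorized deserialization attempt");
        }
        return super.resolveClass(desc);
    }

    /** Parses the assumed format: one fully qualified class name per line, '#' comments. */
    static Set<String> parseWhitelist(String text) {
        Set<String> names = new HashSet<String>();
        for (String raw : text.split("\n")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) {
                continue;
            }
            names.add(line);
        }
        return Collections.unmodifiableSet(names);
    }

    /** Serializes obj and reads it back through the whitelist stream. */
    static Object roundTrip(Serializable obj, Set<String> allowed) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        ObjectOutputStream out = new ObjectOutputStream(bytes);
        try {
            out.writeObject(obj);
        } finally {
            out.close();
        }
        ObjectInputStream in = new WhitelistObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()), allowed);
        try {
            return in.readObject();
        } finally {
            in.close();
        }
    }

    /** Constructed stand-in for the reporter's MediaData bean. */
    public static class MediaData implements Serializable {
        private static final long serialVersionUID = 1L;
        String id = "img-1";
    }

    /** Constructed class that is Serializable but deliberately not whitelisted. */
    public static class NotAllowed implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    public static void main(String[] args) throws Exception {
        // Constructed whitelist containing only the bean the application expects.
        Set<String> allowed = parseWhitelist(
                "# constructed example whitelist\n"
                + MediaData.class.getName() + "\n");

        MediaData ok = (MediaData) roundTrip(new MediaData(), allowed);
        System.out.println("allowed class deserialized: id=" + ok.id);

        try {
            roundTrip(new NotAllowed(), allowed);
            System.out.println("unexpected: NotAllowed was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
        }
    }
}
```

Running main() shows MediaData round-tripping while NotAllowed is rejected before any of its bytes become an object. Two practical points follow from this: every class descriptor in the stream passes through resolveClass(), so array types such as `[B` and wrapper classes have to be listed explicitly if the payload contains them; and whitelisting a class means trusting whatever that class's own deserialization hooks do, which for SerializableClientProxy is a CDI bean lookup, so each entry added to the list should be reviewed for what its readObject()/readResolve() can reach. On JDK 8u121 and later the same check can also be expressed as an ObjectInputFilter (JEP 290).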
Regression: mediaOutput broken for CDI MediaData beans
------------------------------------------------------
Key: RF-13098
URL:
https://issues.jboss.org/browse/RF-13098
Project: RichFaces
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: component-a4j-core
Affects Versions: 4.3.3
Reporter: Marek Schmidt
Assignee: Brian Leathem
Labels: regression
Fix For: 4.3.4
Original Estimate: 1 hour
Remaining Estimate: 1 hour
https://issues.jboss.org/browse/RF-13089 introduced a regression for the a4j:mediaOutput component.
Having a
{code}
<a4j:mediaOutput element="img" cacheable="true"
session="true" createContent="#{mediaBean.paint}"
value="#{mediaData}" mimeType="image/jpeg"/>
{code}
with mediaData being a CDI bean, e.g.
{code}
import java.io.Serializable;

@javax.inject.Named("mediaData")
@javax.enterprise.context.RequestScoped
public class MediaData implements Serializable {
    // bean body as in the reporter's application (not included in the report)
}
{code}
the following exception occurs:
{code}
10:39:27,997 SEVERE [org.richfaces.log.Resource] (http-/127.0.0.1:8080-1) Input error for deserialize data : java.io.InvalidClassException: Unauthorized deserialization attempt; org.jboss.weld.bean.proxy.util.SerializableClientProxy
	at org.richfaces.util.LookAheadObjectInputStream.resolveClass(LookAheadObjectInputStream.java:93) [richfaces-core-impl-4.3.3.Final.jar:4.3.3.Final]
	at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1610) [rt.jar:1.7.0_25]
	at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1515) [rt.jar:1.7.0_25]
	at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1769) [rt.jar:1.7.0_25]
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1348) [rt.jar:1.7.0_25]
	at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1989) [rt.jar:1.7.0_25]
	at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1913) [rt.jar:1.7.0_25]
	at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1796) [rt.jar:1.7.0_25]
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1348) [rt.jar:1.7.0_25]
	at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1704) [rt.jar:1.7.0_25]
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1342) [rt.jar:1.7.0_25]
	at java.io.ObjectInputStream.readObject(ObjectInputStream.java:370) [rt.jar:1.7.0_25]
	at org.richfaces.util.Util.decodeObjectData(Util.java:237) [richfaces-core-impl-4.3.3.Final.jar:4.3.3.Final]
	at org.richfaces.resource.DefaultCodecResourceRequestData.getData(DefaultCodecResourceRequestData.java:97) [richfaces-core-impl-4.3.3.Final.jar:4.3.3.Final]
	at org.richfaces.resource.ResourceFactoryImpl.createResource(ResourceFactoryImpl.java:337) [richfaces-core-impl-4.3.3.Final.jar:4.3.3.Final]
	at org.richfaces.resource.ResourceHandlerImpl.handleResourceRequest(ResourceHandlerImpl.java:156) [richfaces-core-impl-4.3.3.Final.jar:4.3.3.Final]
	at javax.faces.webapp.FacesServlet.service(FacesServlet.java:591) [jboss-jsf-api_2.1_spec-2.1.19.1.Final-redhat-1.jar:2.1.19.1.Final-redhat-1]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
	at java.lang.Thread.run(Thread.java:724) [rt.jar:1.7.0_25]
{code}
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:
http://www.atlassian.com/software/jira