[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-1137) Potentially large security hole in Seam Captcha implementation
by Ian Hlavats (JIRA)
Potentially large security hole in Seam Captcha implementation
--------------------------------------------------------------
Key: JBSEAM-1137
URL: http://jira.jboss.com/jira/browse/JBSEAM-1137
Project: JBoss Seam
Issue Type: Bug
Components: Security
Affects Versions: 1.2.0.GA
Environment: Any
Reporter: Ian Hlavats
I have been experiencing "holes" in the Seam captcha integration recently.
The Seam documentation (section 21.1.1) recommends client-side state saving for JSF.
The following scenario should point out a potential security issue with this approach.
Suppose I have a JSF page with a typical user comment form on it that does not use Seam's captcha component.
Now a malicious user scrapes my JSF page and stores a local copy on his computer, serialized UI component tree and all.
In the meantime, I add Seam's captcha component to my JSF page, trusting it to cause a validation error when the form is submitted without the correct captcha text.
Can the malicious user now submit the previous copy of my form without the captcha component in the tree?
I am using the MyFaces 1.1.4 JSF implementation.
Thanks.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
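As an added illustration of the scenario Ian describes (not code from Seam or from the report): a toy Java model of the two places a captcha check can live. The component id, the session key and the Map standing in for the HTTP session are constructed for the example; a validator bound to the component tree is never invoked when the replayed view lacks the component, while a check run against server-side session state on every submission still rejects it.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

public final class CaptchaCheckDemo {
    // Constructed ids: the captcha input's client id and the session attribute holding the answer.
    static final String CAPTCHA_ID = "commentForm:captcha";
    static final String SESSION_KEY = "captcha.expected";
    /** One POST as the server sees it: component ids restored from the client-held view state, plus form params. */
    record Submission(Set<String> restoredComponentIds, Map<String, String> params) {}

    /** Issues a challenge; the expected answer is kept only in server-side session state (a Map stands in for HttpSession). */
    static String issueChallenge(Map<String, Object> session) {
        String answer = Integer.toHexString(0x10000 + new SecureRandom().nextInt(0xF0000));
        session.put(SESSION_KEY, answer);
        return answer; // in a real app this is rendered into the image, never sent as text
    }

    /** Tree-bound pattern: the validator only runs if the restored view still contains the captcha component. */
    static boolean acceptedByTreeBoundValidation(Submission s, Map<String, Object> session) {
        if (!s.restoredComponentIds().contains(CAPTCHA_ID)) {
            return true; // component absent from the replayed tree -> no validator is invoked
        }
        return Objects.equals(session.get(SESSION_KEY), s.params().get(CAPTCHA_ID));
    }

    /** Server-side pattern: checked on every submission, regardless of what the client restored; single use. */
    static boolean acceptedByServerSideCheck(Submission s, Map<String, Object> session) {
        Object expected = session.remove(SESSION_KEY);
        String given = s.params().get(CAPTCHA_ID);
        if (!(expected instanceof String) || given == null) {
            return false;
        }
        return MessageDigest.isEqual(((String) expected).getBytes(StandardCharsets.UTF_8),
                                     given.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        issueChallenge(session);
        // Constructed replay of a view saved before the captcha component existed: no captcha id, no captcha value.
        Submission replay = new Submission(Set.of("commentForm", "commentForm:text"),
                                           Map.of("commentForm:text", "unsolicited comment"));
        System.out.println("tree-bound validation accepts replay: " + acceptedByTreeBoundValidation(replay, session));
        System.out.println("server-side check accepts replay:    " + acceptedByServerSideCheck(replay, session));
    }
}
```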
[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-1760) Latest fails to deploy in Websphere
by Michael Youngstrom (JIRA)
Latest fails to deploy in Websphere
-----------------------------------
Key: JBSEAM-1760
URL: http://jira.jboss.com/jira/browse/JBSEAM-1760
Project: JBoss Seam
Issue Type: Bug
Affects Versions: 2.0.0.CR1
Reporter: Michael Youngstrom
Fix For: 2.0.0.CR1
The latest from head fails to deploy to Websphere. The same project deploys just fine in Tomcat running the IBM JDK, so it would appear it is not just a difference in IBM JDK vs. Sun JDK.
Any ideas?
java.lang.TypeNotPresentException: Type javax.ejb.Stateful not present
at com.ibm.oti.reflect.AnnotationHelper.getAnnotation(AnnotationHelper.java:38)
at com.ibm.oti.reflect.AnnotationHelper.getDeclaredAnnotations(AnnotationHelper.java:50)
at java.lang.Class.getDeclaredAnnotations(Class.java:1620)
at java.lang.Class.getAnnotations(Class.java:1581)
at java.lang.Class.getAnnotation(Class.java:1561)
at java.lang.Class.isAnnotationPresent(Class.java:1648)
at org.jboss.seam.init.Initialization.installScannedComponentAndRoles(Initialization.java:714)
at org.jboss.seam.init.Initialization.scanForComponents(Initialization.java:661)
at org.jboss.seam.init.Initialization.init(Initialization.java:514)
at org.jboss.seam.servlet.SeamListener.contextInitialized(SeamListener.java:34)
at com.ibm.ws.wswebcontainer.webapp.WebApp.notifyServletContextCreated(WebApp.java:637)
at com.ibm.ws.webcontainer.webapp.WebApp.commonInitializationFinish(WebApp.java:295)
at com.ibm.ws.wswebcontainer.webapp.WebApp.initialize(WebApp.java:285)
at com.ibm.ws.wswebcontainer.webapp.WebGroup.addWebApplication(WebGroup.java:88)
at com.ibm.ws.wswebcontainer.VirtualHost.addWebApplication(VirtualHost.java:157)
at com.ibm.ws.wswebcontainer.WebContainer.addWebApp(WebContainer.java:655)
at com.ibm.ws.wswebcontainer.WebContainer.addWebApplication(WebContainer.java:608)
at com.ibm.ws.webcontainer.component.WebContainerImpl.install(WebContainerImpl.java:335)
at com.ibm.ws.webcontainer.component.WebContainerImpl.start(WebContainerImpl.java:551)
at com.ibm.ws.runtime.component.ApplicationMgrImpl.start(ApplicationMgrImpl.java:1312)
at com.ibm.ws.runtime.component.DeployedApplicationImpl.fireDeployedObjectStart(DeployedApplicationImpl.java:1129)
at com.ibm.ws.runtime.component.DeployedModuleImpl.start(DeployedModuleImpl.java:569)
at com.ibm.ws.runtime.component.DeployedApplicationImpl.start(DeployedApplicationImpl.java:814)
at com.ibm.ws.runtime.component.ApplicationMgrImpl.startApplication(ApplicationMgrImpl.java:965)
at com.ibm.ws.runtime.component.ApplicationMgrImpl$AppInitializer.run(ApplicationMgrImpl.java:2131)
at com.ibm.wsspi.runtime.component.WsComponentImpl$_AsynchInitializer.run(WsComponentImpl.java:341)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1469)
Caused by: java.lang.ClassNotFoundException: javax.ejb.Stateful
at java.lang.Class.forNameImpl(Native Method)
at java.lang.Class.forName(Class.java:163)
at com.ibm.oti.reflect.AnnotationHelper.getAnnotation(AnnotationHelper.java:33)
... 26 more
[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-1608) Seam application can not start because of faces-config configuration in seam-ui.jar
by Joshua Jackson (JIRA)
Seam application can not start because of faces-config configuration in seam-ui.jar
------------------------------------------------------------------------------------
Key: JBSEAM-1608
URL: http://jira.jboss.com/jira/browse/JBSEAM-1608
Project: JBoss Seam
Issue Type: Bug
Components: JSF
Affects Versions: 2.0.0.BETA1
Environment: Glassfish build b53-rc
Reporter: Joshua Jackson
Fix For: 2.0.0.CR1
Here is the stacktrace:
Exception sending context initialized event to listener instance of class com.sun.faces.config.ConfigureListener
javax.faces.FacesException: Can't parse configuration file: jar:file:/D:/javastuff/glassfish/domains/domain1/applications/j2ee-apps/seam/seam_war/WEB-INF/lib/jboss-seam-ui.jar!/META-INF/faces-config.xml: Error at line 12 column 18: The content of element type "validator" must match "(description*,display-name*,icon*,validator-id,validator-class,attribute*,property*)".
at com.sun.faces.config.ConfigureListener.parse(ConfigureListener.java:1438)
at com.sun.faces.config.ConfigureListener.contextInitialized(ConfigureListener.java:348)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4515)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:5176)
at com.sun.enterprise.web.WebModule.start(WebModule.java:324)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:973)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:957)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:688)
at com.sun.enterprise.web.WebContainer.loadWebModule(WebContainer.java:1576)
at com.sun.enterprise.web.WebContainer.loadWebModule(WebContainer.java:1217)
at com.sun.enterprise.web.WebContainer.loadJ2EEApplicationWebModules(WebContainer.java:1142)
at com.sun.enterprise.server.TomcatApplicationLoader.doLoad(TomcatApplicationLoader.java:141)
at com.sun.enterprise.server.AbstractLoader.load(AbstractLoader.java:243)
at com.sun.enterprise.server.ApplicationManager.applicationDeployed(ApplicationManager.java:336)
at com.sun.enterprise.server.ApplicationManager.applicationDeployed(ApplicationManager.java:210)
at com.sun.enterprise.server.ApplicationManager.applicationDeployed(ApplicationManager.java:645)
at com.sun.enterprise.admin.event.AdminEventMulticaster.invokeApplicationDeployEventListener(AdminEventMulticaster.java:918)
at com.sun.enterprise.admin.event.AdminEventMulticaster.handleApplicationDeployEvent(AdminEventMulticaster.java:902)
at com.sun.enterprise.admin.event.AdminEventMulticaster.processEvent(AdminEventMulticaster.java:458)
at com.sun.enterprise.admin.event.AdminEventMulticaster.multicastEvent(AdminEventMulticaster.java:173)
at com.sun.enterprise.admin.server.core.DeploymentNotificationHelper.multicastEvent(DeploymentNotificationHelper.java:308)
at com.sun.enterprise.deployment.phasing.DeploymentServiceUtils.multicastEvent(DeploymentServiceUtils.java:223)
at com.sun.enterprise.deployment.phasing.ServerDeploymentTarget.sendStartEvent(ServerDeploymentTarget.java:298)
at com.sun.enterprise.deployment.phasing.ApplicationStartPhase.runPhase(ApplicationStartPhase.java:132)
at com.sun.enterprise.deployment.phasing.DeploymentPhase.executePhase(DeploymentPhase.java:108)
at com.sun.enterprise.deployment.phasing.PEDeploymentService.executePhases(PEDeploymentService.java:905)
at com.sun.enterprise.deployment.phasing.PEDeploymentService.start(PEDeploymentService.java:577)
at com.sun.enterprise.deployment.phasing.PEDeploymentService.start(PEDeploymentService.java:621)
at com.sun.enterprise.admin.mbeans.ApplicationsConfigMBean.start(ApplicationsConfigMBean.java:744)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.sun.enterprise.admin.MBeanHelper.invokeOperationInBean(MBeanHelper.java:375)
at com.sun.enterprise.admin.MBeanHelper.invokeOperationInBean(MBeanHelper.java:358)
at com.sun.enterprise.admin.config.BaseConfigMBean.invoke(BaseConfigMBean.java:464)
at com.sun.jmx.mbeanserver.DynamicMetaDataImpl.invoke(DynamicMetaDataImpl.java:213)
at com.sun.jmx.mbeanserver.MetaDataImpl.invoke(MetaDataImpl.java:220)
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:815)
at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:784)
at sun.reflect.GeneratedMethodAccessor17.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.sun.enterprise.admin.util.proxy.ProxyClass.invoke(ProxyClass.java:90)
at $Proxy1.invoke(Unknown Source)
at com.sun.enterprise.admin.server.core.jmx.SunoneInterceptor.invoke(SunoneInterceptor.java:304)
at com.sun.enterprise.interceptor.DynamicInterceptor.invoke(DynamicInterceptor.java:174)
at com.sun.enterprise.deployment.client.DeploymentClientUtils.startApplication(DeploymentClientUtils.java:145)
at com.sun.enterprise.deployment.client.DeployAction.run(DeployAction.java:537)
at java.lang.Thread.run(Thread.java:595)
[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-1744) s:convertEntity fails with a java.lang.IllegalArgumentException: Unknown entity: my.Entity_$$_javassist_3
by Matthias M. (JIRA)
s:convertEntity fails with a java.lang.IllegalArgumentException: Unknown entity: my.Entity_$$_javassist_3
---------------------------------------------------------------------------------------------------------
Key: JBSEAM-1744
URL: http://jira.jboss.com/jira/browse/JBSEAM-1744
Project: JBoss Seam
Issue Type: Bug
Components: Core
Affects Versions: 2.0.0.BETA1
Environment: EJB3, Seam 2.0.0.BETA1, Hibernate
Reporter: Matthias M.
<s:convertEntity/> fails on 'getAsObject' with an IllegalArgumentException
The code which is responsible for this bug is identified: the method forClass(...) returns a new Entity with the given parameter set; it should be the correctly resolved 'entityClass'.
<code>
public class Entity extends Model {
    ..........
    public static Entity forClass(Class clazz)
    {
        if ( !Contexts.isApplicationContextActive() )
        {
            throw new IllegalStateException("No application context active");
        }
        // Resolves 'clazz' (which may be a proxy class such as my.Entity_$$_javassist_3) to the real entity class
        Class entityClass = Seam.getEntityClass(clazz);
        if (entityClass==null)
        {
            throw new IllegalArgumentException("Not an entity class: " + clazz.getName());
        }
        // The cache key is derived from the resolved class...
        String name = getModelName(entityClass);
        Model model = (Model) Contexts.getApplicationContext().get(name);
        if ( model==null || !(model instanceof Entity) )
        {
            // ...but the Entity is constructed from the unresolved 'clazz' (the bug reported above;
            // 'entityClass' should be passed here)
            Entity entity = new Entity(clazz);
            Contexts.getApplicationContext().set(name, entity);
            return entity;
        }
        else
        {
            return (Entity) model;
        }
    }
    .............
</code>