March 2010 - seam-issues - Jboss List Archives

[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-2450) OWASP / New Session after Login

by ahus1 (JIRA)

OWASP / New Session after Login ------------------------------- Key: JBSEAM-2450 URL: http://jira.jboss.com/jira/browse/JBSEAM-2450 Project: JBoss Seam Issue Type: Feature Request Affects Versions: 2.0.0.GA Environment: Linux 2.6, jetty 6.1.5, java 6 Reporter: ahus1 Hello, OWASP has compiled a "top 10" vulnerablilities for web applications. One suggestion against session hijacking was the following: Start a new HTTP-Session after a successful login: "Consider regenerating a new session upon successful authentication or privilege level change." http://www.owasp.org/index.php/Top_10_2007-A7 Therefore there should be a (configurable?) switch to choose "continue with new session ID after successful log on" I have thought of invalidating the current HTTP session, creating a new one and copying all elements from the old session to the new session in my Authenticator. But Seam 2.0.0 doesn't allow this: When I use the lowlevel functions this is blocked by IllegalStateException("Please end the HttpSession via Seam.invalidateSession()") in Lifecyle. When I use Seam.invalidateSession(), the session is only destroyed at the end of the request and I am unable to copy any objects in my Authenticator as the new session doesn't exist yet. The workaround I have come up with is a filter, that destroys the complete session before the log in. This is not very elegant, but it works for me as I don't have i.e. a shoping basket that I'd like to preserve. A "nice" implementation in seam shouldn't have this limitation. shane.bryzak(a)jboss.com asked for this ticket to be assigned to her. The Java Class: Code: /** * This filter enforces a new session whenever there is a POST, should be mapped * to the URL of the login page in your web.xml * @author Alexander Schwartz 2007 */ public class NewSessionFilter implements Filter { private Log log = LogFactory.getLog(NewSessionFilter.class); private String url; public void destroy() { // empty. } public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { if (request instanceof HttpServletRequest) { HttpServletRequest httpRequest = (HttpServletRequest) request; if (httpRequest.getMethod().equals("POST") && httpRequest.getSession() != null && !httpRequest.getSession().isNew() && httpRequest.getRequestURI().endsWith(url)) { httpRequest.getSession().invalidate(); httpRequest.getSession(true); log.info("new Session:" + httpRequest.getSession().getId()); } } chain.doFilter(request, response); } public void init(FilterConfig filterConfig) throws ServletException { url = filterConfig.getInitParameter("url"); if (url == null) { throw new ServletException( "please specify parameter 'url' with login URL"); } } } The web.xml: Code: <filter> <display-name>NewSessionFilter</display-name> <filter-name>NewSessionFilter</filter-name> <filter-class> NewSessionFilter </filter-class> <init-param> <param-name>url</param-name> <param-value>/iss/login.jsf</param-value> </init-param> </filter> <filter-mapping> <filter-name>NewSessionFilter</filter-name> <servlet-name>Faces Servlet</servlet-name> <url-pattern>/iss/login.jsf</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping> -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

15 years, 6 months

11
16
0 / 0

[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-4371) [Excel exporter] Excel exporter error on header and xsl-force-type

by Yan Langlois (JIRA)

[Excel exporter] Excel exporter error on header and xsl-force-type ------------------------------------------------------------------ Key: JBSEAM-4371 URL: https://jira.jboss.org/jira/browse/JBSEAM-4371 Project: Seam Issue Type: Bug Components: Excel Affects Versions: 2.1.2.GA Reporter: Yan Langlois Priority: Blocker When a dataTable use a column with header and xsl-force-type the haeder is cast to the forced type. It should not. For exemple : <rich:dataTable id="idTable" value="#{myBean}" var="item"> <rich:column style="xls-force-type:date;"> <f:facet name="header"> <h:outputText styleClass="headerText" value="Day" /> </f:facet> <h:outputText value="#{item.date}" /> </rich:column> </rich:dataTable> The exporter try to cast the value "Day" into a java.util.Date. It should only cast #{item.date} into a java.util.Date. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

15 years, 6 months

2
4
0 / 0

[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-4092) @TransactionTimeout doesn't work on Seam Managed Transactions

by Marek Nazarko (JIRA)

@TransactionTimeout doesn't work on Seam Managed Transactions ------------------------------------------------------------- Key: JBSEAM-4092 URL: https://jira.jboss.org/jira/browse/JBSEAM-4092 Project: Seam Issue Type: Bug Components: Core Affects Versions: 2.1.1.GA Reporter: Marek Nazarko Seam ignores @TransactionTimeout annotation on method executed from JSF page (as "action"). -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

15 years, 6 months

5
6
0 / 0

[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-1683) s:fileUpload with required attribute

by Jonas Erma (JIRA)

s:fileUpload with required attribute ------------------------------------ Key: JBSEAM-1683 URL: http://jira.jboss.com/jira/browse/JBSEAM-1683 Project: JBoss Seam Issue Type: Feature Request Components: JSF Affects Versions: 2.0.0.BETA1 Reporter: Jonas Erma Fix For: 2.0.0.CR1 Is it possible to introduce a required attribute into the s:fileUpload tag? That way, I wouldn't need to check in my action methods if the file is null. tazman -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

15 years, 7 months

5
4
0 / 0

[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-3493) The EntityHome should not preserve the value of its instance property after entering a nested transaction when having the @PerNestedConversation annotation

by Francisco Jose Peredo Noguez (JIRA)

The EntityHome should not preserve the value of its instance property after entering a nested transaction when having the @PerNestedConversation annotation ----------------------------------------------------------------------------------------------------------------------------------------------------------- Key: JBSEAM-3493 URL: https://jira.jboss.org/jira/browse/JBSEAM-3493 Project: Seam Issue Type: Bug Components: Core Affects Versions: 2.0.2.SP1 Reporter: Francisco Jose Peredo Noguez I have a reflective 1-n associations like Person childof Person. I would like to create a child from the PersonEdit.xhtml created by seam-gen then adapted by hands... When I put @PerNestedConversation annotation to my PersonHome the behavior seems to be ok: Each conversation has it's own instance of PersonHome BUT: all of those instances is wired to the same instance of Person (the Entity)... I've tried to trace modifications on the "instance" field of Home but it's never setted so it should stay to null and then call my createInstance() overrided method....but this never happen because (as I said) Person instance is the same as the parent conversation one.... Did I miss something? Or is this a limitation of the CRUD framework? nowhere on the code the field "instance" is setted so I believe this is due to javassist proxying that my eclipse debugger can't see... If this feature isn't working how would you implement my "Create child" button to create a new Person has a child of the current conversation "personHome.instance" ?... -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

15 years, 7 months

3
11
0 / 0

[JBoss JIRA] Created: (JBSEAM-4601) Seambay example - web services page doesn't work with JBossAS 6.0.0.M2

by Martin Gencur (JIRA)

Seambay example - web services page doesn't work with JBossAS 6.0.0.M2 ---------------------------------------------------------------------- Key: JBSEAM-4601 URL: https://jira.jboss.org/jira/browse/JBSEAM-4601 Project: Seam Issue Type: Bug Components: Examples Affects Versions: 2.2.1.CR1 Environment: JBossAS 6.0.0.M2 Reporter: Martin Gencur Unable to invoke any of the services on web services test page. For example: login as demo/demo after selecting login service. The result is the following stacktrace in the response area: <html><head><title>JBoss Web/3.0.0-beta-2 - Error report</title><style></style> </head><body><h1>HTTP Status 404 - /jboss-seam-bay-jboss-seam-bay/AuctionService</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>/jboss-seam-bay-jboss-seam-bay/AuctionService</u></p><p><b>description</b> <u>The requested resource (/jboss-seam-bay-jboss-seam-bay/AuctionService) is not available.</u></p><HR size="1" noshade="noshade"><h3>JBoss Web/3.0.0-beta-2</h3></body></html> -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

15 years, 7 months

2
7
0 / 0

[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-4267) Token-based Remember-me is not working

by Johnny Ren (JIRA)

Token-based Remember-me is not working -------------------------------------- Key: JBSEAM-4267 URL: https://jira.jboss.org/jira/browse/JBSEAM-4267 Project: Seam Issue Type: Bug Components: Security Affects Versions: 2.1.2.GA, 2.1.1.GA Environment: JBOSS 4.2.3 Reporter: Johnny Ren Steps to reproduce the problem: Step1: create an AuthenticationToken class as described in 15.3.5.1. Stpe2: Modify the components.xml as described in 15.3.5.1. <security:jpa-token-stor token-class="org.jboss.seam.example.jpa.AuthenticationToken"/> <security:remember-me mode="autoLogin"/> <event type="org.jboss.seam.security.notLoggedIn"> <action execute="#{redirect.captureCurrentView}"/> <action execute="#{identity.tryLogin()}"/> </event> <event type="org.jboss.seam.security.loginSuccessful"> <action execute="#{redirect.returnToCapturedView}"/> </event> Step 3: Modify the home.xhtml under examples\jpa\view as described in 15.3.5 <div> <h:outputLabel for="rememberMe" value="Remember me"/> <h:selectBooleanCheckbox id="rememberMe" value="#{rememberMe.enabled}"/> </div> Step 4: execute ant jboss Step 5: deploy the jboss-seam-jpa.war Step 6: go to http://localhost:8080/jboss-seam-jpa/home.seam Step 7: Select Remember me and use "demo/demo" to login. Result: javax.servlet.ServletException: #{identity.login}: org.jboss.seam.security.management.IdentityManagementException: Could not create account package org.jboss.seam.example.jpa; import java.io.Serializable; import javax.persistence.Entity; import javax.persistence.GeneratedValue; import javax.persistence.Id; import org.jboss.seam.annotations.security.TokenUsername; import org.jboss.seam.annotations.security.TokenValue; /** * */ @Entity public class AuthenticationToken implements Serializable { private Integer tokenId; private String username; private String value; @Id @GeneratedValue public Integer getTokenId() { return tokenId; } public void setTokenId(Integer tokenId) { this.tokenId = tokenId; } @TokenUsername public String getUsername() { return username; } public void setUsername(String username) { this.username = username; } @TokenValue public String getValue() { return value; } public void setValue(String value) { this.value = value; } } -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

15 years, 7 months

2
3
0 / 0

[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-3391) Use Credentials and RememberMe in code and EL expressions in examples, seam-gen and src

by Luis Tama (JIRA)

Use Credentials and RememberMe in code and EL expressions in examples, seam-gen and src --------------------------------------------------------------------------------------- Key: JBSEAM-3391 URL: https://jira.jboss.org/jira/browse/JBSEAM-3391 Project: Seam Issue Type: Task Components: Examples, Tools Affects Versions: 2.1.0.BETA1 Reporter: Luis Tama As of SEAM 2.1.0, the Identity component has been updated and the getters and setters for the properties username, password and rememberMe have been deprecated. So now we should use Credentials and RememberMe components. There are still many references to those getters/setters/properties in source code and in EL expressions in /examples, /seam-gen (including templates), and in /src, that lead to use of deprecated code. They should be updated. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

15 years, 7 months

4
5
0 / 0

[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-3054) use outbound urlrewriting in seambay example

by Dan Allen (JIRA)

use outbound urlrewriting in seambay example -------------------------------------------- Key: JBSEAM-3054 URL: http://jira.jboss.com/jira/browse/JBSEAM-3054 Project: Seam Issue Type: Feature Request Components: Examples Affects Versions: 2.1.0.A1, 2.0.2.SP1 Reporter: Dan Allen Assigned To: Dan Allen Fix For: 2.0.x, 2.1.0.BETA1 Let's show off outbound urlrewriting in the seambay example. The current hard-coded RESTful URLs look so labor intensive. Plus, it all stops working if you turn off urlrewriting. By pushing it all into the urlrewrite engine, it works either way. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

15 years, 7 months

4
7
0 / 0

[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-4479) cannot override createPermissionQuery method as Discriminator param type is private in JpaPermissionStore class

by Andrzej Smolinski (JIRA)

cannot override createPermissionQuery method as Discriminator param type is private in JpaPermissionStore class --------------------------------------------------------------------------------------------------------------- Key: JBSEAM-4479 URL: https://jira.jboss.org/jira/browse/JBSEAM-4479 Project: Seam Issue Type: Bug Components: Security Affects Versions: 2.2.0.GA Environment: doesn't matter, its code problem Reporter: Andrzej Smolinski cannot override createPermissionQuery method as Discriminator param type is private in JpaPermissionStore class, so no acces to this (Discriminator enum) type in extending class -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

15 years, 7 months

2
3
0 / 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

seam-issues March 2010