[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-2820) Remoting should not throw exception but 400/404 on invalid request
by Christian Bauer (JIRA)
Remoting should not throw exception but 400/404 on invalid request
------------------------------------------------------------------
Key: JBSEAM-2820
URL: http://jira.jboss.com/jira/browse/JBSEAM-2820
Project: JBoss Seam
Issue Type: Bug
Components: Remoting
Reporter: Christian Bauer
Assigned To: Shane Bryzak
Some crazy Java program is making HTTP requests on our live site:
85.82.169.224 - - [04/Apr/2008:15:38:48 +0100] "GET /seam/resource/remoting/interface.js HTTP/1.1" 200 - "null" "Java/1.5.0_13"
I'm guessing this is a home-written HTML parser or something from a Danish ;) guy or a website "downloader" or something. In any case, it cuts off the request parameters and we throw an exception:
15:38:48,818 ERROR [Remoting] Error
javax.servlet.ServletException: Invalid request - no component specified
at org.jboss.seam.remoting.InterfaceGenerator$1.process(InterfaceGenerator.java:73)
at org.jboss.seam.servlet.ContextualHttpServletRequest.run(ContextualHttpServletRequest.java:53)
at org.jboss.seam.remoting.InterfaceGenerator.handle(InterfaceGenerator.java:64)
at org.jboss.seam.remoting.Remoting.getResource(Remoting.java:111)
at org.jboss.seam.servlet.SeamResourceServlet.doGet(SeamResourceServlet.java:75)
Do not throw an exception but either return 400 INVALID REQUEST or 404 NOT FOUND.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
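The change requested in JBSEAM-2820, as an added example that is not Seam's own InterfaceGenerator code: a validator that classifies the query string of an interface.js request before any component lookup happens, so a request with no parameters (like the one in the access log above) ends as 400, a well-formed but unknown component name ends as 404, and only real names reach the generator. The class and method names, the component-name pattern and the inline component registry are assumptions constructed for the example.

```java
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Pattern;

/**
 * Validates a remoting "interface.js" query string before any component lookup,
 * so malformed or unknown requests become a plain HTTP status instead of a logged
 * ServletException. Added example with hypothetical names; not Seam's code.
 */
public final class RemotingRequestValidator {

    /** Component names look like (dotted) Java identifiers; this pattern is an assumption. */
    private static final Pattern COMPONENT_NAME =
        Pattern.compile("[A-Za-z_][A-Za-z0-9_]*(\\.[A-Za-z_][A-Za-z0-9_]*)*");

    public static final int OK = 200;
    public static final int BAD_REQUEST = 400;
    public static final int NOT_FOUND = 404;

    /** HTTP status to send and, when status == OK, the requested component names in request order. */
    public static final class Result {
        public final int status;
        public final Set<String> components;

        Result(int status, Set<String> components) {
            this.status = status;
            this.components = components;
        }
    }

    public static Result validate(String queryString, Set<String> knownComponents) {
        // "GET /seam/resource/remoting/interface.js" with no query string: nothing to generate, so 400.
        if (queryString == null || queryString.trim().length() == 0) {
            return new Result(BAD_REQUEST, new LinkedHashSet<String>());
        }
        Set<String> names = new LinkedHashSet<String>();
        for (String param : queryString.split("&")) {
            // Requests use bare names ("?A&B"); tolerate "A=" but ignore any value.
            int eq = param.indexOf('=');
            String name = eq >= 0 ? param.substring(0, eq) : param;
            if (!COMPONENT_NAME.matcher(name).matches()) {
                // Syntactically not a component name: the client sent garbage.
                return new Result(BAD_REQUEST, new LinkedHashSet<String>());
            }
            if (!knownComponents.contains(name)) {
                // Well-formed, but no such component is registered.
                return new Result(NOT_FOUND, new LinkedHashSet<String>());
            }
            names.add(name);
        }
        return new Result(OK, names);
    }

    public static void main(String[] args) {
        // Constructed registry of component names; a real deployment would consult Seam's component map.
        Set<String> known = new TreeSet<String>();
        known.add("accountOpen");
        known.add("customerSearch");
        // Constructed inputs: the logged request (no query string), an unknown name, junk, a valid pair.
        String[] queries = { null, "noSuchBean", "<script>", "accountOpen&customerSearch" };
        for (String q : queries) {
            Result r = validate(q, known);
            System.out.println(String.valueOf(q) + " -> " + r.status + " " + r.components);
        }
    }
}
```

In the resource servlet a non-OK status would go to response.sendError(status) and be logged once at WARN without a stack trace, so probes like the one above stop filling the ERROR log and the client learns nothing beyond the status code.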
[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-4161) Cookies stored incorrectly when web application is deployed with empty root path
by Evgeny Denisov (JIRA)
Cookies stored incorrectly when web application is deployed with empty root path
--------------------------------------------------------------------------------
Key: JBSEAM-4161
URL: https://jira.jboss.org/jira/browse/JBSEAM-4161
Project: Seam
Issue Type: Bug
Components: Core, Security
Affects Versions: 2.1.1.GA
Environment: Firefox 3.0.x
Reporter: Evgeny Denisov
There is a bug that prevents the RememberMe functionality from working properly. It occurs when the web application is deployed with an empty context root path and can be reproduced in Firefox 3.0.8.
A similar bug was reported earlier for Spring: http://jira.springframework.org/browse/SEC-364
The cause is the empty cookie path that is set to "" in org.jboss.seam.faces.Selector when the context root of the deployed web app is empty. An empty cookie path results in inconsistent behavior, at least between IE and Firefox: IE presumes "/" whereas Firefox presumes the leading path for the current request. Chrome 1.0 also does not like an empty cookie path.
The bug can be fixed if the method
public void setCookiePath(String cookiePath)
of org.jboss.seam.faces.Selector
is modified as follows:
public void setCookiePath(String cookiePath)
{
/* firefox does not like empty cookie path */
if (cookiePath == null || cookiePath.isEmpty()) {
this.cookiePath = "/";
} else {
this.cookiePath = cookiePath;
}
}
[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-3565) Remoting interface generation problem
by Andy Siu (JIRA)
Remoting interface generation problem
-------------------------------------
Key: JBSEAM-3565
URL: https://jira.jboss.org/jira/browse/JBSEAM-3565
Project: Seam
Issue Type: Bug
Components: Remoting
Reporter: Andy Siu
Assignee: Shane Bryzak
There is a problem with the caching mechanism for generating the remote interface for ajax calls,
in
public void generateComponentInterface(Set<Component> components, OutputStream out, Set<Type> types)
The generated interface is cached in interfaceCache. However, when more than one component is passed at the same time, there may be a problem.
E.g.
seam/resource/remoting/interface.js?A&B
where both A and B contain a type C:
A->C will be cached with the name A,
but only B will be cached with the name B (C will be skipped as it was already generated in A).
When another page only calls seam/resource/remoting/interface.js?B,
C will be missed as the cached B does not contain C.
I've made a workaround by passing a new HashSet<Type>() into appendComponentSource every time:
appendComponentSource(bOut, c, new HashSet<Type>());
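The caching defect described in JBSEAM-3565, reduced to a small model so the two behaviours can be run side by side. This is an added example built on constructed component and type data; it is not Seam's InterfaceGenerator, and the class and method names (other than appendComponentSource and interfaceCache, which the report mentions) are assumptions. A component's generated "source" is just the list of type stubs emitted for it.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Model of the interface cache from the report: a shared "already generated types"
 * set across one request makes the second component's cached entry incomplete.
 * Added example with constructed data; not Seam code.
 */
public final class InterfaceCacheDemo {

    /** Constructed registry: component name -> the types its remote methods expose. */
    private static final Map<String, List<String>> COMPONENT_TYPES = new LinkedHashMap<String, List<String>>();
    static {
        COMPONENT_TYPES.put("A", Arrays.asList("C"));
        COMPONENT_TYPES.put("B", Arrays.asList("C", "D"));
    }

    /** Cached per-component source keyed by component name, as interfaceCache in the report. */
    private final Map<String, String> interfaceCache = new HashMap<String, String>();

    /** Emits stubs for the component's types, skipping any type already present in emitted. */
    static String appendComponentSource(String component, Set<String> emitted) {
        StringBuilder out = new StringBuilder("component ").append(component).append(':');
        for (String type : COMPONENT_TYPES.get(component)) {
            if (emitted.add(type)) {
                out.append(" type ").append(type);
            }
        }
        return out.toString();
    }

    /** Reported behaviour: one type set shared by every component in the request. */
    String generateShared(List<String> components) {
        return generate(components, new HashSet<String>(), false);
    }

    /** Reporter's workaround: a fresh type set per component, so each cached entry is complete on its own. */
    String generatePerComponent(List<String> components) {
        return generate(components, null, true);
    }

    private String generate(List<String> components, Set<String> shared, boolean freshPerComponent) {
        StringBuilder all = new StringBuilder();
        for (String c : components) {
            String src = interfaceCache.get(c);
            if (src == null) {
                Set<String> types = freshPerComponent ? new HashSet<String>() : shared;
                src = appendComponentSource(c, types);
                interfaceCache.put(c, src);   // this string is what later requests for c will receive
            }
            all.append(src).append('\n');
        }
        return all.toString();
    }

    public static void main(String[] args) {
        // First page asks for interface.js?A&B, a second page for interface.js?B (served from cache).
        InterfaceCacheDemo buggy = new InterfaceCacheDemo();
        buggy.generateShared(Arrays.asList("A", "B"));
        System.out.print("shared set, ?B from cache:\n" + buggy.generateShared(Arrays.asList("B")));

        InterfaceCacheDemo fixed = new InterfaceCacheDemo();
        fixed.generatePerComponent(Arrays.asList("A", "B"));
        System.out.print("fresh set, ?B from cache:\n" + fixed.generatePerComponent(Arrays.asList("B")));
    }
}
```

With the shared set, B's cached entry lacks C because C was attributed to A in the same request, which is the missing-type failure the report describes; with a fresh set per component, B's entry carries both C and D. The price of the workaround is visible in the combined ?A&B output, where C is now emitted twice, so any deduplication has to move from inside the cached entries to the point where entries are concatenated for one response.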
[JBoss JIRA] Created: (SEAMFACES-26) Implement global protection against XSRF attacks via incremental token-based form fields
by Lincoln Baxter III (JIRA)
Implement global protection against XSRF attacks via incremental token-based form fields
----------------------------------------------------------------------------------------
Key: SEAMFACES-26
URL: https://jira.jboss.org/browse/SEAMFACES-26
Project: Seam Faces
Issue Type: Feature Request
Components: Security
Reporter: Lincoln Baxter III
Fix For: 3.0.0.Alpha4
I'd like to see a way to implement this for ALL pages, not requiring a custom tag.
I believe this could be done easily using the PreRenderViewEvent to add a hidden form field to store the token in all outbound forms, in combination with a cookie that is sent to the browser, storing a unique private key for that browser session.
Next, use a phase-listener after Restore_View, comparing the request parameter to the restored component value or session. Very similar to the <s:token> component, but as a global solution that could be enabled/disabled via XML config.
The token value increments on each subsequent form submission, and includes a hashed version of the browser's signature (and the corresponding public key for the browser's cookie-assigned private key). The token is compared to either a value stored in ViewState (insecure if using client-side state-saving) or a value stored in the user's session (as an ordered list that can detect repeat or invalid requests).
Question: how does this affect the back-button?
Note: In order for any cookie-based public key to be assigned to the browser, one MUST assume that the server/client are speaking HTTPS, otherwise any communication of public/private keys will be vulnerable to man-in-the-middle attacks.
"1. When rendered, it assigns a unique identifier to the browser using a cookie that lives until the end of the browser session. This is roughly the browser's private key. The <s:token> tag is used inside of an <h:form> and generates a hidden form field named javax.faces.FormSignature. The form signature is calculated as follows: "
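The server-side half of the scheme sketched in SEAMFACES-26, as an added example that is not Seam Faces' <s:token> implementation: one guard object per HTTP session issues the hidden-field value for each rendered form and checks it on postback. The token is "<counter>:<base64 HMAC-SHA256>" over the form id and the counter under a per-session random secret, and issued-but-unconsumed counters are kept in a bounded set so each token is accepted exactly once. The class and method names, the token layout and the 64-token bound are assumptions; the report's cookie-held browser key would slot in as the HMAC key in place of the session secret used here.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Per-session anti-XSRF form token issuer and validator. Added example with
 * hypothetical names; not the Seam Faces <s:token> code.
 */
public final class FormTokenGuard {

    private static final SecureRandom RNG = new SecureRandom();
    private static final int MAX_OUTSTANDING = 64;      // bound on remembered unused tokens per form (assumed)

    private final byte[] sessionSecret = new byte[32];  // in a real app this lives in the server-side session
    private final Map<String, Set<Long>> outstanding = new HashMap<String, Set<Long>>();
    private long counter = 0;

    public FormTokenGuard() {
        RNG.nextBytes(sessionSecret);
    }

    /** Called at render time; the returned value goes into the hidden form field. */
    public synchronized String issue(String formId) {
        long n = ++counter;
        Set<Long> unused = outstanding.get(formId);
        if (unused == null) {
            unused = new LinkedHashSet<Long>();
            outstanding.put(formId, unused);
        }
        if (unused.size() >= MAX_OUTSTANDING) {
            unused.remove(unused.iterator().next());   // drop the oldest issued counter
        }
        unused.add(n);
        return n + ":" + Base64.getEncoder().encodeToString(mac(formId, n));
    }

    /** Called after Restore View; true exactly once per issued token, false for forged, tampered or replayed ones. */
    public synchronized boolean validate(String formId, String token) {
        if (token == null) {
            return false;
        }
        int sep = token.indexOf(':');
        if (sep <= 0) {
            return false;
        }
        long n;
        byte[] given;
        try {
            n = Long.parseLong(token.substring(0, sep));
            given = Base64.getDecoder().decode(token.substring(sep + 1));
        } catch (IllegalArgumentException e) {      // NumberFormatException is a subclass
            return false;
        }
        // Constant-time comparison, so the check leaks nothing about the expected MAC.
        if (!MessageDigest.isEqual(mac(formId, n), given)) {
            return false;
        }
        Set<Long> unused = outstanding.get(formId);
        return unused != null && unused.remove(n);   // a second submission of the same token fails here
    }

    private byte[] mac(String formId, long n) {
        try {
            Mac hmac = Mac.getInstance("HmacSHA256");
            hmac.init(new SecretKeySpec(sessionSecret, "HmacSHA256"));
            return hmac.doFinal((formId + ':' + n).getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        FormTokenGuard guard = new FormTokenGuard();
        String token = guard.issue("contactForm");
        System.out.println("fresh token accepted: " + guard.validate("contactForm", token));
        System.out.println("same token again:     " + guard.validate("contactForm", token));
        String forged = token.substring(0, token.indexOf(':') + 1)
            + Base64.getEncoder().encodeToString(new byte[32]);
        System.out.println("forged MAC:           " + guard.validate("contactForm", forged));
        String older = guard.issue("contactForm");
        guard.issue("contactForm");                  // a newer render of the same form, e.g. after Back
        System.out.println("older unused token:   " + guard.validate("contactForm", older));
    }
}
```

Keeping a set of outstanding counters rather than a single "last seen" value is what decides the back-button question raised above: an older form that was rendered but never submitted still validates once, while any token that has already been consumed, or whose MAC does not verify, is rejected.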
[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-1620) "java.lang.IllegalStateException: No application context active" thrown on legacy components.xml declaration
by Przemyslaw Jaskierski (JIRA)
"java.lang.IllegalStateException: No application context active" thrown on legacy components.xml declaration
------------------------------------------------------------------------------------------------------------
Key: JBSEAM-1620
URL: http://jira.jboss.com/jira/browse/JBSEAM-1620
Project: JBoss Seam
Issue Type: Bug
Affects Versions: 2.0.0.BETA1
Environment: Tomcat 6.0.13
Reporter: Przemyslaw Jaskierski
Fix For: 2.0.0.CR1
Reporting on Gavin's demand. After migrating from 1.3.0 ALPHA to the latest 2.0.0 cvs snapshot I got this exception, because on my classpath there was an alternate components.xml with core:microcontainer. Please see the forum topic for the complete description. Posting only the stacktrace here.
java.lang.IllegalStateException: No application context active
at org.jboss.seam.Component.forName(Component.java:1707)
at org.jboss.seam.Component.getInstance(Component.java:1757)
at org.jboss.seam.Component.getInstance(Component.java:1740)
at org.jboss.seam.Component.getInstance(Component.java:1719)
at org.jboss.seam.core.ResourceBundle.instance(ResourceBundle.java:209)
at org.jboss.seam.jsf.SeamApplicationMessageBundle.handleGetObject(SeamApplicationMessageBundle.java:28)
at java.util.ResourceBundle.getObject(ResourceBundle.java:380)
at java.util.ResourceBundle.getString(ResourceBundle.java:346)
at com.sun.faces.util.MessageFactory.getMessage(MessageFactory.java:151)
at com.sun.faces.util.MessageFactory.getMessage(MessageFactory.java:122)
at com.sun.faces.util.MessageUtils.getExceptionMessageString(MessageUtils.java:277)
at com.sun.faces.config.ConfigureListener.configure(ConfigureListener.java:828)
at com.sun.faces.config.ConfigureListener.configure(ConfigureListener.java:486)
at com.sun.faces.config.ConfigureListener.contextInitialized(ConfigureListener.java:381)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3827)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4334)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
at org.apache.catalina.core.StandardService.start(StandardService.java:516)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:566)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Jul 7, 2007 7:21:43 PM org.apache.catalina.core.StandardContext listenerStart
SEVERE: Exception sending context initialized event to listener instance of class com.sun.faces.config.ConfigureListener
javax.faces.FacesException: java.lang.IllegalStateException: No application context active
at com.sun.faces.config.ConfigureListener.contextInitialized(ConfigureListener.java:387)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3827)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4334)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
at org.apache.catalina.core.StandardService.start(StandardService.java:516)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:566)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Caused by: java.lang.IllegalStateException: No application context active
at org.jboss.seam.Component.forName(Component.java:1707)
at org.jboss.seam.Component.getInstance(Component.java:1757)
at org.jboss.seam.Component.getInstance(Component.java:1740)
at org.jboss.seam.Component.getInstance(Component.java:1719)
at org.jboss.seam.core.ResourceBundle.instance(ResourceBundle.java:209)
at org.jboss.seam.jsf.SeamApplicationMessageBundle.handleGetObject(SeamApplicationMessageBundle.java:28)
at java.util.ResourceBundle.getObject(ResourceBundle.java:380)
at java.util.ResourceBundle.getString(ResourceBundle.java:346)
at com.sun.faces.util.MessageFactory.getMessage(MessageFactory.java:151)
at com.sun.faces.util.MessageFactory.getMessage(MessageFactory.java:122)
at com.sun.faces.util.MessageUtils.getExceptionMessageString(MessageUtils.java:277)
at com.sun.faces.config.ConfigureListener.configure(ConfigureListener.java:828)
at com.sun.faces.config.ConfigureListener.configure(ConfigureListener.java:486)
at com.sun.faces.config.ConfigureListener.contextInitialized(ConfigureListener.java:381)
... 15 more
[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-2588) s:conversationPropagation breaks a4j:commandButton
by Fijai Cairo (JIRA)
s:conversationPropagation breaks a4j:commandButton
--------------------------------------------------
Key: JBSEAM-2588
URL: http://jira.jboss.com/jira/browse/JBSEAM-2588
Project: JBoss Seam
Issue Type: Bug
Components: JSF Controls
Affects Versions: 2.0.1.GA
Environment: Firefox OSX 10.51, JBoss AS 4.22, JAVA 1.5.0_13-b05-237
Reporter: Fijai Cairo
<a4j:commandButton styleClass="btn" id="contactButton#{accountHolder}" oncomplete="UIControl('contactForm', 'contact', 'identification');" reRender="contactBlock#{accountHolder},uiSec" actionListener="#{accountOpen.submitContactInfo}" value="Continue" >
<a4j:actionparam name="holder" value="getSuffix()" noEscape="true"/>
<s:conversationPropagation type="join" />
</a4j:commandButton>
Renders the following. Notice that the onclick handler is rendered before the input is rendered, which causes a document.getElementById("contactButton1") has no properties javascript error.
<div id="contactContinueSection1" style="padding: 10px 10px 10px 10px; display: block">
<script language="JavaScript" type="text/javascript">
//<![CDATA[
document.getElementById('contactButton1').onclick = new Function("event", "{if (document.getElementById){var form = document.getElementById('contactForm1');var input = document.createElement('input');if (document.all){ input.type = 'hidden';input.name = 'conversationPropagation';input.value = 'join';}else if (document.getElementById) {input.setAttribute('type', 'hidden');input.setAttribute('name', 'conversationPropagation');input.setAttribute('value', 'join');}form.appendChild(input);return true;}}");
//]]>
</script>
<input id="contactButton1" name="contactButton1" onclick="A4J.AJAX.Submit('_viewRoot','contactForm1',event,{'parameters':{'holder':getSuffix(),'conversationPropagation':'join','contactButton1':'contactButton1'} ,'actionUrl':'/BaisiPrototype/AE/primary.jspv?javax.portlet.faces.DirectLink=true','oncomplete':function(request,event,data){UIControl('contactForm', 'contact', 'identification');}} );return false;" value="Continue" class="btn" type="button" />
</div>
Without <s:conversationPropagation type="join" />, the onclick handler is rendered as an attribute of the button, as follows:
<div id="contactContinueSection1" style="padding: 10px 10px 10px 10px; display: block"><input id="contactButton1" name="contactButton1" onclick="A4J.AJAX.Submit('_viewRoot','contactForm1',event,{'parameters':{'holder':getSuffix(),'contactButton1':'contactButton1'} ,'actionUrl':'/BaisiPrototype/AE/primary.jspv?javax.portlet.faces.DirectLink=true','oncomplete':function(request,event,data){UIControl('contactForm', 'contact', 'identification');}} );return false;" value="Continue" class="btn" type="button" />