January 2013 - seam-issues - Jboss List Archives

[JBoss JIRA] (SEAM-142) Upgrade OpenWebBeans dependency to the latest CDI 1.0 compliant, which is 1.1.7

by Dominik Drzewiecki (JIRA)

Dominik Drzewiecki created SEAM-142: --------------------------------------- Summary: Upgrade OpenWebBeans dependency to the latest CDI 1.0 compliant, which is 1.1.7 Key: SEAM-142 URL: https://issues.jboss.org/browse/SEAM-142 Project: Seam 3 Distribution Issue Type: Library Upgrade Components: Conversation Management Affects Versions: 3.1.0.Final Environment: Apache Tomee 1.5.x, Tomcat 7.x + OpenWebBeans 1.1.x Reporter: Dominik Drzewiecki Please release (deploy to central repo) seam-conversation-owb that is dependant on the 1.1.x OWB. The code is already there: https://github.com/seam/conversation/commit/a5f2e3f42829f8405e6bee6caab43... and gets deployed to jboss snapshots repository as 3.2.0-SNAPSHOT and can be retrieved from https://repository.jboss.org/nexus/content/groups/public/org/jboss/seam/c... -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

11 years, 11 months

1
0
0 / 0

[JBoss JIRA] (JBSEAM-5066) Incorrect Redirection

by Tiago Peruzzo (JIRA)

[ https://issues.jboss.org/browse/JBSEAM-5066?page=com.atlassian.jira.plugi... ] Tiago Peruzzo updated JBSEAM-5066: ---------------------------------- Attachment: patch.zip Patch fix, more a redirection test class > Incorrect Redirection > --------------------- > > Key: JBSEAM-5066 > URL: https://issues.jboss.org/browse/JBSEAM-5066 > Project: Seam 2 > Issue Type: Bug > Affects Versions: 2.3.0.CR1 > Reporter: Tiago Peruzzo > Attachments: patch.zip > > > After the changes in SeamViewHandler all url's were with conversationId, however in some cases redirect rules exist that may not need to have conversationId in url. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

11 years, 11 months

1
0
0 / 0

[JBoss JIRA] (JBSEAM-5066) Incorrect Redirection

by Tiago Peruzzo (JIRA)

Tiago Peruzzo created JBSEAM-5066: ------------------------------------- Summary: Incorrect Redirection Key: JBSEAM-5066 URL: https://issues.jboss.org/browse/JBSEAM-5066 Project: Seam 2 Issue Type: Bug Affects Versions: 2.3.0.CR1 Reporter: Tiago Peruzzo After the changes in SeamViewHandler all url's were with conversationId, however in some cases redirect rules exist that may not need to have conversationId in url. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

11 years, 11 months

1
0
0 / 0

[JBoss JIRA] (SEAMSECURITY-98) JaasAuthenticator AuthenticationException: Authenticator must provide a non-null User after successful authentication

by Lincoln Baxter III (JIRA)

[ https://issues.jboss.org/browse/SEAMSECURITY-98?page=com.atlassian.jira.p... ] Lincoln Baxter III updated SEAMSECURITY-98: ------------------------------------------- Status: Closed (was: Pull Request Sent) Assignee: Lincoln Baxter III Fix Version/s: 3.1.1.Final Resolution: Done Merged pull request from Nicolas. > JaasAuthenticator AuthenticationException: Authenticator must provide a non-null User after successful authentication > --------------------------------------------------------------------------------------------------------------------- > > Key: SEAMSECURITY-98 > URL: https://issues.jboss.org/browse/SEAMSECURITY-98 > Project: Seam Security > Issue Type: Bug > Affects Versions: 3.1.0.Beta1 > Environment: Seam Security 3.1.0.Beta2, Ubuntu 11.04 64-bit, JBoss AS 7.0.1 everything > Reporter: Hendy Irawan > Assignee: Lincoln Baxter III > Fix For: 3.1.1.Final > > > I use JaasAuthenticator with the following config: > <?xml version="1.0" encoding="UTF-8"?> > <beans xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > xmlns:s="urn:java:ee" > xmlns:security="urn:java:org.jboss.seam.security" > xmlns:jaas="urn:java:org.jboss.seam.security.jaas" > xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://www.jboss.org/schema/cdi/beans_1_0.xsd"> > <security:IdentityImpl> > <s:modifies/> > <security:authenticatorClass>org.jboss.seam.security.jaas.JaasAuthenticator</security:authenticatorClass> > </security:IdentityImpl> > <jaas:JaasAuthenticator> > <s:modifies/> > <jaas:jaasConfigName>other</jaas:jaasConfigName> > </jaas:JaasAuthenticator> > <interceptors> >  > </interceptors> > </beans> > In JBoss I configure 'other' to use UsersRoles, and I also put users.properties and roles.properties in my project's src/main/resources. > However, even if I put the right username/password, it gives this error: > 03:10:14,534 ERROR [org.jboss.seam.security.IdentityImpl] (http--127.0.0.1-8080-6) Login failed: org.jboss.seam.security.AuthenticationException: Authenticator must provide a non-null User after successful authentication > at org.jboss.seam.security.IdentityImpl.postAuthenticate(IdentityImpl.java:281) [seam-security-3.1.0.Beta2.jar:] > at org.jboss.seam.security.IdentityImpl.authenticate(IdentityImpl.java:233) [seam-security-3.1.0.Beta2.jar:] > at org.jboss.seam.security.IdentityImpl.login(IdentityImpl.java:164) [seam-security-3.1.0.Beta2.jar:] > at org.jboss.seam.security.IdentityImpl$Proxy$_$$_WeldClientProxy.login(IdentityImpl$Proxy$_$$_WeldClientProxy.java) [seam-security-3.1.0.Beta2.jar:] > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [:1.6.0_22] > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [:1.6.0_22] > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [:1.6.0_22] > at java.lang.reflect.Method.invoke(Method.java:616) [:1.6.0_22] > at org.apache.el.parser.AstValue.invoke(AstValue.java:196) [jbossweb-7.0.1.Final.jar:7.0.1.Final] > at org.apache.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:276) [jbossweb-7.0.1.Final.jar:7.0.1.Final] > at org.jboss.weld.util.el.ForwardingMethodExpression.invoke(ForwardingMethodExpression.java:43) [weld-core-1.1.2.Final.jar:2011-07-26 15:02] > at org.jboss.weld.el.WeldMethodExpression.invoke(WeldMethodExpression.java:56) [weld-core-1.1.2.Final.jar:2011-07-26 15:02] > at com.sun.faces.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:105) [jsf-impl-2.0.4-b09-jbossorg-4.jar:2.0.4-b09-jbossorg-4] > at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:88) [jboss-jsf-api_2.0_spec-1.0.0.Final.jar:1.0.0.Final] > at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:102) [jsf-impl-2.0.4-b09-jbossorg-4.jar:2.0.4-b09-jbossorg-4] > at javax.faces.component.UICommand.broadcast(UICommand.java:315) [jboss-jsf-api_2.0_spec-1.0.0.Final.jar:1.0.0.Final] > at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:787) [jboss-jsf-api_2.0_spec-1.0.0.Final.jar:1.0.0.Final] > at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:1252) [jboss-jsf-api_2.0_spec-1.0.0.Final.jar:1.0.0.Final] > at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:81) [jsf-impl-2.0.4-b09-jbossorg-4.jar:2.0.4-b09-jbossorg-4] > at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101) [jsf-impl-2.0.4-b09-jbossorg-4.jar:2.0.4-b09-jbossorg-4] > at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:118) [jsf-impl-2.0.4-b09-jbossorg-4.jar:2.0.4-b09-jbossorg-4] > at javax.faces.webapp.FacesServlet.service(FacesServlet.java:312) [jboss-jsf-api_2.0_spec-1.0.0.Final.jar:1.0.0.Final] > at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329) [jbossweb-7.0.1.Final.jar:7.0.1.Final] > at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.1.Final.jar:7.0.1.Final] > at org.jboss.weld.servlet.ConversationPropagationFilter.doFilter(ConversationPropagationFilter.java:67) [weld-core-1.1.2.Final.jar:2011-07-26 15:02] > at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.1.Final.jar:7.0.1.Final] > at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.1.Final.jar:7.0.1.Final] > at com.ocpsoft.pretty.PrettyFilter.doFilter(PrettyFilter.java:118) [prettyfaces-jsf2-3.3.0.jar:] > at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.1.Final.jar:7.0.1.Final] > at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.1.Final.jar:7.0.1.Final] > at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbossweb-7.0.1.Final.jar:7.0.1.Final] > at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.1.Final.jar:7.0.1.Final] > at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:139) [jboss-as-web-7.0.1.Final.jar:7.0.1.Final] > at org.jboss.as.web.NamingValve.invoke(NamingValve.java:57) [jboss-as-web-7.0.1.Final.jar:7.0.1.Final] > at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:154) [jbossweb-7.0.1.Final.jar:7.0.1.Final] > at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.1.Final.jar:7.0.1.Final] > at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.1.Final.jar:7.0.1.Final] > at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:362) [jbossweb-7.0.1.Final.jar:7.0.1.Final] > at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:897) [jbossweb-7.0.1.Final.jar:7.0.1.Final] > at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:626) [jbossweb-7.0.1.Final.jar:7.0.1.Final] > at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:2054) [jbossweb-7.0.1.Final.jar:7.0.1.Final] > at java.lang.Thread.run(Thread.java:679) [:1.6.0_22] -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

11 years, 11 months

1
0
0 / 0

[JBoss JIRA] (JBSEAM-2450) OWASP / New Session after Login

by ahus1 (JIRA)

[ https://issues.jboss.org/browse/JBSEAM-2450?page=com.atlassian.jira.plugi... ] ahus1 commented on JBSEAM-2450: ------------------------------- Hello Ricardo, the newSession() method needs to be called manually whenever you want to have a new session ID. I call it after a successful authentication of the user. If you are using Seam and have a custom Authenticator, this will be a good place to call this method. Best regards, Alexander. > OWASP / New Session after Login > ------------------------------- > > Key: JBSEAM-2450 > URL: https://issues.jboss.org/browse/JBSEAM-2450 > Project: Seam 2 > Issue Type: Feature Request > Components: Security > Affects Versions: 2.0.0.GA > Environment: Linux 2.6, jetty 6.1.5 and tomcat 6, java 6 > Reporter: ahus1 > Assignee: Shane Bryzak > Fix For: The future > > Attachments: NewSessionFilter.java, NewSessionFilter.java, NewSessionFilter.java, SessionFixationProtectionValve.java > > > Hello, > OWASP has compiled a "top 10" vulnerablilities for web applications. > One suggestion against session hijacking was the following: Start a new HTTP-Session after a successful login: > "Consider regenerating a new session upon successful authentication or privilege level change." > http://www.owasp.org/index.php/Top_10_2007-A7 > Therefore there should be a (configurable?) switch to choose "continue with new session ID after successful log on" > I have thought of invalidating the current HTTP session, creating a new one and copying all elements from the old session to the new session in my Authenticator. But Seam 2.0.0 doesn't allow this: When I use the lowlevel functions this is blocked by IllegalStateException("Please end the HttpSession via Seam.invalidateSession()") in Lifecyle. When I use Seam.invalidateSession(), the session is only destroyed at the end of the request and I am unable to copy any objects in my Authenticator as the new session doesn't exist yet. > The workaround I have come up with is a filter, that destroys the complete session before the log in. > This is not very elegant, but it works for me as I don't have i.e. a shoping basket that I'd like to preserve. > A "nice" implementation in seam shouldn't have this limitation. > shane.bryzak(a)jboss.com asked for this ticket to be assigned to her. > The Java Class: > Code: > /** > * This filter enforces a new session whenever there is a POST, should be mapped > * to the URL of the login page in your web.xml > * @author Alexander Schwartz 2007 > */ > public class NewSessionFilter implements Filter { > private Log log = LogFactory.getLog(NewSessionFilter.class); > > private String url; > > public void destroy() { > // empty. > } > > public void doFilter(ServletRequest request, ServletResponse response, > FilterChain chain) throws IOException, ServletException { > if (request instanceof HttpServletRequest) { > HttpServletRequest httpRequest = (HttpServletRequest) request; > if (httpRequest.getMethod().equals("POST") > && httpRequest.getSession() != null > && !httpRequest.getSession().isNew() > && httpRequest.getRequestURI().endsWith(url)) { > httpRequest.getSession().invalidate(); > httpRequest.getSession(true); > log.info("new Session:" + httpRequest.getSession().getId()); > } > } > chain.doFilter(request, response); > } > > public void init(FilterConfig filterConfig) throws ServletException { > url = filterConfig.getInitParameter("url"); > if (url == null) { > throw new ServletException( > "please specify parameter 'url' with login URL"); > } > } > > } > > The web.xml: > Code: > <filter> > <display-name>NewSessionFilter</display-name> > <filter-name>NewSessionFilter</filter-name> > <filter-class> > NewSessionFilter > </filter-class> > <init-param> > <param-name>url</param-name> > <param-value>/iss/login.jsf</param-value> > </init-param> > </filter> > <filter-mapping> > <filter-name>NewSessionFilter</filter-name> > <servlet-name>Faces Servlet</servlet-name> > <url-pattern>/iss/login.jsf</url-pattern> > <dispatcher>REQUEST</dispatcher> > </filter-mapping> > -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

11 years, 11 months

1
0
0 / 0

[JBoss JIRA] (JBSEAM-2450) OWASP / New Session after Login

by ahus1 (JIRA)

[ https://issues.jboss.org/browse/JBSEAM-2450?page=com.atlassian.jira.plugi... ] ahus1 updated JBSEAM-2450: -------------------------- Environment: Linux 2.6, jetty 6.1.5 and tomcat 6, java 6 (was: Linux 2.6, jetty 6.1.5, java 6) > OWASP / New Session after Login > ------------------------------- > > Key: JBSEAM-2450 > URL: https://issues.jboss.org/browse/JBSEAM-2450 > Project: Seam 2 > Issue Type: Feature Request > Components: Security > Affects Versions: 2.0.0.GA > Environment: Linux 2.6, jetty 6.1.5 and tomcat 6, java 6 > Reporter: ahus1 > Assignee: Shane Bryzak > Fix For: The future > > Attachments: NewSessionFilter.java, NewSessionFilter.java, NewSessionFilter.java, SessionFixationProtectionValve.java > > > Hello, > OWASP has compiled a "top 10" vulnerablilities for web applications. > One suggestion against session hijacking was the following: Start a new HTTP-Session after a successful login: > "Consider regenerating a new session upon successful authentication or privilege level change." > http://www.owasp.org/index.php/Top_10_2007-A7 > Therefore there should be a (configurable?) switch to choose "continue with new session ID after successful log on" > I have thought of invalidating the current HTTP session, creating a new one and copying all elements from the old session to the new session in my Authenticator. But Seam 2.0.0 doesn't allow this: When I use the lowlevel functions this is blocked by IllegalStateException("Please end the HttpSession via Seam.invalidateSession()") in Lifecyle. When I use Seam.invalidateSession(), the session is only destroyed at the end of the request and I am unable to copy any objects in my Authenticator as the new session doesn't exist yet. > The workaround I have come up with is a filter, that destroys the complete session before the log in. > This is not very elegant, but it works for me as I don't have i.e. a shoping basket that I'd like to preserve. > A "nice" implementation in seam shouldn't have this limitation. > shane.bryzak(a)jboss.com asked for this ticket to be assigned to her. > The Java Class: > Code: > /** > * This filter enforces a new session whenever there is a POST, should be mapped > * to the URL of the login page in your web.xml > * @author Alexander Schwartz 2007 > */ > public class NewSessionFilter implements Filter { > private Log log = LogFactory.getLog(NewSessionFilter.class); > > private String url; > > public void destroy() { > // empty. > } > > public void doFilter(ServletRequest request, ServletResponse response, > FilterChain chain) throws IOException, ServletException { > if (request instanceof HttpServletRequest) { > HttpServletRequest httpRequest = (HttpServletRequest) request; > if (httpRequest.getMethod().equals("POST") > && httpRequest.getSession() != null > && !httpRequest.getSession().isNew() > && httpRequest.getRequestURI().endsWith(url)) { > httpRequest.getSession().invalidate(); > httpRequest.getSession(true); > log.info("new Session:" + httpRequest.getSession().getId()); > } > } > chain.doFilter(request, response); > } > > public void init(FilterConfig filterConfig) throws ServletException { > url = filterConfig.getInitParameter("url"); > if (url == null) { > throw new ServletException( > "please specify parameter 'url' with login URL"); > } > } > > } > > The web.xml: > Code: > <filter> > <display-name>NewSessionFilter</display-name> > <filter-name>NewSessionFilter</filter-name> > <filter-class> > NewSessionFilter > </filter-class> > <init-param> > <param-name>url</param-name> > <param-value>/iss/login.jsf</param-value> > </init-param> > </filter> > <filter-mapping> > <filter-name>NewSessionFilter</filter-name> > <servlet-name>Faces Servlet</servlet-name> > <url-pattern>/iss/login.jsf</url-pattern> > <dispatcher>REQUEST</dispatcher> > </filter-mapping> > -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

11 years, 11 months

1
0
0 / 0

[JBoss JIRA] (JBSEAM-5045) Ajax error not calling ExceptionFilter

by Marek Novotny (JIRA)

[ https://issues.jboss.org/browse/JBSEAM-5045?page=com.atlassian.jira.plugi... ] Marek Novotny resolved JBSEAM-5045. ----------------------------------- Resolution: Done Thanks for patch, i have pushed that into our Git repository. https://github.com/seam2/jboss-seam/commit/c134599c6ff7ffcbf92da2b3a1d266... > Ajax error not calling ExceptionFilter > -------------------------------------- > > Key: JBSEAM-5045 > URL: https://issues.jboss.org/browse/JBSEAM-5045 > Project: Seam 2 > Issue Type: Bug > Affects Versions: 2.3.0.Final > Reporter: Tiago Peruzzo > Assignee: Marek Novotny > Fix For: 2.3.1.CR1 > > Attachments: ErrorHandlingTest.java, MockExternalContext.java, MockExternalContext.java, MockExternalContext.java, MockExternalContext.java, patch.zip > > > Now that JSF2 now has support for Ajax errors Ajax requests are being processed by the JSF and not being thrown exceptions to the Seam ExceptionFilter capture. > {code:xml} > <exception log="true" log-level="fatal"> > <end-conversation before-redirect="true" root="true"/> > <redirect view-id="/error.xhtml"> > <message severity="fatal">Unexpected error, please try again.</message> > </redirect> > </exception> > {code} > {code:xml} > <h:form> > <h:commandButton action="#{xxxx.xxxxx}" value="Submit"/> > <h:commandButton action="#{xxxx.xxxxx}" value="Ajax Submit"> > <f:ajax /> > </h:commandButton> > </h:form> > {code} > I even did a patch that still support the redirection to the error pages in AJAX requests. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

11 years, 11 months

1
0
0 / 0

[JBoss JIRA] (JBSEAM-5034) Allow for seam-gen run arquillian testsuite on generated project structure

by Marek Novotny (JIRA)

[ https://issues.jboss.org/browse/JBSEAM-5034?page=com.atlassian.jira.plugi... ] Marek Novotny commented on JBSEAM-5034: --------------------------------------- I pushed the latest changes - https://github.com/seam2/jboss-seam/commit/1d5c6aa8d94a08ed40119df594ebfc... > Allow for seam-gen run arquillian testsuite on generated project structure > -------------------------------------------------------------------------- > > Key: JBSEAM-5034 > URL: https://issues.jboss.org/browse/JBSEAM-5034 > Project: Seam 2 > Issue Type: Feature Request > Components: Test Harness, Tools > Reporter: Marek Novotny > Assignee: Vaclav Dedik > Priority: Critical > Fix For: 2.3.1.CR1 > > > seam-gen is not right now updated for our Arquillian integration tests. > ./seam test will not pass if you doesn't edit it manually. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

11 years, 11 months

1
0
0 / 0

[JBoss JIRA] (JBSEAM-5034) Allow for seam-gen run arquillian testsuite on generated project structure

by Marek Novotny (JIRA)

[ https://issues.jboss.org/browse/JBSEAM-5034?page=com.atlassian.jira.plugi... ] Marek Novotny resolved JBSEAM-5034. ----------------------------------- Resolution: Done > Allow for seam-gen run arquillian testsuite on generated project structure > -------------------------------------------------------------------------- > > Key: JBSEAM-5034 > URL: https://issues.jboss.org/browse/JBSEAM-5034 > Project: Seam 2 > Issue Type: Feature Request > Components: Test Harness, Tools > Reporter: Marek Novotny > Assignee: Vaclav Dedik > Priority: Critical > Fix For: 2.3.1.CR1 > > > seam-gen is not right now updated for our Arquillian integration tests. > ./seam test will not pass if you doesn't edit it manually. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

11 years, 11 months

1
0
0 / 0

[JBoss JIRA] (JBSEAM-2450) OWASP / New Session after Login

by Ricardo Martinelli Oliveira (JIRA)

[ https://issues.jboss.org/browse/JBSEAM-2450?page=com.atlassian.jira.plugi... ] Ricardo Martinelli Oliveira commented on JBSEAM-2450: ----------------------------------------------------- [~ahus1], I tried your solution and it didn't work. Can you tell me who should call newSession() method in the filter? > OWASP / New Session after Login > ------------------------------- > > Key: JBSEAM-2450 > URL: https://issues.jboss.org/browse/JBSEAM-2450 > Project: Seam 2 > Issue Type: Feature Request > Components: Security > Affects Versions: 2.0.0.GA > Environment: Linux 2.6, jetty 6.1.5, java 6 > Reporter: ahus1 > Assignee: Shane Bryzak > Fix For: The future > > Attachments: NewSessionFilter.java, NewSessionFilter.java, NewSessionFilter.java, SessionFixationProtectionValve.java > > > Hello, > OWASP has compiled a "top 10" vulnerablilities for web applications. > One suggestion against session hijacking was the following: Start a new HTTP-Session after a successful login: > "Consider regenerating a new session upon successful authentication or privilege level change." > http://www.owasp.org/index.php/Top_10_2007-A7 > Therefore there should be a (configurable?) switch to choose "continue with new session ID after successful log on" > I have thought of invalidating the current HTTP session, creating a new one and copying all elements from the old session to the new session in my Authenticator. But Seam 2.0.0 doesn't allow this: When I use the lowlevel functions this is blocked by IllegalStateException("Please end the HttpSession via Seam.invalidateSession()") in Lifecyle. When I use Seam.invalidateSession(), the session is only destroyed at the end of the request and I am unable to copy any objects in my Authenticator as the new session doesn't exist yet. > The workaround I have come up with is a filter, that destroys the complete session before the log in. > This is not very elegant, but it works for me as I don't have i.e. a shoping basket that I'd like to preserve. > A "nice" implementation in seam shouldn't have this limitation. > shane.bryzak(a)jboss.com asked for this ticket to be assigned to her. > The Java Class: > Code: > /** > * This filter enforces a new session whenever there is a POST, should be mapped > * to the URL of the login page in your web.xml > * @author Alexander Schwartz 2007 > */ > public class NewSessionFilter implements Filter { > private Log log = LogFactory.getLog(NewSessionFilter.class); > > private String url; > > public void destroy() { > // empty. > } > > public void doFilter(ServletRequest request, ServletResponse response, > FilterChain chain) throws IOException, ServletException { > if (request instanceof HttpServletRequest) { > HttpServletRequest httpRequest = (HttpServletRequest) request; > if (httpRequest.getMethod().equals("POST") > && httpRequest.getSession() != null > && !httpRequest.getSession().isNew() > && httpRequest.getRequestURI().endsWith(url)) { > httpRequest.getSession().invalidate(); > httpRequest.getSession(true); > log.info("new Session:" + httpRequest.getSession().getId()); > } > } > chain.doFilter(request, response); > } > > public void init(FilterConfig filterConfig) throws ServletException { > url = filterConfig.getInitParameter("url"); > if (url == null) { > throw new ServletException( > "please specify parameter 'url' with login URL"); > } > } > > } > > The web.xml: > Code: > <filter> > <display-name>NewSessionFilter</display-name> > <filter-name>NewSessionFilter</filter-name> > <filter-class> > NewSessionFilter > </filter-class> > <init-param> > <param-name>url</param-name> > <param-value>/iss/login.jsf</param-value> > </init-param> > </filter> > <filter-mapping> > <filter-name>NewSessionFilter</filter-name> > <servlet-name>Faces Servlet</servlet-name> > <url-pattern>/iss/login.jsf</url-pattern> > <dispatcher>REQUEST</dispatcher> > </filter-mapping> > -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira

11 years, 11 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

seam-issues January 2013