[richfaces-issues] [JBoss JIRA] (RF-13098) Regression: mediaOutput broken for CDI MediaData beans
Brian Leathem (JIRA)
jira-events at lists.jboss.org
Thu Aug 15 19:28:26 EDT 2013
[ https://issues.jboss.org/browse/RF-13098?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12797214#comment-12797214 ]
Brian Leathem commented on RF-13098:
------------------------------------
I discussed the consequences of whitelisting org.jboss.weld.bean.proxy.util.SerializableClientProxy with [~pmuir] on IRC, where he pointed out:
{quote}
[CDI] won't deserialize *arbitrary* classes, only classes that are beans because the SerializableClientProxy can only look up a bean in CDI so the class must be a CDI bean
{quote}
Bean classes that are allowable for deserialisation by CDI are classes that exist in a jar with a beans.xml marker. This excludes classes from arbitrary 3rd party libraries (unless they in turn have a beans.xml marker file present).
We will further investigate if we can discover the proxied class for the serialized bean data, but in the meantime adding the SerializableClientProxy class to the resource-serialization.properties should be considered a viable workaround. Just be sure to make sure you don't have any vulnerable classes in your CDI-enabled jars.
> Regression: mediaOutput broken for CDI MediaData beans
> ------------------------------------------------------
>
> Key: RF-13098
> URL: https://issues.jboss.org/browse/RF-13098
> Project: RichFaces
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: component-a4j-core
> Affects Versions: 4.3.3
> Reporter: Marek Schmidt
> Assignee: Brian Leathem
> Labels: regression
> Fix For: 4.3.4
>
> Original Estimate: 1 hour
> Remaining Estimate: 1 hour
>
> https://issues.jboss.org/browse/RF-13089 introduced a regression for a4j:mediaOutput component
> Having a
> {code}
> <a4j:mediaOutput element="img" cacheable="true" session="true" createContent="#{mediaBean.paint}" value="#{mediaData}" mimeType="image/jpeg"/>
> {code}
> with mediaData being a CDI bean, e.g.
> {code}
> @javax.inject.Named("mediaData")
> @javax.enterprise.context.RequestScoped
> public class MediaData implements Serializable
> {code}
> the following exception occurs:
> {code}
> 10:39:27,997 SEVERE [org.richfaces.log.Resource] (http-/127.0.0.1:8080-1) Input error for deserialize data : java.io.InvalidClassException: Unauthorized deserialization attempt; org.jboss.weld.bean.proxy.util.SerializableClientProxy
> at org.richfaces.util.LookAheadObjectInputStream.resolveClass(LookAheadObjectInputStream.java:93) [richfaces-core-impl-4.3.3.Final.jar:4.3.3.Final]
> at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1610) [rt.jar:1.7.0_25]
> at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1515) [rt.jar:1.7.0_25]
> at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1769) [rt.jar:1.7.0_25]
> at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1348) [rt.jar:1.7.0_25]
> at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1989) [rt.jar:1.7.0_25]
> at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1913) [rt.jar:1.7.0_25]
> at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1796) [rt.jar:1.7.0_25]
> at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1348) [rt.jar:1.7.0_25]
> at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1704) [rt.jar:1.7.0_25]
> at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1342) [rt.jar:1.7.0_25]
> at java.io.ObjectInputStream.readObject(ObjectInputStream.java:370) [rt.jar:1.7.0_25]
> at org.richfaces.util.Util.decodeObjectData(Util.java:237) [richfaces-core-impl-4.3.3.Final.jar:4.3.3.Final]
> at org.richfaces.resource.DefaultCodecResourceRequestData.getData(DefaultCodecResourceRequestData.java:97) [richfaces-core-impl-4.3.3.Final.jar:4.3.3.Final]
> at org.richfaces.resource.ResourceFactoryImpl.createResource(ResourceFactoryImpl.java:337) [richfaces-core-impl-4.3.3.Final.jar:4.3.3.Final]
> at org.richfaces.resource.ResourceHandlerImpl.handleResourceRequest(ResourceHandlerImpl.java:156) [richfaces-core-impl-4.3.3.Final.jar:4.3.3.Final]
> at javax.faces.webapp.FacesServlet.service(FacesServlet.java:591) [jboss-jsf-api_2.1_spec-2.1.19.1.Final-redhat-1.jar:2.1.19.1.Final-redhat-1]
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
> at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
> at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
> at java.lang.Thread.run(Thread.java:724) [rt.jar:1.7.0_25]
> {code}
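The rejection in the stack trace comes from a look-ahead deserialization whitelist: the input stream's resolveClass() is consulted for every class descriptor before any instance is built, so a class missing from resource-serialization.properties is refused without ever being loaded. The following is an added, self-contained Java example of that technique; it is not RichFaces' LookAheadObjectInputStream nor any Weld code, and the class names WhitelistDeserializationDemo, MediaData and UnlistedPayload, the JDK_BASELINE set and the sample objects are constructed for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Hypothetical look-ahead deserialization whitelist (not RichFaces' own
 * LookAheadObjectInputStream). resolveClass() runs for every class descriptor
 * before an instance is created, so an unlisted class is rejected without
 * being instantiated, which is the failure mode shown in the issue's stack trace.
 */
public class WhitelistDeserializationDemo {

    /** Stand-in for the CDI bean in the issue; constructed sample type. */
    static final class MediaData implements Serializable {
        private static final long serialVersionUID = 1L;
        final String mimeType;
        final int width;
        MediaData(String mimeType, int width) { this.mimeType = mimeType; this.width = width; }
    }

    /** Constructed sample type that is Serializable but not on the whitelist. */
    static final class UnlistedPayload implements Serializable {
        private static final long serialVersionUID = 1L;
        final String note = "should never be resolved";
    }

    /** JDK types any stream may reference; in RichFaces this list lives in resource-serialization.properties. */
    private static final Set<String> JDK_BASELINE = new HashSet<>(Arrays.asList(
            "java.lang.String", "java.lang.Number", "java.lang.Integer", "java.lang.Long"));

    static final class LookAheadObjectInputStream extends ObjectInputStream {
        private final Set<String> whitelist;

        LookAheadObjectInputStream(byte[] data, Set<String> whitelist) throws IOException {
            super(new ByteArrayInputStream(data));
            this.whitelist = whitelist;
        }

        /** Strip array prefixes: "[Lcom.x.Foo;" -> "com.x.Foo"; "[B" -> null (primitive array, always allowed). */
        private static String elementType(String name) {
            String n = name;
            while (n.startsWith("[")) n = n.substring(1);
            if (n.startsWith("L") && n.endsWith(";")) return n.substring(1, n.length() - 1);
            return n.length() == 1 ? null : n;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String base = elementType(desc.getName());
            if (base != null && !JDK_BASELINE.contains(base) && !whitelist.contains(base)) {
                // Same message shape as the log line in the issue; the class is never loaded.
                throw new InvalidClassException("Unauthorized deserialization attempt; " + desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    static Object deserialize(byte[] data, Set<String> whitelist)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new LookAheadObjectInputStream(data, whitelist)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Whitelist only the bean class, as adding one line to resource-serialization.properties would.
        Set<String> whitelist = Collections.singleton(MediaData.class.getName());

        MediaData ok = (MediaData) deserialize(serialize(new MediaData("image/jpeg", 640)), whitelist);
        System.out.println("accepted: " + ok.mimeType + " " + ok.width);

        try {
            deserialize(serialize(new UnlistedPayload()), whitelist);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check only ever sees the class names written into the stream. If a whitelisted class replaces itself during deserialization (a readResolve() that looks something up, which is how a serializable client proxy behaves), the object it hands back is not re-checked by resolveClass(). That is exactly the gap the comment above reasons about: whitelisting SerializableClientProxy is acceptable only because the container it resolves through limits the lookup to CDI bean classes, so the set of reachable classes is bounded by the jars carrying a beans.xml marker rather than by every class on the classpath.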