[richfaces-issues] [JBoss JIRA] (RF-13195) Showcase: Unauthorized deserialization attempt with MyFaces

Pavol Pitonak (JIRA) jira-events at lists.jboss.org
Tue Sep 17 02:43:03 EDT 2013 

Pavol Pitonak created RF-13195:
----------------------------------

             Summary: Showcase: Unauthorized deserialization attempt with MyFaces
                 Key: RF-13195
                 URL: https://issues.jboss.org/browse/RF-13195
             Project: RichFaces
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: examples
    Affects Versions: 4.3.4
         Environment: Showcase 4.3.4.Final
            Reporter: Pavol Pitonak


# deploy richfaces-showcase-4.3.4.Final-myfaces.war to Tomcat 7.0.42
# open sample for media output

result:
* console log contains this exception:
{quote}
Sep 16, 2013 4:55:40 PM org.richfaces.util.Util decodeObjectData
SEVERE: Input error for deserialize data 
java.io.InvalidClassException: Unauthorized deserialization attempt; javax.faces.view.Location
at org.richfaces.util.LookAheadObjectInputStream.resolveClass(LookAheadObjectInputStream.java:97)
at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1610)
at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1515)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1771)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1348)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:370)
at org.apache.myfaces.view.facelets.el.ContextAwareTagMethodExpression.readExternal(ContextAwareTagMethodExpression.java:162)
at java.io.ObjectInputStream.readExternalData(ObjectInputStream.java:1837)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1796)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1348)
at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1704)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1342)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:370)
at org.richfaces.util.Util.decodeObjectData(Util.java:237)
at org.richfaces.resource.DefaultCodecResourceRequestData.getData(DefaultCodecResourceRequestData.java:97)
at org.richfaces.resource.ResourceFactoryImpl.createResource(ResourceFactoryImpl.java:337)
at org.richfaces.resource.ResourceHandlerImpl.handleResourceRequest(ResourceHandlerImpl.java:156)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:191)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.richfaces.webapp.PushFilter.doFilter(PushFilter.java:129)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.ocpsoft.rewrite.servlet.RewriteFilter.doFilter(RewriteFilter.java:172)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:724)
{quote}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the richfaces-issues mailing list