I've set up my web application to protect against CSRF by listing individual pages in faces-config, protected-views.
This works well when running locally, but after deploying to the server I eventually get these errors when opening a page link:
javax.faces.application.ProtectedViewException: JSF1099: Referer [sic] header value http://[redacted]/finance/commitmentregister/search.xhtml?javax.faces.Token=1534344211116 does not appear to be a protected view. Preventing display of viewId /finance/commitmentregister/view.xhtml
at com.sun.faces.lifecycle.RestoreViewPhase.maybeTakeProtectedViewAction(Unknown Source)
at com.sun.faces.lifecycle.RestoreViewPhase.execute(Unknown Source)
at com.sun.faces.lifecycle.Phase.doPhase(Unknown Source)
at com.sun.faces.lifecycle.RestoreViewPhase.doPhase(Unknown Source)
at com.sun.faces.lifecycle.LifecycleImpl.execute(Unknown Source)
We are running Apache Tomcat 7 locally and on the test server.
Edit:
I've noticed that the url generated on the link looks like this:
http://.../page.xhtml?token=123&p=4
Where token is the CSRF javax.faces.Token and p is a url parameter sent.
The error message shows the url with the token but without p. Like it's expecting the url with the token to be the protected page url listed in the faces-config.
That is, faces-config has:
<protected-views>
<url-pattern>/page.xhtml</url-pattern>
</protected-views>
But it is expecting page.xhtml?token=123
Further Edit:
We just noticed that this error happens only when the page is opened in a new tab. With links generated with a target="_blank" attribute. Copying the url into the clipboard and pasting it in a new tab address bar loads the page correctly.
Noticing that it only broke on new tabs gave me more info to research the problem.
Adding this to the links fixes it:
rel="noopener noreferrer"
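As an added illustration (not Mojarra's code and not part of the question above), the following plain Java method walks through the Referer/Origin check that a JSF 2.2 protected view applies: the referring URL must come from the same origin and its view id must be listed under <protected-views>. The class name, the contextPath parameter and the sample URLs are constructed; the stripQuery flag exists only to contrast a path-only comparison with the "path?query" comparison visible in the error message.

```java
import java.net.URI;
import java.util.Set;

/**
 * Added illustration, not Mojarra's own code: the Referer/Origin validation a
 * JSF 2.2 protected view performs before rendering, written as a plain Java
 * method so the cases from the question can be stepped through.
 * Assumptions (not from the page): context path "" and a referring page passes
 * only when it is itself listed under <protected-views>.
 */
public class ProtectedViewRefererCheck {

    /** Why a request was let through or refused, so a filter could log it. */
    public enum Result { NO_HEADER, ALLOWED, FOREIGN_ORIGIN, NOT_PROTECTED }

    /**
     * @param refererHeader  raw Referer (or Origin) header, or null if the browser sent none
     * @param requestUrl     absolute URL of the protected view being requested
     * @param contextPath    servlet context path to strip before comparing view ids
     * @param protectedViews view ids listed under <protected-views> in faces-config.xml
     * @param stripQuery     true: compare the path only; false: compare "path?query",
     *                       which reproduces the failure shown in the question
     */
    public static Result check(String refererHeader, String requestUrl, String contextPath,
                               Set<String> protectedViews, boolean stripQuery) {
        if (refererHeader == null || refererHeader.isEmpty()) {
            // rel="noreferrer" (or a typed-in address) sends no header: nothing to validate
            return Result.NO_HEADER;
        }
        URI referer = URI.create(refererHeader);
        URI request = URI.create(requestUrl);

        // A referring page on another scheme/host/port is never trusted.
        boolean sameOrigin = eq(referer.getScheme(), request.getScheme())
                && eq(referer.getHost(), request.getHost())
                && referer.getPort() == request.getPort();
        if (!sameOrigin) {
            return Result.FOREIGN_ORIGIN;
        }

        // View id = path below the context path. Appending the query string here is
        // what turns "/search.xhtml" into "/search.xhtml?javax.faces.Token=...".
        String viewId = referer.getPath();
        if (viewId.startsWith(contextPath)) {
            viewId = viewId.substring(contextPath.length());
        }
        if (!stripQuery && referer.getQuery() != null) {
            viewId = viewId + "?" + referer.getQuery();
        }
        return protectedViews.contains(viewId) ? Result.ALLOWED : Result.NOT_PROTECTED;
    }

    private static boolean eq(String a, String b) {
        return a != null && a.equalsIgnoreCase(b);
    }

    public static void main(String[] args) {
        // Constructed sample values modelled on the error message in the question.
        Set<String> protectedViews = Set.of("/finance/commitmentregister/search.xhtml",
                                            "/finance/commitmentregister/view.xhtml");
        String referer = "http://example.invalid/finance/commitmentregister/search.xhtml"
                       + "?javax.faces.Token=1534344211116";
        String target  = "http://example.invalid/finance/commitmentregister/view.xhtml";

        // "path?query" comparison: the token in the referring URL spoils the match.
        System.out.println(check(referer, target, "", protectedViews, false));
        // path-only comparison: the referring search page is found in the list.
        System.out.println(check(referer, target, "", protectedViews, true));
        // rel="noreferrer" link, or the URL pasted into a new tab: no header at all.
        System.out.println(check(null, target, "", protectedViews, true));
        // same path served from another host: refused regardless of the list.
        System.out.println(check("http://attacker.invalid/finance/commitmentregister/search.xhtml",
                                 target, "", protectedViews, true));
    }
}
```

A link carrying rel="noreferrer" sends no Referer header, so the check is skipped entirely, which is why the attribute in the question resolves the error. Note that an absent header is simply not validated; the protection of a protected view rests on the javax.faces.Token in the URL as well, not on the Referer comparison alone.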
I was following this answer by BalusC to try and upload a file to the server. I am using his code as-is.
When using JSF 2.2, the #{bean.save} was never reached, and the file was never saved.
The server's console showed nothing. But the js console showed this error:
Refused to display 'http://localhost:8080/my_app/hello.xhtml' in a frame because it set 'X-Frame-Options' to 'deny'.
jsf.js.xhtml?ln=javax.faces:1 Uncaught DOMException: Blocked a frame with origin "http://localhost:8080" from accessing a cross-origin frame.
at FrameTransport.callback (http://localhost:8080/my_app/javax.faces.resource/jsf.js.xhtml?ln=javax.faces:1:5109)
at HTMLIFrameElement.<anonymous> (http://localhost:8080/my_app/javax.faces.resource/jsf.js.xhtml?ln=javax.faces:1:5759)
I saw this answer which suggested it was a bug in JSF 2.2. So I upgraded to 2.3.
With JSF 2.3 the #{bean.save} is reached, and the file is successfully saved. But the js error remains, and I can't upload a second file.
Any ideas?
EDIT in case it helps: I don't know why, but after selecting the file to upload in the dialog, an <iframe> is added to my page somehow.
EDIT 2
BalusC and Selaron suggested I try to change the X-Frame-Options header to not 'DENY'. I tried adding a @WebFilter and setting the header there, like this:
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException
{
    HttpServletResponse response = (HttpServletResponse) res;
    response.addHeader("X-Frame-Options", "sameorigin");
    response.setHeader("MyHeader", "whatever");
    chain.doFilter(req, res);
}
I added a second header MyHeader with value "whatever" to check if the response contained that header when getting to the browser.
Turns out MyHeader gets to the browser correctly, but X-Frame-Options still remains as 'DENY'.
As I'm using Spring Security, I figured maybe there was some other filter messing with my response?
So, I have this:
@Configuration
@EnableWebSecurity
public class BasicConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        ...
        http.addFilterAfter(new CustomFilter(), SwitchUserFilter.class);
        ...
    }
}
My CustomFilter works as the previous one I showed: MyHeader remains, but X-Frame-Options does not.
I added it after SwitchUserFilter because the doc for HttpSecurity.addFilter says that is the last filter in the chain.
I am a bit lost now. My couple of questions:
Am I right to assume the X-Frame-Options header is getting overwritten by some other filter?
How could I ensure the X-Frame-Options I set remains? Or, how can I put my filter at the end of the chain?
I found this issue where the Mojarra team planned to Implement "ajax" file upload #2577 and the commit actually implementing it to the jsf javascript.
Sadly the documentation on issue 2577 is not accessible anymore and thus it does not explain the background on why an iframe is needed here.
The first passage of this blog gives a brief explanation on why AJAX file upload is/was(?) not possible directly:
Ajax Style File Uploading using Hidden iFrame
by Viral Patel · November 18, 2008
File uploading using AJAX is not possible. AJAX doesn't actually post forms to the server, it sends selected data to the server in the form of a POST or GET request. As javascript is not capable of grabbing the file from the users machine and sending it to the server, it's just not possible with AJAX. You have to resort to regular old form submit. If you have read/seen it somewhere, then it is not through AJAX. File uploading occurs through an iframe in this case. You have to use a iframe to upload the files. So, you can use iframe to asynchronous upload (Like AJAX, but its not AJAX).
So finally your options are to either - as BalusC commented - relax your X-Frame-Options header setting or to change your upload to not use AJAX:
<h:form enctype="multipart/form-data">
<h:inputFile value="#{bean.file}" />
<h:commandButton value="upload" action="#{bean.save}"/>
</h:form>
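Added example, not the asker's BasicConfiguration and not the answerer's code: the first of the two options, relaxing the header, done where Spring Security itself writes it. Spring Security's HeaderWriterFilter owns X-Frame-Options and, from 4.0 on, writes its headers when the response is committed, which is why a value set by a filter further down the chain does not survive. The class name is constructed and the rest of the HttpSecurity configuration is omitted; it assumes the WebSecurityConfigurerAdapter style used in the question.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Added example (not the asker's configuration): let Spring Security emit
 * X-Frame-Options: SAMEORIGIN itself instead of fighting its header writer
 * from a later filter. Assumes Spring Security 4.x/5.x with the
 * WebSecurityConfigurerAdapter API; the remaining HttpSecurity setup is omitted.
 */
@Configuration
@EnableWebSecurity
public class FrameOptionsConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers()
                // SAMEORIGIN is enough for the JSF upload iframe, which is
                // served from the application's own origin. Do not use
                // frameOptions().disable(): that drops the header entirely and
                // lets any site frame the application.
                .frameOptions().sameOrigin()
                // Same policy expressed as CSP for browsers that prefer it;
                // both headers are sent, and the stricter one wins.
                .contentSecurityPolicy("frame-ancestors 'self'");
        // ... authorizeRequests(), formLogin() etc. as in the original configuration ...
    }
}
```

After this change the header arriving at the browser reads X-Frame-Options: SAMEORIGIN without any custom filter, and the CustomFilter from the question is no longer needed for this purpose.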
Hello, I'm trying to figure out JSF (PrimeFaces) and little is working. I compiled a WAR archive in Maven and try to run it through GlassFish. The server starts, but at the beginning it writes "Artifact qwe-1.0-SNAPSHOT.war: Server is not connected. Deploy is not available." Later it writes "Artifact qwe-1.0-SNAPSHOT.war: Artifact is being deployed, please wait... Artifact is deployed successfully." It seems like everything is normal, but then my page opened in the browser is empty, although in my index.xhtml, my pom.xml and web.xml (link pastebin)
there should be a button with styles that are connected from PrimeFaces. Tell me if I'm doing something wrong?
Here's a screenshot of the result in the browser. link1
<p:button outcome="productDetail" value="Bookmark" icon="ui-icon-star"> takes you to the productDetail page. If you do not have a productDetail.xhtml page at the correct path, the index.xhtml page cannot resolve a NavigationCase for the outcome. Thus, create the page productDetail.xhtml and put it into the same directory as index.xhtml.
In addition, you should use the JSF standard tags (h:head, h:body).
We have a corporate website which has an iFrame within a page pointing to my XPage.
The problem I have is that the same XPage is also used in another iFrame (different page) and I need to clear some Scope variables on beforePageLoad event.
Using SSJS, how can I get the parent window URL for my iFrame content?
Example:
Corporate page #1 = http://mycompany.com/training-courses
Corporate page #2 = http://mywebsite.com/training-ilo
Both pages have an iFrame pointing to http://dominoserver/myapp.nsf/xHome.xsp
Unless your Domino server's domain is the same as the parent sites', you will not be able to access information from those pages.
Your best bet is to supply a url parameter to the src of the iframe:
<iframe src="http://dominoserver/myapp.nsf/xHome.xsp?site=xyz"></iframe>
Then, in your ssjs of your xpage you can grab the url information using the XSPUrl class:
var url : XSPUrl;
url = context.getUrl();
var site = url.getParameterName("site");
I used the same sample code Primefaces has in its web page:
<h:commandLink value="Excel">
<p:dataExporter type="xls" target="dataTable" fileName="boo" pageOnly="true"/>
</h:commandLink>
But does not work.
In Internet Explorer browser gives the following message:
Details of the errors of the web page Message: Unexpected call to method or property access.
Nothing ever happens in Mozilla Firefox.
What might be happening?
javax.servlet.ServletException: org/apache/poi/ss/usermodel/RichTextString
Look further down in the stacktrace. I bet that the root cause is either a NoClassDefFoundError or ClassNotFoundException? In that case, this just means that you forgot to install Apache POI.
Download this Apache POI zip file, extract it, put poi-3.8-20120326.jar in /WEB-INF/lib folder and rebuild/redeploy/restart the webapp.
Try to put this jar file. I show the link because I solved this problem.
http://apache.mirrors.pair.com/poi/release/bin/poi-bin-3.9-20121203.zip
We have an application which uses JSF2 and Spring. The application works fine when deployed. But this happens if I go through the following steps:
Open the login page of the application.
Redeployed the application on the server.
Tried to login using the previously opened login page, and it shows the following exception:
javax.servlet.ServletException: null source
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:321)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
root cause
java.lang.IllegalArgumentException: null source
at java.util.EventObject.<init>(EventObject.java:38)
at javax.faces.event.SystemEvent.<init>(SystemEvent.java:67)
at javax.faces.event.ComponentSystemEvent.<init>(ComponentSystemEvent.java:69)
at javax.faces.event.PostRestoreStateEvent.<init>(PostRestoreStateEvent.java:69)
at com.sun.faces.lifecycle.RestoreViewPhase.deliverPostRestoreStateEvent(RestoreViewPhase.java:256)
at com.sun.faces.lifecycle.RestoreViewPhase.execute(RestoreViewPhase.java:245)
at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:97)
at com.sun.faces.lifecycle.RestoreViewPhase.doPhase(RestoreViewPhase.java:107)
at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:114)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:308)
If I click on the first login page and then enter the login details the application does not break. This only occurs if I try to use the previously loaded login page with the newly deployed application.
Anyone knows the answer?
This one should have been thrown as a ViewExpiredException. It's a bug which started to manifest in Mojarra 2.0.3 and has been fixed in Mojarra 2.1.0. See also issue 1762 (note that Mojarra 2.1.0 doesn't work on Tomcat/Jetty, use at least Mojarra 2.1.1 then).
Basically, when Mojarra fails to build or restore the view, then it usually throws a specific enough exception, but due to this bug, a valid view was incorrectly expected later in the code, which in turn results in IllegalArgumentException: null source. The possible real cause would have been that the view contains a simple XML syntax error, such as a missing tag or broken attribute value, for which Mojarra would usually have thrown a FaceletException with a very detailed message with line number and position and such.
To prevent the ViewExpiredException, you would have to refresh the page by a GET request before doing any actions on it. If you're using a Mojarra version where this bug does not manifest (e.g. 2.0.2 or older, or 2.1.0 or newer), then you could gracefully handle it with an <error-page> in web.xml on the particular exception and provide a custom error page wherein the enduser is informed that the session has expired, along with a link to the initial request URI.
This looks like http://java.net/jira/browse/JAVASERVERFACES-1758 which is not fixed in Mojarra 2.1.x
As long as javax.faces.PARTIAL_STATE_SAVING is set to false you'll receive that java.lang.IllegalArgumentException. If you set javax.faces.PARTIAL_STATE_SAVING to true (and you know what you are doing) you will get the "good old" javax.faces.application.ViewExpiredException back.
In my case it turned out I had a missing end tag in the xhtml file for one of the JSTL calls. I was using the choose tag and one of the when tags inside choose did not have an end tag.