In our app with PrettyFaces 2.0.12.Final, we have our redirects set up in pretty-config.xml.
<url-mapping id="foo">
<pattern value="/foo/#{alias}" />
<view-id value="/foo.xhtml" />
</url-mapping>
We have a custom 404 page set up in our web.xml.
<error-page>
<error-code>404</error-code>
<location>/404.xhtml</location>
</error-page>
When a user receives a 404 Not Found error, for a foo "alias" that doesn't exist, they're redirected to "/404.xhtml", and the browser URL bar does not retain the offending address.
Is there a way maintain the URL of "/foo/aliasdoesnotexist" in the browser URL bar and still display the 404 page?
One way to handle this scenario is to handle the Exception in your application and perform an internal forward to the error page:
You can set up a PrettyFaces mapping for the 404 page:
<url-mapping id="foo">
<pattern value="/foo/#{alias}" />
<view-id value="/foo.xhtml" />
</url-mapping>
Then in your application code:
catch ( Exception e )
{
String contextName = FacesContext.getCurrentInstance().getExternalContext().getContextName();
FacesContext.getCurrentInstance().getExternalContext().dispatch(contextName + "/404");
}
If you want to catch the exception globally, you'll need to create a servlet filter to do this. See the following topic for how to create a filter that catches all exceptions:
how do I catch errors globally, log them and show user an error page in J2EE app
Hope this helps!
~Lincoln
Related
I am working on a JSF application which redirect to another application then do some processing there and redirect back. Issue is when I use JSF application URL as
http://172.20.1.175:8080/app_path/page.xhtml
and redirect back to the URL,
http://172.20.1.175:8080/app_path/page1.xhtml
then I am getting xml page on the browser like following
<partial-response>
<changes>
<update id="javax.faces.ViewState">
<![CDATA[
-------
]]>
<![CDATA[
--------
]]>
</update>
</changes>
</partial-response>
but if I use http://localhost:8080/app_path/page.xhtml and redirect back to the URL http://172.20.1.175:8080/app_path/page1.xhtml it's working fine (172.20.1.175 is my IP address). I am using spring security for authorization.
I am trying to figure out the reason for this behavior. Any ideas?
Thanks,
Lakmal
I am having problems trying to use the <p:captcha>. I am getting the following error in FireFox v34.0.5:
Blocked loading mixed active content "http://www.google.com/recaptcha/api/challenge?k=xxxxxxxxxxxxxxxxxxxxxxxxx"
The check button is showing but not the captcha image
My applications is hosted in a secure (HTTPS) server but seems the captcha is connecting to a non secure server using HTTP
This is my web.xml file:
<context-param>
<param-name>primefaces.PUBLIC_CAPTCHA_KEY</param-name>
<param-value><xxxxx_recaptcha_generated_public_captcha_key></param-value>
</context-param>
<context-param>
<param-name>primefaces.PRIVATE_CAPTCHA_KEY</param-name>
<param-value><xxxxx_recaptcha_generated_private_captcha_key></param-value>
</context-param>
And my view file (forgottenOPassword.xhtml):
<p:captcha label="Captcha" rendered="#{passBB.showCaptcha}"/>
<p:commandButton actionListener="#{passBB.verifyCaptcha}"
ajax="false"
icon="ui-icon-check"
rendered="#{passBB.showCaptcha}"
value="Check"/>
Set the secure attribute of <p:captcha> to true. See also VDL documentation: "Enables https support".
<p:captcha ... secure="true" />
Or if you'd like to let it depend on the current request (e.g. when you've 2 versions of the webapp and the captcha is placed in some reusable tagfile/component), then check HttpServletRequest#isSecure() instead:
<p:captcha ... secure="#{request.secure}" />
Either way, if it evaluates to true, then the CaptchaRenderer will use https instead of http.
PrettyFaces kills the session on every request that involves a redirect when the application is deployed on Wildfly 8.1.0.Final. The same app deploys and works properly on Wildfly 8.0.0.Final.
On 8.1.0 PrettyFaces appears to prevent the servlet stack from retreiving the session ID.
The log shows no exceptions in either case. The URL rewrites occur, but session information (including login information) is gone. This is my pretty-config.xml
<pretty-config xmlns="http://ocpsoft.org/schema/rewrite-config-prettyfaces"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://ocpsoft.org/schema/rewrite-config-prettyfaces
http://ocpsoft.org/xml/ns/prettyfaces/rewrite-config-prettyfaces.xsd">
<url-mapping id="user-settings">
<pattern value="/protected/user/settings/"/>
<view-id value="/protected/usersettings.xhtml"/>
</url-mapping>
<url-mapping id="thread-edit">
<pattern value="/protected/threads/edit/#{stitchId}/" />
<view-id value="/protected/threads/stitch.xhtml" />
<action>#{stitchEditBean.editStitchFromId(stitchId)}</action>
</url-mapping>
<url-mapping id="threads-index">
<pattern value="/protected/threads/" />
<view-id value="/protected/threads/index.xhtml" />
</url-mapping>
</pretty-config>
The failure occurs for both PrettyFaces 2.0.12.Final and 3.0.0.Alpha2
As Ken noted, the underlying problem is related to https://issues.jboss.org/browse/WFLY-3448
Adding an explicit cookie path to web.xml works around the issue and is safe.
<session-config>
<session-timeout>30</session-timeout>
<cookie-config>
<!--
A bug in wildfly 8.1.0.final requires this path to be set explicitly or occasionally the default is
incorrect and the system will generate one cookie per directory incorrectly.
-->
<path>/</path>
</cookie-config>
</session-config>
You may have to manually clear the bad cookies in EACH directory of your app, or flush all your session cookies. Otherwise the old session cookies might hang around causing the issue.
This is a bug in WildFly 8.1.0, addressed here: https://issues.jboss.org/browse/WFLY-3448
After you are on a version that has that bug fixed, you will need to use Rewrite 3.0.0.Alpha3 or newer to resolve additional issues for handling the root context path.
I have implemented Omnifaces FullAjaxExceptionHandler but the problem is It is not working with ajax requests. After session expires when I click to non-ajax button, It works well. It redirects user to custom error page. But if the button uses ajax, It doesn't do anything. Page just stucks.
Edit: I have changed ActionListener to Action and still same.
Edit2: It gives no error. Neither Apache Tomcat output nor Apache Tomcat Log.
here is my spring security;
<http auto-config='true' use-expressions="true">
<intercept-url pattern="/login" access="permitAll"/>
<intercept-url pattern="/ajaxErrorPage" access="permitAll"/>
<intercept-url pattern="/pages/*" access="hasRole('admin')" />
<intercept-url pattern="/j_spring_security_check" access="permitAll"/>
<logout logout-success-url="/login.xhtml" />
<form-login login-page="/login.xhtml"
login-processing-url="/j_spring_security_check"
default-target-url="/pages/index.xhtml"
always-use-default-target="true"
authentication-failure-url="/login.xhtml"/>
</http>
You're sending a synchronous redirect as a response to the ajax request (a HTTP 302 response using e.g. response.sendRedirect()). This is not right. The JavaScript ajax engine treats the 302 response as a new destination to re-send the ajax request to. However, that in turn returns a plain vanilla HTML page instead of a XML document with instructions which parts of the page to update. This is confusing and thus the redirected response is altogether ignored. That explains precisely the symptoms you're facing.
The very same problem is also asked and answered in the following closely related questions:
FullAjaxExceptionHandler does not redirect to error page after invalidated session
How to move user to timeout page when session expires, if user click on browser back button
GET request for redirect initiated by browser but not successful
Authorization redirect on session expiration does not work on submitting a JSF form, page stays the same
JSF Filter not redirecting After Initial Redirect
Basically, you need to instruct Spring Security in some way to perform the following conditional check:
if ("partial/ajax".equals(request.getHeader("Faces-Request"))) {
// JSF ajax request. Return special XML response which instructs JavaScript that it should in turn perform a redirect.
response.setContentType("text/xml");
response.getWriter()
.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>")
.printf("<partial-response><redirect url=\"%s\"></redirect></partial-response>", loginURL);
} else {
// Normal request. Perform redirect as usual.
response.sendRedirect(loginURL);
}
I'm however no Spring user and I'm not interested to use it, and am therefore not able to give a more detailed answer how to perform this check in Spring Security. I can however tell that Apache Shiro has exactly the same problem which is explained and solved in this blog article: Make Shiro JSF Ajax Aware.
In file spring-security (en el archivo de Spring Security)
<beans:bean id="httpSessionSecurityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>
<!-- redirection strategy -->
<beans:bean id="jsfRedirectStrategy" class="com.mycompany.JsfRedirectStrategy">
<beans:property name="invalidSessionUrl" value="/login.xhtml" />
</beans:bean>
<beans:bean id="sessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter">
<beans:constructor-arg name="securityContextRepository" ref="httpSessionSecurityContextRepository" />
<beans:property name="invalidSessionStrategy" ref="jsfRedirectStrategy" />
</beans:bean>
<http auto-config='true' use-expressions="true">
<intercept-url pattern="/login" access="permitAll"/>
<intercept-url pattern="/ajaxErrorPage" access="permitAll"/>
<intercept-url pattern="/pages/*" access="hasRole('admin')" />
<intercept-url pattern="/j_spring_security_check" access="permitAll"/>
<logout logout-success-url="/login.xhtml" />
<form-login login-page="/login.xhtml"
login-processing-url="/j_spring_security_check"
default-target-url="/pages/index.xhtml"
always-use-default-target="true"
authentication-failure-url="/login.xhtml"/>
<!-- custom filter -->
<custom-filter ref="sessionManagementFilter" before="SESSION_MANAGEMENT_FILTER" />
</http>
The custom redirectStrategy (La estrategia de redirección personalizada)
public class JsfRedirectStrategy implements InvalidSessionStrategy
{
private static final String FACES_REQUEST = "Faces-Request";
private String invalidSessionUrl;
public void setInvalidSessionUrl(String invalidSessionUrl) {
this.invalidSessionUrl = invalidSessionUrl;
}
public String getInvalidSessionUrl() {
return invalidSessionUrl;
}
#Override
public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
String contextPath = request.getContextPath();
String urlFinal = contextPath+invalidSessionUrl;
if ("partial/ajax".equals(request.getHeader(FACES_REQUEST))) {
// with ajax
response.setContentType("text/xml");
response.getWriter()
.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>")
.printf("<partial-response><redirect url=\"%s\"></redirect></partial-response>", urlFinal);
} else {
// not ajax
request.getSession(true);
response.sendRedirect(urlFinal);
}
}
work for me.
I am having issues with the Omnifaces FullAjaxExceptionHandler (http://showcase.omnifaces.org/exceptionhandlers/FullAjaxExceptionHandler). It does not redirect to the specified error page after the session is invalidated.
I have the following in my faces-config:
<factory>
<exception-handler-factory>org.omnifaces.exceptionhandler.FullAjaxExceptionHandlerFactory</exception-handler-factory>
</factory>
And the following in my web.xml:
<error-page>
<exception-type>javax.faces.application.ViewExpiredException</exception-type>
<location>/pages/error/viewExpired.html</location>
</error-page>
After I invalidate the session, from a user's perspective nothing seems to happen. The application is just 'dead'. In my console I see the following Ajax request:
A POST to the original facelet page with a response code of 302
a GET to the login page with a code 200 (but nothing happens because it's requested via Ajax)
I am running MyFaces 2.1.10, Primefaces 3.5, Primefaces Extension 0.6.3 & Omnifaces 1.4.1 on WebLogic 12c
Could anyone help me in the right direction? How do I get the FullAjaxExeptionHandler to work properly?
Thanks
A POST to the original facelet page with a response code of 302
This is not right. A redirect on a JSF ajax request must have a response code of 200 with a special XML response with a <redirect> element with target URL in its url attribute.
This thus indicates that you manually used HttpServletResponse#sendRedirect() somewhere long before JSF has the chance to deal with ViewExpiredException.
Perhaps you've somewhere a servlet filter which checks some session attribute and sends a redirect based on its presence/state? That filter should then be manipulated based on the following answer: JSF Filter not redirecting After Initial Redirect in order to recognize JSF ajax requests and return a special XML response instead of a 302 response.
E.g.
if ("partial/ajax".equals(request.getHeader("Faces-Request"))) {
response.setContentType("text/xml");
response.getWriter()
.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>")
.printf("<partial-response><redirect url=\"%s\"></redirect></partial-response>", loginURL);
} else {
response.sendRedirect(loginURL);
}
This all is completely unrelated to the FullAjaxExceptionHandler. JSF didn't have any chance to throw a ViewExpiredException because you're already sending a redirect yourself beforehand.