PrettyFaces fails in Wildfly 8.1.0 but works in 8.0.0 - jsessionid

PrettyFaces kills the session on every request that involves a redirect when the application is deployed on Wildfly 8.1.0.Final. The same app deploys and works properly on Wildfly 8.0.0.Final.
On 8.1.0 PrettyFaces appears to prevent the servlet stack from retrieving the session ID.
The log shows no exceptions in either case. The URL rewrites occur, but session information (including login information) is gone. This is my pretty-config.xml
<pretty-config xmlns="http://ocpsoft.org/schema/rewrite-config-prettyfaces"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://ocpsoft.org/schema/rewrite-config-prettyfaces
                                   http://ocpsoft.org/xml/ns/prettyfaces/rewrite-config-prettyfaces.xsd">
  <url-mapping id="user-settings">
    <pattern value="/protected/user/settings/"/>
    <view-id value="/protected/usersettings.xhtml"/>
  </url-mapping>
  <url-mapping id="thread-edit">
    <pattern value="/protected/threads/edit/#{stitchId}/" />
    <view-id value="/protected/threads/stitch.xhtml" />
    <action>#{stitchEditBean.editStitchFromId(stitchId)}</action>
  </url-mapping>
  <url-mapping id="threads-index">
    <pattern value="/protected/threads/" />
    <view-id value="/protected/threads/index.xhtml" />
  </url-mapping>
</pretty-config>
The failure occurs for both PrettyFaces 2.0.12.Final and 3.0.0.Alpha2.

As Ken noted, the underlying problem is related to https://issues.jboss.org/browse/WFLY-3448
Adding an explicit cookie path to web.xml works around the issue and is safe.
<session-config>
  <session-timeout>30</session-timeout>
  <cookie-config>
    <!--
    A bug in WildFly 8.1.0.Final requires this path to be set explicitly; otherwise the default is
    occasionally incorrect and the server generates one cookie per directory.
    -->
    <path>/</path>
  </cookie-config>
</session-config>
You may have to manually clear the bad cookies in EACH directory of your app, or flush all your session cookies. Otherwise the old session cookies might hang around causing the issue.
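To see why an implicit cookie path turns into one session per directory, here is an added example in Java (it is not from the question, WildFly or PrettyFaces). It implements the default-path and path-match rules from RFC 6265 section 5.1.4 and simulates a browser walking the three mapped URLs from the question. The visit order and the assumption that the server issues a fresh JSESSIONID whenever no cookie is presented are constructed for the illustration; the exact WildFly defect is not modelled, only the browser-side scoping that the workaround's explicit path "/" removes.

```java
// Added example (not from the question or the WildFly/PrettyFaces projects): reproduces the
// "one cookie per directory" symptom by applying the RFC 6265 default-path rule a browser uses
// when a Set-Cookie header carries no Path attribute, and the path-match rule that decides
// whether a stored cookie is sent on a later request.
import java.util.ArrayList;
import java.util.List;

public class CookiePathDemo {

    /** RFC 6265 section 5.1.4: default-path of a cookie set on the response to requestPath. */
    static String defaultPath(String requestPath) {
        if (requestPath.isEmpty() || requestPath.charAt(0) != '/') {
            return "/";
        }
        int lastSlash = requestPath.lastIndexOf('/');
        if (lastSlash == 0) {
            return "/";                                   // "/index.jsf" -> "/"
        }
        return requestPath.substring(0, lastSlash);       // "/protected/user/settings/" -> "/protected/user/settings"
    }

    /** RFC 6265 section 5.1.4: does a cookie scoped to cookiePath match requestPath? */
    static boolean pathMatches(String requestPath, String cookiePath) {
        if (requestPath.equals(cookiePath)) {
            return true;
        }
        if (requestPath.startsWith(cookiePath)) {
            return cookiePath.endsWith("/")
                || requestPath.charAt(cookiePath.length()) == '/';
        }
        return false;
    }

    /** Minimal cookie-jar entry: a JSESSIONID value and its Path attribute. */
    record Cookie(String value, String path) {}

    /**
     * Simulates a client visiting the given paths in order. The (constructed) server creates a new
     * session whenever no stored cookie path-matches the request. explicitPath == null models a
     * Set-Cookie header without a Path attribute; "/" models the web.xml cookie-config workaround.
     * Returns how many distinct sessions the server ended up creating.
     */
    static int sessionsCreated(List<String> visits, String explicitPath) {
        List<Cookie> jar = new ArrayList<>();
        int sessions = 0;
        for (String path : visits) {
            boolean sent = false;
            for (Cookie c : jar) {
                if (pathMatches(path, c.path())) {
                    sent = true;
                    break;
                }
            }
            if (!sent) {
                sessions++;
                String cookiePath = explicitPath != null ? explicitPath : defaultPath(path);
                jar.add(new Cookie("session-" + sessions, cookiePath));
            }
        }
        return sessions;
    }

    public static void main(String[] args) {
        // Constructed walk over the three pretty URLs mapped in the question's pretty-config.xml.
        List<String> visits = List.of("/protected/user/settings/", "/protected/threads/",
                                      "/protected/threads/edit/42/", "/protected/user/settings/");
        System.out.println("Path omitted (browser default-path): " + sessionsCreated(visits, null) + " sessions");
        System.out.println("Path=/ from cookie-config:           " + sessionsCreated(visits, "/") + " session");
    }
}
```

Run it with `java CookiePathDemo.java` (Java 16+ for the record). Without a Path attribute the walk creates two sessions, so the login held by the first cookie is absent when the user lands under /protected/threads/; with Path=/ every request carries the same cookie. Path is not a security boundary in any case: same-origin script can read a cookie whatever its path, so pinning the session cookie to "/" gives nothing up, which is why the workaround is safe.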

This is a bug in WildFly 8.1.0, addressed here: https://issues.jboss.org/browse/WFLY-3448
After you are on a version that has that bug fixed, you will need to use Rewrite 3.0.0.Alpha3 or newer to resolve additional issues for handling the root context path.

Related

PrettyFaces 404 page without URL redirect

In our app with PrettyFaces 2.0.12.Final, we have our redirects set up in pretty-config.xml.
<url-mapping id="foo">
  <pattern value="/foo/#{alias}" />
  <view-id value="/foo.xhtml" />
</url-mapping>
We have a custom 404 page set up in our web.xml.
<error-page>
  <error-code>404</error-code>
  <location>/404.xhtml</location>
</error-page>
When a user receives a 404 Not Found error, for a foo "alias" that doesn't exist, they're redirected to "/404.xhtml", and the browser URL bar does not retain the offending address.
Is there a way to maintain the URL of "/foo/aliasdoesnotexist" in the browser URL bar and still display the 404 page?
One way to handle this scenario is to handle the Exception in your application and perform an internal forward to the error page:
You can set up a PrettyFaces mapping for the 404 page:
<url-mapping id="404">
  <pattern value="/404" />
  <view-id value="/404.xhtml" />
</url-mapping>
Then in your application code:
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
try {
  // application code that resolves #{alias}
} catch (Exception e) {
  ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
  // dispatch() takes a context-relative path, so no context prefix is needed;
  // the forward is internal, so the browser keeps /foo/aliasdoesnotexist in its URL bar
  ec.dispatch("/404");
}
If you want to catch the exception globally, you'll need to create a servlet filter to do this. See the following topic for how to create a filter that catches all exceptions:
how do I catch errors globally, log them and show user an error page in J2EE app
Hope this helps!
~Lincoln
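The global variant Lincoln mentions, written out as an added example that is not part of his answer or of the PrettyFaces project: a servlet filter that catches any exception escaping the application, logs it server-side, and performs an internal forward to the /404 PrettyFaces mapping so the browser keeps the original URL. The `/*` filter mapping and the existence of a /404 mapping are assumptions; adjust them to your application.

```java
// Added example (not from Lincoln's answer or the PrettyFaces project): global exception handling
// via a servlet filter. The forward is internal, so the address bar keeps /foo/aliasdoesnotexist
// while the 404 view is rendered; the stack trace stays in the server log and never reaches the user.
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter(urlPatterns = "/*")   // assumed mapping: covers every request in the application
public class NotFoundForwardFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(NotFoundForwardFilter.class.getName());

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        try {
            chain.doFilter(request, response);
        } catch (Exception e) {
            // Full detail goes to the server log only; the client sees just the 404 view.
            LOG.log(Level.WARNING, "Unhandled exception for " + request.getRequestURI(), e);
            if (response.isCommitted()) {
                // Output already went to the client, so a forward is impossible: let the
                // container's error handling take over (precise rethrow, Java 7+).
                throw e;
            }
            // Keep the status honest so clients and crawlers see Not Found rather than 200.
            // forward() clears the buffered body itself; response.reset() is avoided on purpose
            // because it would also drop a Set-Cookie header for a session created in this request.
            response.setStatus(HttpServletResponse.SC_NOT_FOUND);
            // Context-relative forward to the assumed /404 PrettyFaces mapping; URL bar is unchanged.
            request.getRequestDispatcher("/404").forward(request, response);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {}

    @Override
    public void destroy() {}
}
```

Register it ahead of the PrettyFaces filter so the forward to /404 is still rewritten to /404.xhtml. Catching every exception and answering 404 is what the question asked for, but in practice you would inspect the cause and reserve 404 for the "alias does not exist" case, letting genuine server faults surface as 500 so they are not hidden from monitoring.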

pretty faces configuration to remove folder from URL (JSF2.2 application deployed on Glassfish)

I have a JSF 2.2 application deployed on GlassFish.
I want to beautify the URL
http://MyWebsite/test/SOMEFOLDER/login.xhtml
to be
http://MyWebsite/test/login.xhtml
I am using PrettyFaces with the following configuration:
<url-mapping id="login">
  <pattern value="/login.xhtml" />
  <view-id value="/SOMEFOLDER/login.xhtml" />
  <!-- Non JSF View Id -->
</url-mapping>
I am not adding anything in the web.xml

p:captcha throws - Blocked loading mixed active content on FireFox

I am having problems trying to use the <p:captcha>. I am getting the following error in Firefox v34.0.5:
Blocked loading mixed active content "http://www.google.com/recaptcha/api/challenge?k=xxxxxxxxxxxxxxxxxxxxxxxxx"
The check button is showing but not the captcha image.
My application is hosted on a secure (HTTPS) server, but it seems the captcha is connecting to a non-secure server using HTTP.
This is my web.xml file:
<context-param>
  <param-name>primefaces.PUBLIC_CAPTCHA_KEY</param-name>
  <param-value>xxxxx_recaptcha_generated_public_captcha_key</param-value>
</context-param>
<context-param>
  <param-name>primefaces.PRIVATE_CAPTCHA_KEY</param-name>
  <param-value>xxxxx_recaptcha_generated_private_captcha_key</param-value>
</context-param>
And my view file (forgottenOPassword.xhtml):
<p:captcha label="Captcha" rendered="#{passBB.showCaptcha}"/>
<p:commandButton actionListener="#{passBB.verifyCaptcha}"
                 ajax="false"
                 icon="ui-icon-check"
                 rendered="#{passBB.showCaptcha}"
                 value="Check"/>
Set the secure attribute of <p:captcha> to true. See also VDL documentation: "Enables https support".
<p:captcha ... secure="true" />
Or if you'd like to let it depend on the current request (e.g. when you've 2 versions of the webapp and the captcha is placed in some reusable tagfile/component), then check HttpServletRequest#isSecure() instead:
<p:captcha ... secure="#{request.secure}" />
Either way, if it evaluates to true, then the CaptchaRenderer will use https instead of http.

how to enable browser caching in jsf

I have created a web application using JSF 2.0. I got feedback from my friend saying I should do "Browser Caching" as I have many images.
However I don't know how to do same in JSF. Any idea/ hint would be appreciated.
Concept on what to be done would also work.
Just use <h:graphicImage name="..."> instead of <img src="...">. This way the default JSF resource handler will instruct the browser to cache them for 1 week by default, which is configurable with an implementation dependent context parameter, which is the following in case of Mojarra:
<context-param>
  <param-name>com.sun.faces.defaultResourceMaxAge</param-name>
  <param-value>3628800000</param-value> <!-- 6 weeks -->
</context-param>
Note, the same applies when using <h:outputScript> and <h:outputStylesheet> instead of <script> and <link rel="stylesheet">.

Require authentication through https with spring security?

I'm using tomcat 6, spring mvc 3.0.0 and spring security 3.0.0, and since the passwords I store in the database are sha1 hashed, I can't use digest authentication (section 9.2.1 of the documentation spells that out). For this reason, I need to make authentication happen through https.
Due to potential processing overhead, I want to keep as much of the traffic in regular http as possible. Is there a way I can make spring use https for unauthenticated requests, then use http once authentication is done? I think this is done with a ChannelProcessingFilter of some sort, but I'm stumped as to the particulars.
Here's my application-security.xml file as it currently stands:
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
  <http use-expressions="true">
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <http-basic />
  </http>
  <authentication-manager>
    <authentication-provider user-service-ref="myUserDetailsService">
      <password-encoder hash="sha"/>
    </authentication-provider>
  </authentication-manager>
  <beans:bean id="myUserDetailsService"
              class="path.to.myUserDetailsServiceImpl">
  </beans:bean>
</beans:beans>
Thanks for the help.
If at any point you pass a session id over HTTP you are violating OWASP A9. An attacker doesn't need the password if he has the session id. I would not implement this feature in your application; https is very lightweight and I think you should look into saving resources in places that don't mean that your clients will be hacked.
Not sure exactly how to do it using Spring MVC but I did accomplish this using Grails with Spring Security 3...if you are interested you can see my blog post here.
Because that will not really help you...I did a quick google search and found this post which looks correct and says to configure your web.xml:
<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>
    /WEB-INF/applicationContext-security.xml
  </param-value>
</context-param>
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
and your applicationContext-security.xml as such:
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                                 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
  <http>
    <intercept-url pattern="/url1.htm"
                   access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https" />
    <intercept-url pattern="/url2.htm"
                   access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https" />
    <intercept-url pattern="/**"
                   access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="http" />
    <anonymous />
    <http-basic/>
  </http>
  <!-- This bean is optional; it isn't used by any other bean as it only listens and logs -->
  <beans:bean id="loggerListener" class="org.springframework.security.event.authentication.LoggerListener"/>
</beans:beans>
Also take a look at this site for more info and how to configure Tomcat's SSL connector.
