9 Replies Latest reply on Mar 20, 2013 6:52 AM by npquang_uns

    seam token tag problem (CSRF)

    dcernahoschi

      Did somebody try the new <s:token> tag?

      Sometimes I get UnauthorizedCommandException, especially when first submitting a form after restarting the browser.

      <s:token enableCookieNotice="true"/>

      Did I miss something?

        • 1. Re: seam token tag problem (CSRF)
          dcernahoschi

          Here is the stack trace:


          org.jboss.seam.ui.UnauthorizedCommandException: viewId: /restricted/desktop.xhtml - Form signature invalid
               at org.jboss.seam.ui.renderkit.TokenRendererBase.doDecode(TokenRendererBase.java:110)
               at org.jboss.seam.ui.util.cdk.RendererBase.decode(RendererBase.java:59)
               at javax.faces.component.UIComponentBase.decode(UIComponentBase.java:789)
               at javax.faces.component.UIComponentBase.processDecodes(UIComponentBase.java:1031)
               at javax.faces.component.UIForm.processDecodes(UIForm.java:209)
               at org.ajax4jsf.component.AjaxViewRoot$1.invokeContextCallback(AjaxViewRoot.java:392)
               at org.ajax4jsf.component.AjaxViewRoot.processPhase(AjaxViewRoot.java:238)
               at org.ajax4jsf.component.AjaxViewRoot.processDecodes(AjaxViewRoot.java:409)
               at com.sun.faces.lifecycle.ApplyRequestValuesPhase.execute(ApplyRequestValuesPhase.java:78)
               at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100)
               at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:118)
               at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
               at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
               at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
               at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:638)
               at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:444)
               at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:382)
               at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:310)
               at org.jboss.seam.web.RewriteFilter.process(RewriteFilter.java:98)
               at org.jboss.seam.web.RewriteFilter.doFilter(RewriteFilter.java:57)
               at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
               at org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40)
               at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
               at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90)
               at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
               at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
               at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
               at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
               at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
               at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:73)
               at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:178)
               at org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290)
               at org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:368)
               at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:495)
               at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
               at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
               at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
               at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
               at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
               at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
               at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
               at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
               at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
               at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
               at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
               at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
               at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
               at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
               at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
               at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
               at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
               at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
               at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
               at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
               at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
               at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
               at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
               at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
               at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
               at java.lang.Thread.run(Thread.java:619)

          • 2. Re: seam token tag problem (CSRF)
            dcernahoschi

            I also get another exception when displaying a page that contains a form with a token tag:


            java.lang.NullPointerException
                 at org.jboss.seam.ui.renderkit.TokenRendererBase.generateViewSignature(TokenRendererBase.java:177)
                 at org.jboss.seam.ui.renderkit.TokenRendererBase.doDecode(TokenRendererBase.java:108)
                 at org.jboss.seam.ui.util.cdk.RendererBase.decode(RendererBase.java:59)
                 at javax.faces.component.UIComponentBase.decode(UIComponentBase.java:789)
                 at javax.faces.component.UIComponentBase.processDecodes(UIComponentBase.java:1031)
                 at javax.faces.component.UIForm.processDecodes(UIForm.java:209)
                 at org.ajax4jsf.component.AjaxViewRoot$1.invokeContextCallback(AjaxViewRoot.java:392)
                 at org.ajax4jsf.component.AjaxViewRoot.processPhase(AjaxViewRoot.java:238)
                 at org.ajax4jsf.component.AjaxViewRoot.processDecodes(AjaxViewRoot.java:409)
                 at com.sun.faces.lifecycle.ApplyRequestValuesPhase.execute(ApplyRequestValuesPhase.java:78)
                 at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100)
                 at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:118)
                 at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
                 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
                 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                 at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:638)
                 at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:444)
                 at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:382)
                 at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:310)
                 at org.jboss.seam.web.RewriteFilter.process(RewriteFilter.java:98)
                 at org.jboss.seam.web.RewriteFilter.doFilter(RewriteFilter.java:57)
                 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                 at org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40)
                 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                 at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90)
                 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                 at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
                 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                 at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
                 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:73)
                 at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:178)
                 at org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290)
                 at org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:368)
                 at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:495)
                 at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
                 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                 at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
                 at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                 at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
                 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
                 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                 at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
                 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
                 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                 at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
                 at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
                 at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
                 at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
                 at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
                 at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
                 at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
                 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
                 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
                 at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
                 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
                 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
                 at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
                 at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
                 at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
                 at java.lang.Thread.run(Thread.java:619)


            • 3. Re: seam token tag problem (CSRF)
              jrd.andrzej.jordanow.gmail.com

              I suspect the problem is in the s:token implementation itself: there is an org.jboss.seam.ui.ClientUidSelector class whose seed() method generates the cookie value (clientUid) for the token tag:


              public void seed()
              {
                 if (!isSet()) {
                    // randomAscii(50): any printable ASCII character, ';' included
                    clientUid = RandomStringUtils.randomAscii(50);
                    setCookieValueIfEnabled(clientUid);
                 }
              }



              Unfortunately randomAscii sometimes generates a semicolon (;) character that, when generated, truncates the cookie value (in general, the semicolon is a special character in an HTTP cookie: it ends a name/value pair inside the cookie header). You could replace it with e.g. clientUid = RandomStringUtils.random(50, true, true); and copy-paste a lot of related classes, or file a bug report.
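The truncation described above, as an added example that is not code from this thread or from Seam: a small Python model of the clientUid round trip through Set-Cookie and the Cookie header, a cookie-octet check, and a cookie-safe generator equivalent to the alphanumeric fix. The cookie name javax.faces.ClientToken is the one the thread's fixed class uses; the sample clientUid containing a ';' is constructed.

```python
import secrets
import string

COOKIE_NAME = "javax.faces.ClientToken"  # cookie name the Seam token tag uses (from this thread)
ALPHANUMERIC = string.ascii_letters + string.digits  # what RandomStringUtils.random(50, true, true) draws from


def is_cookie_safe(value: str) -> bool:
    """RFC 6265 cookie-octet: printable ASCII 0x21..0x7E except '"', ',', ';' and '\\'.
    randomAscii(50) draws from 0x20..0x7E, so ';' (and space, '"', ',', '\\') can appear."""
    return all(0x21 <= ord(c) <= 0x7E and c not in '",;\\' for c in value)


def parse_cookie_header(header: str) -> dict:
    """Simplified model of how a Cookie header is split into name/value pairs:
    pairs end at ';' and each pair is split at its first '='. Anything after a
    ';' therefore can never be part of the preceding value."""
    cookies = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name:
            cookies[name.strip()] = value.strip()
    return cookies


def value_seen_by_server(raw_client_uid: str) -> str:
    """Round trip of the clientUid: the app writes it raw into Set-Cookie, the browser
    keeps the part up to the first ';' and sends that back in the Cookie header."""
    return parse_cookie_header(f"{COOKIE_NAME}={raw_client_uid}").get(COOKIE_NAME, "")


def token_matches(issued_client_uid: str, client_uid_on_submit: str) -> bool:
    """The form signature is bound to the clientUid issued at render time; when the
    cookie comes back different, the signature check fails (the thread's
    'Form signature invalid' UnauthorizedCommandException)."""
    return secrets.compare_digest(issued_client_uid, client_uid_on_submit)


def generate_client_uid(length: int = 50) -> str:
    """Cookie-safe replacement for randomAscii(50): alphanumeric only, from a CSPRNG."""
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))


def demo() -> dict:
    # Constructed sample: a value randomAscii(50) could produce, with a ';' at position 13.
    unlucky = "Gq7#Lz2wE9tR;kP4mN8vB1xC6yD3zF5hJ0sA7uW2eI9oT4rY6p"
    safe = generate_client_uid()
    return {
        "unlucky_is_safe": is_cookie_safe(unlucky),                                     # False
        "unlucky_roundtrip_ok": token_matches(unlucky, value_seen_by_server(unlucky)),  # False
        "safe_is_safe": is_cookie_safe(safe),                                           # True
        "safe_roundtrip_ok": token_matches(safe, value_seen_by_server(safe)),           # True
    }


if __name__ == "__main__":
    print(demo())
```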

              • 4. Re: seam token tag problem (CSRF)
                dcernahoschi

                Yeap. It seems that patching the org.jboss.seam.ui.ClientUidSelector class solves the problem. Thank you!


                I've created a JIRA bug: https://jira.jboss.org/jira/browse/JBSEAM-4503

                • 5. Re: seam token tag problem (CSRF)
                  gecko
                  Until that issue is fixed, put the class below in your webapp's classpath:


                  // Imports added for completeness; the original post showed only the class body.
                  import javax.faces.context.FacesContext;
                  import org.apache.commons.lang.RandomStringUtils;
                  import org.jboss.seam.annotations.Create;
                  import org.jboss.seam.annotations.Install;
                  import org.jboss.seam.annotations.Name;
                  import org.jboss.seam.ui.ClientUidSelector;

                  // Registers under the same component name as Seam's built-in ClientUidSelector;
                  // DEPLOYMENT precedence makes Seam install this class instead of the built-in one.
                  @Name("org.jboss.seam.ui.clientUidSelector")
                  @Install(precedence = Install.DEPLOYMENT)
                  public class FixedClientUidSelector extends ClientUidSelector {

                       private static final long serialVersionUID = -4923235748771706010L;
                       private String clientUid;

                       @Create
                       public void onCreate() {
                            // Scope the cookie to this web application and keep it for the browser session.
                            setCookiePath(FacesContext.getCurrentInstance().getExternalContext().getRequestContextPath());
                            setCookieMaxAge(-1);
                            setCookieEnabled(true);
                            clientUid = getCookieValue();
                       }

                       public void seed() {
                            if (!isSet()) {
                                 // Fixed: letters and digits only, so the value can never contain ';'
                                 // (or another character that breaks the Cookie header).
                                 clientUid = RandomStringUtils.random(50, true, true);
                                 setCookieValueIfEnabled(clientUid);
                            }
                       }

                       public boolean isSet() {
                            return clientUid != null;
                       }

                       public String getClientUid() {
                            return clientUid;
                       }

                       @Override
                       protected String getCookieName() {
                            return "javax.faces.ClientToken";
                       }

                  }

                  • 6. Re: seam token tag problem (CSRF)
                    okianl

                    Thanks for sharing that with us. It works great!


                    Lucian

                    • 7. Re: seam token tag problem (CSRF)
                      bdill

                      If you have problems getting this to work in IE, check the bug filed here. Setting the cookie path to empty will cause some versions of IE to not accept the cookie and will produce a "No client identifier provided." error or an UnauthorizedCommandException.

                      • 8. Re: seam token tag problem (CSRF)
                        npquang_uns

                        Hi all,

                        I use jboss-seam 2.2.1 and have met this issue also.

                        I tried the provided class but got another exception:

                        Caused by: java.lang.ClassCastException: FixedClientUidSelector_$$_javassist_seam_13 cannot be cast to org.jboss.seam.ui.ClientUidSelector
                                  at org.jboss.seam.ui.component.UIToken.getClientUidSelector(UIToken.java:108)
                                  at org.jboss.seam.ui.renderkit.TokenRendererBase.writeCookieCheckScript(TokenRendererBase.java:161)
                                  at org.jboss.seam.ui.renderkit.TokenRendererBase.doEncodeBegin(TokenRendererBase.java:144)
                                  at org.jboss.seam.ui.util.cdk.RendererBase.encodeBegin(RendererBase.java:79)
                                  at javax.faces.component.UIComponentBase.encodeBegin(UIComponentBase.java:813)
                                  at javax.faces.component.UIComponent.encodeAll(UIComponent.java:934)
                                  at javax.faces.render.Renderer.encodeChildren(Renderer.java:148)
                                  at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:837)
                                  at org.ajax4jsf.renderkit.RendererBase.renderChild(RendererBase.java:277)
                                  at org.richfaces.renderkit.html.ToolBarGroupRenderer.renderChild(ToolBarGroupRenderer.java:74)
                                  at org.richfaces.renderkit.html.ToolBarGroupRenderer.encodeChildren(ToolBarGroupRenderer.java:56)
                                  at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:837)
                                  at org.ajax4jsf.renderkit.RendererBase.renderChild(RendererBase.java:277)
                                  at org.richfaces.renderkit.html.ToolBarRendererBase.encodeChildren(ToolBarRendererBase.java:118)
                                  at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:837)
                                  at javax.faces.component.UIComponent.encodeAll(UIComponent.java:936)
                                  at javax.faces.component.UIComponent.encodeAll(UIComponent.java:942)
                                  at com.sun.facelets.FaceletViewHandler.renderView(FaceletViewHandler.java:592)
                                  at org.ajax4jsf.application.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:100)
                                  at org.ajax4jsf.application.AjaxViewHandler.renderView(AjaxViewHandler.java:176)
                                  at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:109)
                                  at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100)
                                  at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:139)
                                  at javax.faces.webapp.FacesServlet.service(FacesServlet.java:266)

                        Class FixedClientUidSelector DOES EXTEND org.jboss.seam.ui.ClientUidSelector.

                        Any help is appreciated.

                        Thanks,

                        Quang

                        • 9. Re: seam token tag problem (CSRF)
                          npquang_uns

                          It's because the class org.jboss.seam.ui.ClientUidSelector is loaded twice from different locations.

                          I just removed the redundant one and it works.