-
1. Re: seam token tag problem (CSRF)
dcernahoschi Dec 6, 2009 10:22 PM (in response to dcernahoschi) Here is the stack trace:
org.jboss.seam.ui.UnauthorizedCommandException: viewId: /restricted/desktop.xhtml - Form signature invalid
at org.jboss.seam.ui.renderkit.TokenRendererBase.doDecode(TokenRendererBase.java:110)
at org.jboss.seam.ui.util.cdk.RendererBase.decode(RendererBase.java:59)
at javax.faces.component.UIComponentBase.decode(UIComponentBase.java:789)
at javax.faces.component.UIComponentBase.processDecodes(UIComponentBase.java:1031)
at javax.faces.component.UIForm.processDecodes(UIForm.java:209)
at org.ajax4jsf.component.AjaxViewRoot$1.invokeContextCallback(AjaxViewRoot.java:392)
at org.ajax4jsf.component.AjaxViewRoot.processPhase(AjaxViewRoot.java:238)
at org.ajax4jsf.component.AjaxViewRoot.processDecodes(AjaxViewRoot.java:409)
at com.sun.faces.lifecycle.ApplyRequestValuesPhase.execute(ApplyRequestValuesPhase.java:78)
at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100)
at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:118)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:638)
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:444)
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:382)
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:310)
at org.jboss.seam.web.RewriteFilter.process(RewriteFilter.java:98)
at org.jboss.seam.web.RewriteFilter.doFilter(RewriteFilter.java:57)
at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
at org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40)
at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90)
at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:73)
at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:178)
at org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290)
at org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:368)
at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:495)
at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619) -
2. Re: seam token tag problem (CSRF)
dcernahoschi Dec 6, 2009 10:24 PM (in response to dcernahoschi) I also get another exception when displaying a page that contains a form with a token tag:
java.lang.NullPointerException
at org.jboss.seam.ui.renderkit.TokenRendererBase.generateViewSignature(TokenRendererBase.java:177)
at org.jboss.seam.ui.renderkit.TokenRendererBase.doDecode(TokenRendererBase.java:108)
at org.jboss.seam.ui.util.cdk.RendererBase.decode(RendererBase.java:59)
at javax.faces.component.UIComponentBase.decode(UIComponentBase.java:789)
at javax.faces.component.UIComponentBase.processDecodes(UIComponentBase.java:1031)
at javax.faces.component.UIForm.processDecodes(UIForm.java:209)
at org.ajax4jsf.component.AjaxViewRoot$1.invokeContextCallback(AjaxViewRoot.java:392)
at org.ajax4jsf.component.AjaxViewRoot.processPhase(AjaxViewRoot.java:238)
at org.ajax4jsf.component.AjaxViewRoot.processDecodes(AjaxViewRoot.java:409)
at com.sun.faces.lifecycle.ApplyRequestValuesPhase.execute(ApplyRequestValuesPhase.java:78)
at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100)
at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:118)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:638)
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:444)
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:382)
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:310)
at org.jboss.seam.web.RewriteFilter.process(RewriteFilter.java:98)
at org.jboss.seam.web.RewriteFilter.doFilter(RewriteFilter.java:57)
at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
at org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40)
at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90)
at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:73)
at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:178)
at org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290)
at org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:368)
at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:495)
at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619) -
3. Re: seam token tag problem (CSRF)
jrd.andrzej.jordanow.gmail.com Dec 7, 2009 2:55 PM (in response to dcernahoschi) I suspect the problem is in the s:token implementation itself: the org.jboss.seam.ui.ClientUidSelector class has a seed() method that generates the cookie value (clientUid) for the token tag:
public void seed() { if (!isSet()) { clientUid = RandomStringUtils.randomAscii(50); setCookieValueIfEnabled(clientUid); } }
Unfortunately randomAscii sometimes generates a semicolon (;) character, which truncates the cookie value (in general, the semicolon is a special character in HTTP cookies: it ends a name/value pair inside the Cookie header). You could replace it with e.g. clientUid = RandomStringUtils.random(50, true, true); and copy-paste a lot of related classes, or file a bug report.
-
4. Re: seam token tag problem (CSRF)
dcernahoschi Dec 9, 2009 8:29 PM (in response to dcernahoschi)Yeap. It seems that patching the org.jboss.seam.ui.ClientUidSelector class solves the problem. Thank you!
I've created a JIRA bug: https://jira.jboss.org/jira/browse/JBSEAM-4503
-
5. Re: seam token tag problem (CSRF)
gecko Dec 15, 2009 10:26 AM (in response to dcernahoschi) Until that issue is fixed, put the class below in your webapp's classpath:
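/**
 * Drop-in replacement for Seam's {@code ClientUidSelector}, registered under the
 * same component name with deployment precedence so the {@code s:token} tag
 * picks it up instead of the stock component.
 *
 * <p>The stock implementation seeded the client UID with
 * {@code RandomStringUtils.randomAscii(50)}, whose alphabet includes {@code ';'}.
 * A semicolon terminates the name/value pair in the Cookie header, so the value
 * sent back by the browser could be truncated and the form signature check then
 * fails. This class restricts the alphabet to letters and digits.
 *
 * <p>The parent's {@code clientUid} field is private, so the field and the three
 * accessors that touch it are redeclared here rather than inherited.
 */
@Name("org.jboss.seam.ui.clientUidSelector")
@Install(precedence = Install.DEPLOYMENT)
public class FixedClientUidSelector extends ClientUidSelector {

    private static final long serialVersionUID = -4923235748771706010L;

    /** Length of the generated client UID, in characters. */
    private static final int CLIENT_UID_LENGTH = 50;

    /**
     * Randomness source for the client UID. The token tag appears to bind the
     * form signature to this value, so it should not be guessable;
     * {@code RandomStringUtils.random(int, boolean, boolean)} draws from a
     * shared {@code java.util.Random}, which is not suitable for that purpose.
     */
    private static final java.security.SecureRandom SECURE_RANDOM =
            new java.security.SecureRandom();

    /** Per-client identifier mirrored from the cookie; null until seeded. */
    private String clientUid;

    /**
     * Configures the cookie and loads any value the client already sent.
     * Runs once when Seam instantiates the component.
     */
    @Create
    public void onCreate() {
        setCookiePath(FacesContext.getCurrentInstance().getExternalContext().getRequestContextPath());
        // Negative max-age means a session cookie in the Servlet Cookie API,
        // assuming the base class passes the value straight through.
        setCookieMaxAge(-1);
        setCookieEnabled(true);
        clientUid = getCookieValue();
    }

    /**
     * Generates a fresh client UID and stores it in the cookie, unless one is
     * already set. Only letters and digits are used so the value survives the
     * Cookie header unchanged.
     */
    @Override
    public void seed() {
        if (!isSet()) {
            // start/end of 0 select the default printable range; letters and digits only.
            clientUid = RandomStringUtils.random(
                    CLIENT_UID_LENGTH, 0, 0, true, true, null, SECURE_RANDOM);
            setCookieValueIfEnabled(clientUid);
        }
    }

    /** @return whether a client UID has been loaded from the cookie or generated */
    @Override
    public boolean isSet() {
        return clientUid != null;
    }

    /** @return the current client UID, or null if none has been seeded */
    @Override
    public String getClientUid() {
        return clientUid;
    }

    /** @return the cookie name used by the stock component, so existing cookies stay valid */
    @Override
    protected String getCookieName() {
        return "javax.faces.ClientToken";
    }
}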
6. Re: seam token tag problem (CSRF)
okianl Jul 14, 2010 10:05 AM (in response to dcernahoschi)Thanks for sharing that with us. It works great!
Lucian
-
7. Re: seam token tag problem (CSRF)
bdill Aug 26, 2010 4:51 PM (in response to dcernahoschi) If you have problems getting this to work in IE, check the bug filed here. Setting the cookie path to empty will cause some versions of IE to not accept the cookie and will produce a "No client identifier provided" error or an UnauthorizedCommandException.
-
8. Re: seam token tag problem (CSRF)
npquang_uns Mar 19, 2013 6:45 AM (in response to gecko)Hi all,
I use jboss-seam 2.2.1 and have this issue too.
I tried the provided class but hit another exception:
Caused by: java.lang.ClassCastException: FixedClientUidSelector_$$_javassist_seam_13 cannot be cast to org.jboss.seam.ui.ClientUidSelector
at org.jboss.seam.ui.component.UIToken.getClientUidSelector(UIToken.java:108)
at org.jboss.seam.ui.renderkit.TokenRendererBase.writeCookieCheckScript(TokenRendererBase.java:161)
at org.jboss.seam.ui.renderkit.TokenRendererBase.doEncodeBegin(TokenRendererBase.java:144)
at org.jboss.seam.ui.util.cdk.RendererBase.encodeBegin(RendererBase.java:79)
at javax.faces.component.UIComponentBase.encodeBegin(UIComponentBase.java:813)
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:934)
at javax.faces.render.Renderer.encodeChildren(Renderer.java:148)
at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:837)
at org.ajax4jsf.renderkit.RendererBase.renderChild(RendererBase.java:277)
at org.richfaces.renderkit.html.ToolBarGroupRenderer.renderChild(ToolBarGroupRenderer.java:74)
at org.richfaces.renderkit.html.ToolBarGroupRenderer.encodeChildren(ToolBarGroupRenderer.java:56)
at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:837)
at org.ajax4jsf.renderkit.RendererBase.renderChild(RendererBase.java:277)
at org.richfaces.renderkit.html.ToolBarRendererBase.encodeChildren(ToolBarRendererBase.java:118)
at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:837)
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:936)
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:942)
at com.sun.facelets.FaceletViewHandler.renderView(FaceletViewHandler.java:592)
at org.ajax4jsf.application.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:100)
at org.ajax4jsf.application.AjaxViewHandler.renderView(AjaxViewHandler.java:176)
at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:109)
at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100)
at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:139)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:266)
The FixedClientUidSelector class DOES extend org.jboss.seam.ui.ClientUidSelector.
Any help is appreciated.
Thanks,
Quang
-
9. Re: seam token tag problem (CSRF)
npquang_uns Mar 20, 2013 6:52 AM (in response to npquang_uns) It was because the class org.jboss.seam.ui.ClientUidSelector was loaded twice from different locations.
I just removed the redundant copy and it works.