2 Replies Latest reply on Jul 30, 2013 7:09 AM by mp911de

    EAP 6.1 JSF2+Servlet+Form based login breaks security

    mp911de
    mp911de Jul 30, 2013 6:50 AM

      Hi there,

      I noticed today, as soon as I use JSF2-Pages (xhtml) for Form-Based login and trying to access a servlet though JSF2, security is ignored for the servlet behind.

       

      One of the servlets (every servlet is affected):

       

      @WebServlet(urlPatterns = {
          "/init"
})
public class ContextInitServlet extends HttpServlet {

       

       

      web.xml

       

         <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>/faces/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>


   <security-constraint>
        <web-resource-collection>
            <web-resource-name>protected-resources</web-resource-name>
            <url-pattern>/ui/*</url-pattern>
            <url-pattern>/faces/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>


    <login-config>
        <auth-method>SPNEGO</auth-method>
        <realm-name>SPNEGO</realm-name>
        <form-login-config>
            <form-login-page>/login/login.xhtml</form-login-page>
            <form-error-page>/login/error.xhtml</form-error-page>
        </form-login-config>
    </login-config>

       

       

      GET http://localhost:8080/myapp/faces/init

       

      leads to a successful request without any authentication. Any servlet within my app can be accessed that way.

       

       

      Currently my workaround is

       

       

                if (SecurityContextAssociation.getSubject() == null) {
                    FacesContext.getCurrentInstance().getApplication().getNavigationHandler()
                                        .handleNavigation(FacesContext.getCurrentInstance(), "", "/login/login.xhtml");
                    return;
          }

       

      within the Servlet.

       

       

      Is this a JBoss Web issue or is this a Mojarra problem?

       

       

      Used Software:

      • JBoss AS 7.2 (EAP 6.1)
      • Bundled Mojarra 2.1.19-redhat-1
      • RichFaces 4.3.3.Final
      • SPNEGO (Kerberos SSO) 2.2.5.Final-redhat-1

       

       

      Thanks and best regards,

      Mark

        • 1. Re: EAP 6.1 JSF2+Servlet+Form based login breaks security
          jaikiran
          jaikiran Jul 30, 2013 7:05 AM (in response to mp911de)

          I don't understand. The servlet is mapped to "/init" and you are accessing "/faces/init". Irrespective of security, I don't understand how the invocation ends up in that servlet with that access URL.

            • Actions
          • 2. Re: EAP 6.1 JSF2+Servlet+Form based login breaks security
            mp911de
            mp911de Jul 30, 2013 7:09 AM (in response to jaikiran)

            Correct. Somehow Mojarra tunnels the request to the servlet. This is as well a new behavior for me, until a couple days ago this seemed impossible for me as well.

            Here's the stack-trace:

             

            at com.kaufland.dms.web.ui.context.ContextInitServlet.doGet(ContextInitServlet.java:87) [:]

                      at javax.servlet.http.HttpServlet.service(HttpServlet.java:734) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]

                      at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]

                      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]

                      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]

                      at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:832) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]

                      at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:620) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]

                      at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:553) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]

                      at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:482) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]

                      at com.sun.faces.context.ExternalContextImpl.dispatch(ExternalContextImpl.java:568) [jsf-impl-2.1.19-redhat-1.jar:2.1.19-redhat-1]

                      at javax.faces.context.ExternalContextWrapper.dispatch(ExternalContextWrapper.java:93) [jboss-jsf-api_2.1_spec-2.1.19.1.Final-redhat-1.jar:2.1.19.1.Final-redhat-1]

                      at com.sun.faces.application.view.JspViewHandlingStrategy.executePageToBuildView(JspViewHandlingStrategy.java:363) [jsf-impl-2.1.19-redhat-1.jar:2.1.19-redhat-1]

                      at com.sun.faces.application.view.JspViewHandlingStrategy.buildView(JspViewHandlingStrategy.java:153) [jsf-impl-2.1.19-redhat-1.jar:2.1.19-redhat-1]

                      at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:99) [jsf-impl-2.1.19-redhat-1.jar:2.1.19-redhat-1]

                      at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101) [jsf-impl-2.1.19-redhat-1.jar:2.1.19-redhat-1]

                      at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:139) [jsf-impl-2.1.19-redhat-1.jar:2.1.19-redhat-1]

                      at javax.faces.webapp.FacesServlet.service(FacesServlet.java:594) [jboss-jsf-api_2.1_spec-2.1.19.1.Final-redhat-1.jar:2.1.19.1.Final-redhat-1]

                      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]

                      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]

                      at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:832) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]

              • Actions