5 Replies Latest reply on May 13, 2008 2:34 PM by rzymek.rzymek.gmail.com

    Security issue - 'actionMethod' as parameter

    trouby

      Hey,

      I have a page that is protected for authenticated users only.

      Accessing the page without specifying any parameter results in a redirect to the correct login page and everything works fine.

      But if the 'actionMethod' parameter is specified, I get an exception from the invoked action.

      I assume this is not the expected behavior; if the page is protected, then the method should be invoked only after the authentication occurs and not before.

      Thanks,

      Asaf.

        • 1. Re: Security issue - 'actionMethod' as parameter
          shane.bryzak

          I don't quite understand the question.  Perhaps you should post some of your code.

          • 2. Re: Security issue - 'actionMethod' as parameter
            trouby

            I use a Seam component for rendering all jBPM tasks related to the logged-in user in a DT.

            Per row, I have the following link:

            <s:button action="#{taskManager.loadTaskNode}" taskInstance="#{jTask}" value="Review" view="/taskInfo.xhtml"/>

            taskManager.loadTaskNode is empty; it's just annotated with @BeginTask for starting the task management.

            The s:button generates a link such as (the link is not accurate!):

            http://myserver/taskInfo.xhtml?taskId=44&actionMethod=taskManager.loadTaskNode

            I want this link to be bookmarked and re-used later on. When I submit the link, I get an exception from the 'loadTaskNode' method.

            It shouldn't happen, as the taskInfo.xhtml page is restricted to logged-in users only; I was expecting the login prompt before the method invocation.

            This is just an example. I am pretty sure it has nothing to do with jBPM tasks, as Seam generates the 'actionMethod' request parameter for any invocation through Seam links.

            Asaf.

            • 3. Re: Security issue - 'actionMethod' as parameter
              pmuir

              AFAICS this should work, so please file a JIRA issue and attach a simple example of the problem that we can run (preferably not involving jBPM!).

              • 4. Re: Security issue - 'actionMethod' as parameter
                rzymek.rzymek.gmail.com

                The action will be called, and this has nothing to do with the 'actionMethod' parameter.

                By protecting only the taskInfo.xhtml page (via <page login-required="true"> in pages.xml) you only ensure that only logged-in users can RENDER the page.

                You need to protect all your components as well, using the @Restrict annotation:

                import org.jboss.seam.annotations.Name;
                import org.jboss.seam.annotations.security.Restrict;

                @Name("taskManager")
                @Restrict("#{s:hasRole('someRoleName')}")
                public class TaskManager {
                  /* ... */
                }
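A fuller version of the fix described in the reply above, as an added example that is not code from this thread or from the Seam project (the component, method, role, view and package names are assumptions): the view stays protected with login-required in pages.xml, and the action method that a bookmarked URL can name in the actionMethod parameter is restricted on the component itself, so an unauthenticated request raises NotLoggedInException and an authenticated caller without the role raises AuthorizationException, instead of the method body running before any login check.

```java
// Added example (not from the thread). Assumed names: package example,
// component "taskManager", method loadTaskNode, role "reviewer",
// view /taskInfo.xhtml.
//
// pages.xml (assumed excerpt) keeps the page-level protection, which only
// governs rendering of the view:
//
//   <page view-id="/taskInfo.xhtml" login-required="true"/>
//
// Because that alone does not stop the action named in the actionMethod
// request parameter from being invoked, the component is restricted too.
package example;

import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.bpm.BeginTask;
import org.jboss.seam.annotations.security.Restrict;

@Name("taskManager")
public class TaskManager {

    // @Restrict is enforced by Seam's security interceptor on every
    // invocation of the component method, whether the call comes from a
    // form submit, an s:link/s:button, or a bookmarked URL carrying
    // ?actionMethod=taskManager.loadTaskNode.
    //
    // Identity.checkRestriction evaluates the expression; when it is false
    // it throws NotLoggedInException for an anonymous caller (Seam's
    // default handling redirects to the configured login-view-id) and
    // AuthorizationException for a logged-in caller lacking the role.
    @Restrict("#{identity.loggedIn and s:hasRole('reviewer')}")
    @BeginTask
    public void loadTaskNode() {
        // Intentionally empty: @BeginTask attaches the jBPM task identified
        // by the taskId request parameter to the conversation.
    }
}
```

Putting the restriction on the method rather than only on the class keeps the check next to the entry point that the URL can reach; a class-level @Restrict, as in the reply above, applies the same expression to every method of the component.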

                • 5. Re: Security issue - 'actionMethod' as parameter
                  rzymek.rzymek.gmail.com

                  By the way: the actionMethod parameter is checked, so that it does not allow arbitrary values. Take a look at SafeActions:

                  import static org.jboss.seam.annotations.Install.BUILT_IN;

                  import org.jboss.seam.ScopeType;
                  import org.jboss.seam.annotations.Install;
                  import org.jboss.seam.annotations.Name;
                  import org.jboss.seam.annotations.Scope;
                  import org.jboss.seam.annotations.intercept.BypassInterceptors;

                  /**
                   * Maintains a set of "safe" actions that may be performed
                   * by <s:link/>, as determined by actually parsing
                   * the view.
                   *
                   * @author Gavin King
                   *
                   */
                  @Scope(ScopeType.APPLICATION)
                  @BypassInterceptors
                  @Name("org.jboss.seam.navigation.safeActions")
                  @Install(precedence=BUILT_IN, classDependencies="javax.faces.context.FacesContext")
                  public class SafeActions {

                  The actionMethod parameter is actually read in the Pages.callAction method, which uses the SafeActions component.

                  As you can see, the value from the actionMethod parameter is only executed when it appears on the corresponding page.