4 Replies Latest reply on Sep 13, 2011 9:47 AM by Ale Feltes Quenhan

    SafeActions.isActionSafe causing IllegalArgumentException under https

    Mark LoSacco Newbie

      I have added mod_rewrite rules to my Apache config to handle switching back and forth between http and https outside of Seam.  As a result I now get IllegalArgumentExceptions thrown by SafeActions.isActionSafe when I click on s:button objects on pages that are under Apache-managed https.

      I have confirmed that after backing out my Apache rewrite rules and running under http the problem goes away.

      Hoping someone can help explain what the purpose of this check is and why it might be failing in an Apache-managed https scenario...

      Here is the stack:
      Exception during request processing:
      Caused by java.lang.IllegalArgumentException with message: "Invalid action method admin%2Fmanager.xhtml%3AmanagerAction.cancel"

      org.jboss.seam.navigation.SafeActions.isActionSafe(SafeActions.java:62)
      org.jboss.seam.navigation.Pages.callAction(Pages.java:704)
      org.jboss.seam.navigation.Pages.preRender(Pages.java:346)
      org.jboss.seam.jsf.SeamPhaseListener.preRenderPage(SeamPhaseListener.java:562)
      org.jboss.seam.jsf.SeamPhaseListener.beforeRenderResponse(SeamPhaseListener.java:473)
      org.jboss.seam.jsf.SeamPhaseListener.beforeServletPhase(SeamPhaseListener.java:146)
      org.jboss.seam.jsf.SeamPhaseListener.beforePhase(SeamPhaseListener.java:116)
      com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:222)
      com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:144)
      javax.faces.webapp.FacesServlet.service(FacesServlet.java:245)
      org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
      org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:83)
      org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40)
      org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
      org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90)
      org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
      org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
      org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
      org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
      org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
      org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:177)
      org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:267)
      org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:380)
      org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:507)
      org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
      org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
      org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:58)
      org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
      org.jboss.seam.web.HotDeployFilter.doFilter(HotDeployFilter.java:53)
      org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
      org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
      org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
      org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
      org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
      org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
      org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
      org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
      org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
      org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
      org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
      org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
      org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
      java.lang.Thread.run(Thread.java:619)

      -Mark

        • 1. Re: SafeActions.isActionSafe causing IllegalArgumentException under https
          Elias Ross Master

          Looks like the action string is getting mangled (URL encoded or never decoded) so Seam doesn't know how to correctly parse the action method name. The code expects a ':' where a %3A is in your string.


          SafeActions.java:
          
                int loc = id.indexOf(':');
                if (loc<0) throw new IllegalArgumentException("Invalid action method " + id);



          Check what your browser is sending for actionMethod as a request parameter.
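
Added example (not from the thread or from Seam): a small Java check that applies the same ':' test as the SafeActions excerpt above and reports how many URL-encoding layers remain on an actionMethod value. The class and method names are hypothetical; the first two sample values come from this thread (the rendered link decoded once, and the value in the exception message), the other two are constructed.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Added illustration. ActionMethodCheck and its methods are hypothetical names,
// not Seam classes. Requires Java 10+ for URLDecoder.decode(String, Charset).
public class ActionMethodCheck {

    // Same test as the SafeActions excerpt: the id must contain a literal ':'.
    static boolean hasSeparator(String id) {
        return id.indexOf(':') >= 0;
    }

    // Number of extra URL-decoding passes needed before ':' appears.
    //  0  = the value arrived correctly decoded
    //  1+ = a step between the rendered link and the application re-encoded it
    // -1  = no ':' even after decoding, so the value is malformed for another reason
    static int extraEncodingLayers(String id) {
        String current = id;
        for (int layers = 0; layers <= 3; layers++) {
            if (hasSeparator(current)) {
                return layers;
            }
            String decoded;
            try {
                decoded = URLDecoder.decode(current, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                return -1; // invalid percent escape
            }
            if (decoded.equals(current)) {
                return -1; // nothing left to decode
            }
            current = decoded;
        }
        return -1;
    }

    public static void main(String[] args) {
        String[] samples = {
            "manager/member.xhtml:memberAction.cancel",         // link from the thread, decoded once
            "admin%2Fmanager.xhtml%3AmanagerAction.cancel",     // value in the exception message
            "admin%252Fmanager.xhtml%253AmanagerAction.cancel", // constructed: encoded twice
            "memberAction.cancel"                               // constructed: no view id at all
        };
        for (String s : samples) {
            System.out.println(extraEncodingLayers(s) + "  " + s);
        }
    }
}
```

A result of 1 or more means the parameter was encoded again somewhere between the rendered link and the application, for example by a redirect or rewrite step. Correct that step rather than adding an extra decode inside the application, so the strict ':' check keeps rejecting malformed values.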

          • 2. Re: SafeActions.isActionSafe causing IllegalArgumentException under https
            Mark LoSacco Newbie

            Thanks for the reply - I looked at the html being sent to the browser in the fail case (under https) and the success case (under http).  The generated code is identical and looks like the following in both cases:


            <input onclick="location.href='http://www.server.com:80/lu/manager/member.seam?sportId=0&amp;userId=0&amp;selectTab=&amp;actionMethod=manager%2Fmember.xhtml%3AmemberAction.cancel&amp;cid=47879'; return false;" id="user:done" value="Cancel" type="button" />
            



            I should also say that this problem does not occur on my localhost, just on our production server.  My localhost is running Vista versus Linux on the production server.


            I am not sure how to work around this - other than nuking the use of s:link and s:button from my secured pages.


            -Mark

            • 3. Re: SafeActions.isActionSafe causing IllegalArgumentException under https
              Mark LoSacco Newbie

              I figured out my problem - I had used https-port and http-port params in my pages.xml file before I decided to implement https in Apache.  Those settings were interfering with what I had set up.


              Sorry and thanks to those that read and posted.


              -Mark

              • 4. Re: SafeActions.isActionSafe causing IllegalArgumentException under https
                Ale Feltes Quenhan Newbie
                I had the same problem with these versions:

                http://www.jboss.com/products/platforms/application/components/#JEAP5.1.1

                I've solved the "java.lang.IllegalStateException: Unable to read view /view.xhtml to execute action" problem due to org.jboss.seam.navigation.SafeActions.isActionSafe with this link and code:

                https://issues.jboss.org/browse/JBPAPP-6283

                Create a new POJO extending org.jboss.seam.navigation.SafeActions with this code:

                http://source.jboss.org/browse/Seam/branches/community/Seam_2_3/jboss-seam/src/main/java/org/jboss/seam/navigation/SafeActions.java?r=14141

                Replace the precedence like this:

                @Install(precedence = DEPLOYMENT, classDependencies = "javax.faces.context.FacesContext")