1 Reply Latest reply on Feb 24, 2010 1:36 PM by Snake Zori

    org.jboss.seam.ui.UnauthorizedCommandException and Ratproxy with X parameter

    Snake Zori Newbie

      I've put s:token with attributes requireSession set to false, allowMultiplePosts set to  true into all my forms to prevent XSRF. I use ratproxy for testing:


      ./ratproxy -v . -w myFile.log -d myHost -p 8080 -lextifscgjmX
      (notice the X)
      and when I click on a h:commandButton I get this on JBoss console :



      WARN  [lifecycle] viewId: /home.xhtml - Form signature invalid
      org.jboss.seam.ui.UnauthorizedCommandException: viewId: /home.xhtml - Form signature invalid
      at org.jboss.seam.ui.renderkit.TokenRendererBase.doDecode(TokenRendererBase.java:110)
      [...]
      ERROR [lifecycle] JSF1054: (Phase ID: APPLY_REQUEST_VALUES 2, View ID: /home.xhtml) Exception thrown during phase execution: javax.faces.event.PhaseEvent[source=com.sun.faces.lifecycle.LifecycleImpl@943658]





      so I've put into pages.xml at the to of 'exception section' :




      <exception class="org.jboss.seam.ui.UnauthorizedCommandException" log="false">   
        <redirect view-id="/error.xhtml">
         <message severity="error">#{messages['exception.FormSignatureException']}</message>
        </redirect>
      </exception>
      




      in hope that it will catch and not 'spam' my log with GBs of exceptions in case of active attack or testing. Unfortunately exception keeps showing :(


      please advice