1 Reply Latest reply on Feb 24, 2010 1:36 PM by syjmick

    org.jboss.seam.ui.UnauthorizedCommandException and Ratproxy with X parameter

      I've put s:token, with the attributes requireSession set to false and allowMultiplePosts set to true, into all my forms to prevent XSRF. I use ratproxy for testing:


      ./ratproxy -v . -w myFile.log -d myHost -p 8080 -lextifscgjmX
      (notice the X)
      and when I click on an h:commandButton I get this on the JBoss console:



      WARN  [lifecycle] viewId: /home.xhtml - Form signature invalid
      org.jboss.seam.ui.UnauthorizedCommandException: viewId: /home.xhtml - Form signature invalid
      at org.jboss.seam.ui.renderkit.TokenRendererBase.doDecode(TokenRendererBase.java:110)
      [...]
      ERROR [lifecycle] JSF1054: (Phase ID: APPLY_REQUEST_VALUES 2, View ID: /home.xhtml) Exception thrown during phase execution: javax.faces.event.PhaseEvent[source=com.sun.faces.lifecycle.LifecycleImpl@943658]





      so I've put this into pages.xml at the top of the 'exception section':




      <exception class="org.jboss.seam.ui.UnauthorizedCommandException" log="false">   
        <redirect view-id="/error.xhtml">
         <message severity="error">#{messages['exception.FormSignatureException']}</message>
        </redirect>
      </exception>
      




      in the hope that it will catch the exception and not 'spam' my log with GBs of exceptions in case of an active attack or testing. Unfortunately, the exception keeps showing :(


      Please advise.