2 Replies Latest reply on Jul 30, 2013 7:09 AM by Mark Paluch

    EAP 6.1 JSF2+Servlet+Form based login breaks security

    Mark Paluch Master

      Hi there,

      I noticed today that as soon as I use JSF2 pages (xhtml) for form-based login and try to access a servlet through JSF2, security is ignored for the servlet behind it.


      One of the servlets (every servlet is affected):


      import javax.servlet.annotation.WebServlet;
      import javax.servlet.http.HttpServlet;

      // Mapped only to /init; nothing maps this servlet under /faces/*
      @WebServlet(urlPatterns = {
                "/init"
      })
      public class ContextInitServlet extends HttpServlet {
          // doGet(...) body not shown in the post
      }

      web.xml


          <servlet>
              <servlet-name>Faces Servlet</servlet-name>
              <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
              <load-on-startup>1</load-on-startup>
          </servlet>

          <!-- Prefix mapping: /faces/init is handled by the FacesServlet with view id /init -->
          <servlet-mapping>
              <servlet-name>Faces Servlet</servlet-name>
              <url-pattern>/faces/*</url-pattern>
          </servlet-mapping>
          <servlet-mapping>
              <servlet-name>Faces Servlet</servlet-name>
              <url-pattern>*.xhtml</url-pattern>
          </servlet-mapping>

          <!-- Only /ui/* and /faces/* are constrained; /init itself is not listed -->
          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>protected-resources</web-resource-name>
                  <url-pattern>/ui/*</url-pattern>
                  <url-pattern>/faces/*</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                  <!-- "*" means any role declared with <security-role>; none is declared in this fragment -->
                  <role-name>*</role-name>
              </auth-constraint>
              <user-data-constraint>
                  <transport-guarantee>NONE</transport-guarantee>
              </user-data-constraint>
          </security-constraint>

          <login-config>
              <auth-method>SPNEGO</auth-method>
              <realm-name>SPNEGO</realm-name>
              <form-login-config>
                  <form-login-page>/login/login.xhtml</form-login-page>
                  <form-error-page>/login/error.xhtml</form-error-page>
              </form-login-config>
          </login-config>


      GET http://localhost:8080/myapp/faces/init
      


      leads to a successful request without any authentication. Any servlet within my app can be accessed that way.


      Currently my workaround is


                import javax.faces.context.FacesContext;
                import org.jboss.security.SecurityContextAssociation;

                // Inside doGet(): FacesContext exists here only because the FacesServlet forwarded
                // the request. SecurityContextAssociation is JBoss-specific; a null subject means
                // the container has not authenticated this request.
                if (SecurityContextAssociation.getSubject() == null) {
                          FacesContext.getCurrentInstance().getApplication().getNavigationHandler()
                                              .handleNavigation(FacesContext.getCurrentInstance(), "", "/login/login.xhtml");
                          return;
                }


      within the Servlet.


      Is this a JBoss Web issue or is this a Mojarra problem?


      Used Software:

      • JBoss AS 7.2 (EAP 6.1)
      • Bundled Mojarra 2.1.19-redhat-1
      • RichFaces 4.3.3.Final
      • SPNEGO (Kerberos SSO) 2.2.5.Final-redhat-1


      Thanks and best regards,

      Mark
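      A portable alternative to the per-servlet workaround above, added here as an example and not code from the original post: a servlet filter registered for FORWARD and INCLUDE dispatches as well as direct client requests, which checks HttpServletRequest.getUserPrincipal() instead of the JBoss-specific SecurityContextAssociation. The reasoning: web.xml security constraints are evaluated by the container against the URL the client requested, not against the target of a RequestDispatcher forward, and the trace in the second reply shows the FacesServlet reaching ContextInitServlet through ApplicationDispatcher.forward. Whatever the reason the client request to /faces/init was not challenged (the thread does not resolve that), a filter that also runs on the forward guarantees the servlet behind it never executes for an unauthenticated request. The package, filter name and the /login/ allow-list are assumptions for the example; the web.xml fragments in the post are otherwise unchanged.

```java
package com.example.security; // hypothetical package, not from the post

import java.io.IOException;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Defense-in-depth authentication gate (Servlet 3.0, usable on JBoss AS 7 / EAP 6).
 * Container security constraints are checked against the client's request URL only;
 * a servlet reached via RequestDispatcher.forward() (as the FacesServlet does for a
 * non-Facelets view id such as /init) is not re-checked. Registering the filter for
 * FORWARD and INCLUDE closes that path regardless of how the servlet was reached.
 */
@WebFilter(
        filterName = "AuthenticatedDispatchFilter", // hypothetical name
        urlPatterns = { "/*" },
        dispatcherTypes = { DispatcherType.REQUEST, DispatcherType.FORWARD, DispatcherType.INCLUDE })
public class AuthenticatedDispatchFilter implements Filter {

    /** Paths that must stay reachable without a principal: the form-login pages from web.xml. */
    private static final String[] PUBLIC_PREFIXES = { "/login/" };

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // On a FORWARD getRequestURI() already names the target (/init);
        // on the original REQUEST it is the client URL (/faces/init).
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // getUserPrincipal() is non-null only after the container authenticated the request.
        if (isPublic(path) || request.getUserPrincipal() != null) {
            chain.doFilter(req, res);
            return;
        }

        // Unauthenticated: refuse to run the target resource. A forward cannot restart the
        // container's login flow, so deny explicitly instead of silently serving the page.
        if (response.isCommitted()) {
            throw new ServletException("unauthenticated dispatch to " + path);
        }
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    static boolean isPublic(String path) {
        for (String prefix : PUBLIC_PREFIXES) {
            if (path.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

      With this in place, GET /myapp/faces/init by an unauthenticated client is refused twice: once by the filter on the REQUEST dispatch to /faces/init and, should anything still forward to it, again on the FORWARD dispatch to /init. Keep the web.xml security-constraint as the primary control; the filter only makes the bypass impossible rather than diagnosing it.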

        • 1. Re: EAP 6.1 JSF2+Servlet+Form based login breaks security
          jaikiran pai Master

          I don't understand. The servlet is mapped to "/init" and you are accessing "/faces/init". Irrespective of security, I don't understand how the invocation ends up in that servlet with that access URL.

          • 2. Re: EAP 6.1 JSF2+Servlet+Form based login breaks security
            Mark Paluch Master

            Correct. Somehow Mojarra tunnels the request to the servlet. This is new behavior for me as well; until a couple of days ago this seemed impossible to me, too.

            Here's the stack-trace:

            at com.kaufland.dms.web.ui.context.ContextInitServlet.doGet(ContextInitServlet.java:87) [:]
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:734) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
            at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:832) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
            at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:620) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
            at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:553) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
            at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:482) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
            at com.sun.faces.context.ExternalContextImpl.dispatch(ExternalContextImpl.java:568) [jsf-impl-2.1.19-redhat-1.jar:2.1.19-redhat-1]
            at javax.faces.context.ExternalContextWrapper.dispatch(ExternalContextWrapper.java:93) [jboss-jsf-api_2.1_spec-2.1.19.1.Final-redhat-1.jar:2.1.19.1.Final-redhat-1]
            at com.sun.faces.application.view.JspViewHandlingStrategy.executePageToBuildView(JspViewHandlingStrategy.java:363) [jsf-impl-2.1.19-redhat-1.jar:2.1.19-redhat-1]
            at com.sun.faces.application.view.JspViewHandlingStrategy.buildView(JspViewHandlingStrategy.java:153) [jsf-impl-2.1.19-redhat-1.jar:2.1.19-redhat-1]
            at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:99) [jsf-impl-2.1.19-redhat-1.jar:2.1.19-redhat-1]
            at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101) [jsf-impl-2.1.19-redhat-1.jar:2.1.19-redhat-1]
            at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:139) [jsf-impl-2.1.19-redhat-1.jar:2.1.19-redhat-1]
            at javax.faces.webapp.FacesServlet.service(FacesServlet.java:594) [jboss-jsf-api_2.1_spec-2.1.19.1.Final-redhat-1.jar:2.1.19.1.Final-redhat-1]
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
            at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:832) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]