Posted to commits@myfaces.apache.org by em...@apache.org on 2017/10/23 14:49:28 UTC
svn commit: r1813021 - in /myfaces/core/branches/2.3.x:
impl/src/main/java/org/apache/myfaces/lifecycle/RestoreViewExecutor.java
shared/src/main/java/org/apache/myfaces/shared/config/MyfacesConfig.java
Author: embreijo
Date: Mon Oct 23 14:49:28 2017
New Revision: 1813021
URL: http://svn.apache.org/viewvc?rev=1813021&view=rev
Log:
MYFACES-4058 ProtectedViewException for a protectedview access while checking the OriginHeader for appContextPath
Modified:
myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/lifecycle/RestoreViewExecutor.java
myfaces/core/branches/2.3.x/shared/src/main/java/org/apache/myfaces/shared/config/MyfacesConfig.java
Modified: myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/lifecycle/RestoreViewExecutor.java
URL: http://svn.apache.org/viewvc/myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/lifecycle/RestoreViewExecutor.java?rev=1813021&r1=1813020&r2=1813021&view=diff
==============================================================================
--- myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/lifecycle/RestoreViewExecutor.java (original)
+++ myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/lifecycle/RestoreViewExecutor.java Mon Oct 23 14:49:28 2017
@@ -422,14 +422,33 @@ class RestoreViewExecutor extends PhaseE
{
matchPort = (serverPort == port);
}
- if (serverHost.equals(host) && matchPort && path.contains(appContextPath))
+ boolean isStrictJsf2OriginHeaderAppPath =
+ MyfacesConfig.getCurrentInstance(ectx).isStrictJsf2OriginHeaderAppPath();
+ if (!path.equals(""))
{
- // Referer Header match
+ if (serverHost.equals(host) && matchPort && path.contains(appContextPath))
+ {
+ // Referer Header match
+ }
+ else
+ {
+ // Referer Header does not match
+ return false;
+ }
}
else
{
- // Referer Header does not match
- return false;
+ if (serverHost.equals(host) && matchPort && !isStrictJsf2OriginHeaderAppPath)
+ {
+ // Origin Header match and
+ // STRICT_JSF_2_ORIGIN_HEADER_APP_PATH property is set to false (default)
+ // Because we don't want to strictly follow JSF 2.x spec
+ }
+ else
+ {
+ // Origin Header does not match
+ return false;
+ }
}
}
// In theory path = appContextPath + servletPath + pathInfo.
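Review bot: The Referer branch re-introduced at `if (serverHost.equals(host) && matchPort && path.contains(appContextPath))` still uses a substring test, so any referer path that contains the context-path string somewhere (for example `/other/app/...` when the context path is `/app`) satisfies it; unless the code following this hunk (the comment `In theory path = appContextPath + servletPath + pathInfo` suggests it decomposes the path) applies a stricter check, prefer `path.equals(appContextPath) || path.startsWith(appContextPath + "/")`. The new Origin branch relies on `path.equals("")` to recognize an Origin header, which also catches a Referer of the form `scheme://host:port` with no path; under the default (non-strict) setting that is accepted on host and port alone, which is probably intended but worth a one-line comment such as `// an empty path means the value came from the Origin header (or a bare Referer); host and port are the only checkable parts`. Host comparison via `equals` is case-sensitive while host names are not, so `equalsIgnoreCase` may be the safer choice if `host` comes straight from the header. Both new `if` bodies are empty with the real work in the `else`; inverting the conditions into a single `if (!(...)) { return false; }` each would read more directly. The enclosing method begins and ends outside this hunk.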
Modified: myfaces/core/branches/2.3.x/shared/src/main/java/org/apache/myfaces/shared/config/MyfacesConfig.java
URL: http://svn.apache.org/viewvc/myfaces/core/branches/2.3.x/shared/src/main/java/org/apache/myfaces/shared/config/MyfacesConfig.java?rev=1813021&r1=1813020&r2=1813021&view=diff
==============================================================================
--- myfaces/core/branches/2.3.x/shared/src/main/java/org/apache/myfaces/shared/config/MyfacesConfig.java (original)
+++ myfaces/core/branches/2.3.x/shared/src/main/java/org/apache/myfaces/shared/config/MyfacesConfig.java Mon Oct 23 14:49:28 2017
@@ -543,6 +543,14 @@ public class MyfacesConfig
protected static final String SUPPORT_EL_3_IMPORT_HANDLER = "org.apache.myfaces.SUPPORT_EL_3_IMPORT_HANDLER";
public final static boolean SUPPORT_EL_3_IMPORT_HANDLER_DEFAULT = false;
+ /**
+ * This parameter specifies whether or not the Origin header app path should be checked
+ */
+ @JSFWebConfigParam(since="2.3", defaultValue="false", expectedValues="true,false")
+ protected static final String STRICT_JSF_2_ORIGIN_HEADER_APP_PATH =
+ "org.apache.myfaces.STRICT_JSF_2_ORIGIN_HEADER_APP_PATH";
+ public final static boolean STRICT_JSF_2_ORIGIN_HEADER_APP_PATH_DEFAULT = false;
+
private boolean _prettyHtml;
private boolean _detectJavascript;
private boolean _allowJavascript;
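Review bot: The Javadoc on the new `STRICT_JSF_2_ORIGIN_HEADER_APP_PATH` constant (`This parameter specifies whether or not the Origin header app path should be checked`) does not tell a deployer what each value actually does, and this switch relaxes a protected-view check. Based on the RestoreViewExecutor hunk in this commit, I would document it as: `When true, the JSF 2.x rule is applied strictly: an Origin header carries no path and therefore can never contain the context path, so only a matching Referer header grants protected-view access. When false (the default), an Origin header whose host and port match the current request is accepted even though the context path cannot be verified.` Stating that the default knowingly deviates from the spec for compatibility, as the inline comment in RestoreViewExecutor already does, would also help anyone auditing the configuration.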
@@ -585,6 +593,7 @@ public class MyfacesConfig
private Integer _numberOfFlashTokensInSession;
private Integer _numberOfFacesFlowClientWindowIdsInSession;
private boolean _supportEL3ImportHandler;
+ private boolean _strictJsf2OriginHeaderAppPath;
private static final boolean TOMAHAWK_AVAILABLE;
private static final boolean MYFACES_IMPL_AVAILABLE;
@@ -696,7 +705,8 @@ public class MyfacesConfig
setNumberOfFlashTokensInSession(
(INIT_PARAM_NUMBER_OF_VIEWS_IN_SESSION_DEFAULT /
INIT_PARAM_NUMBER_OF_SEQUENTIAL_VIEWS_IN_SESSION_DEFAULT)+1);
- setSupportEL3ImportHandler(SUPPORT_EL_3_IMPORT_HANDLER_DEFAULT);
+ setSupportEL3ImportHandler(SUPPORT_EL_3_IMPORT_HANDLER_DEFAULT);
+ setStrictJsf2OriginHeaderAppPath(STRICT_JSF_2_ORIGIN_HEADER_APP_PATH_DEFAULT);
}
private static MyfacesConfig createAndInitializeMyFacesConfig(ExternalContext extCtx)
@@ -894,7 +904,11 @@ public class MyfacesConfig
myfacesConfig.setSupportEL3ImportHandler(WebConfigParamUtils.getBooleanInitParameter(extCtx,
SUPPORT_EL_3_IMPORT_HANDLER,
- SUPPORT_EL_3_IMPORT_HANDLER_DEFAULT));
+ SUPPORT_EL_3_IMPORT_HANDLER_DEFAULT));
+
+ myfacesConfig.setStrictJsf2OriginHeaderAppPath(WebConfigParamUtils.getBooleanInitParameter(extCtx,
+ STRICT_JSF_2_ORIGIN_HEADER_APP_PATH,
+ STRICT_JSF_2_ORIGIN_HEADER_APP_PATH_DEFAULT));
if (TOMAHAWK_AVAILABLE)
{
@@ -1550,4 +1564,14 @@ public class MyfacesConfig
{
this._supportEL3ImportHandler = supportEL3ImportHandler;
}
+
+ public boolean isStrictJsf2OriginHeaderAppPath()
+ {
+ return _strictJsf2OriginHeaderAppPath;
+ }
+
+ public void setStrictJsf2OriginHeaderAppPath(boolean strictJsf2OriginHeaderAppPath)
+ {
+ this._strictJsf2OriginHeaderAppPath = strictJsf2OriginHeaderAppPath;
+ }
}