ICEfaces / ICE-2119

ServletEnvironmentRequest wraps only the first HttpServletRequest in session

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.6.1
    • Fix Version/s: 1.6.2, 1.7DR#3, 1.7
    • Component/s: None
    • Labels:
      None
    • Environment:
      Windows XP SP2
      Java 1.5
      WebLogic 9.2

      Description

      ServletEnvironmentRequest wraps only the first HttpServletRequest in the session, and from this comes the problem of using isUserInRole from ExternalContext when using JAAS security (not Acegi).
      I've observed that when I add login-config with auth-method set to BASIC in web.xml, IceFaces wraps the first request in ServletEnvironmentRequest, which is simply a request to access the application without the user's roles loaded. After this first request the server sends information about authorization, and if it succeeds the second request will have all information about roles and principals.
      I think that even if wrapping only the first request doesn't cause this bug, it should always be updated, so the developer can access the current request, not the one from the start of the session.
      1. patch.txt
        1 kB
        Marcin Dabrowski

        Activity

        Marcin Dabrowski added a comment -

        This bug also makes the application unable to call secured EJB methods.

        Marcin Dabrowski added a comment -

        I've developed a patch which should be applied to com.icesoft.faces.webapp.http.servlet.ServletExternalContext.
        I've used the 1.6.1 source code.

        Here is a patch:
        Index: ServletExternalContext.java
        ===================================================================
        — ServletExternalContext.java (revision 14843)
        +++ ServletExternalContext.java (working copy)
        @@ -18,6 +18,7 @@
        import java.io.InputStream;
        import java.io.OutputStreamWriter;
        import java.io.Writer;
        +import java.lang.reflect.Constructor;
        import java.net.MalformedURLException;
        import java.net.URL;
        import java.security.Principal;
        @@ -144,6 +145,22 @@
        }
        responseCookieMap = Collections.synchronizedMap(new HashMap());

        + // we need to keep request updated.
        + String requestClassName = this.request.getClass().getName();
        + if (requestClassName.equals("com.icesoft.faces.env.ServletEnvironmentRequest")
        + || requestClassName.equals("com.icesoft.faces.env.PortletEnvironmentRenderRequest")) {
        + try

        { + Constructor<? extends HttpServletRequest> construcotr = this.request + .getClass().getConstructor(Object.class); + this.request = construcotr.newInstance(request); + }

        catch (Exception e)

        { + // this situation should never happened + this.request = request; + }

        + } else

        { + this.request = request; + }

        +
        this.response = response;
        }
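
        Review bot: The type test in `requestClassName.equals(...)` compares hard-coded class-name strings and then rebuilds the wrapper reflectively through `getConstructor(Object.class)`, so a subclass of either wrapper drops into the `else` branch and any reflection failure is swallowed by `catch (Exception e)`, leaving the context with an unwrapped request and no trace of why. Because role checks such as isUserInRole read this field, use `instanceof` and call the two wrapper constructors directly, and log the exception rather than discarding it. In addition, `this.request.getClass()` is dereferenced before the field is assigned in this method and needs a null guard if the method can run before a request has been stored, and the local `construcotr` is misspelled.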

        Marcin Dabrowski added a comment -

        Patch contains updating of cached HttpServletRequest.

        Mircea Toma added a comment -

        Introduce abstraction (AuthenticationVerifier) backed by JAAS or ACEGI implementations. JAAS implementation uses the active request to check user's role.

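
The stale-request problem from the description and the active-request approach from the fix comment, as an added example that is not ICEfaces code: `Request` stands in for HttpServletRequest, and the shape of `AuthenticationVerifier` and every helper name are assumptions. It also covers a later request in the same session that carries no roles, which goes beyond the case in the report.

```java
import java.util.Set;
import java.util.function.Supplier;

public class ActiveRequestRoleCheck {
    // Stand-in for the one HttpServletRequest method that matters here (assumption).
    interface Request { boolean isUserInRole(String role); }

    // Hypothetical shape of the abstraction named in the fix; the real interface is not shown.
    interface AuthenticationVerifier { boolean isUserInRole(String role); }

    // Constructed request: holds the roles the container resolved for one exchange.
    static Request requestWithRoles(String... roles) {
        Set<String> granted = Set.of(roles);
        return granted::contains;
    }

    // Reported behaviour: the check is bound to whichever request opened the session.
    static AuthenticationVerifier boundToFirstRequest(Request first) {
        return first::isUserInRole;
    }

    // Fixed behaviour: the check asks for the active request on every call.
    static AuthenticationVerifier boundToActiveRequest(Supplier<Request> active) {
        return role -> active.get().isUserInRole(role);
    }

    public static void main(String[] args) {
        Request[] current = new Request[1]; // slot for "the request being served now"

        // Request 1: no credentials yet, the container answers with the BASIC challenge.
        current[0] = requestWithRoles();
        AuthenticationVerifier stale = boundToFirstRequest(current[0]);
        AuthenticationVerifier live = boundToActiveRequest(() -> current[0]);

        // Request 2: credentials accepted, the container attaches the user's roles.
        current[0] = requestWithRoles("admin");
        System.out.println("stale sees admin: " + stale.isUserInRole("admin"));
        System.out.println("live sees admin:  " + live.isUserInRole("admin"));

        // Request 3: a later request in the same session that carries no roles.
        current[0] = requestWithRoles();
        System.out.println("live after role loss: " + live.isUserInRole("admin"));
    }
}
```

The stale verifier keeps answering from the unauthenticated first request, while the live one follows whatever the container resolved for the request being served.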

          People

          • Assignee:
            Unassigned
            Reporter:
            Marcin Dabrowski