ICEfaces
  1. ICEfaces
  2. ICE-2119

ServletEnvironmentRequest wraps only the first HttpServletRequest in session

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.6.1
    • Fix Version/s: 1.6.2, 1.7DR#3, 1.7
    • Component/s: None
    • Labels:
      None
    • Environment:
      Windows XP SP2
      Java 1.5
      WebLogic 9.2

      Description

      ServletEnvironmentRequest wraps only the first HttpServletRequest in session, and from this came the problem of using isUserInRole from ExternalContext
      when using JAAS security (not Acegi).
      I've observed that when I add login-config with auth-method set to BASIC in web.xml, ICEfaces wraps the first request in ServletEnvironmentRequest, which is simply a request to access the application without the user's roles loaded. After this first request the server sends information about authorization, and if it succeeds the second request will have all the information about roles and principals.
      I think that even if wrapping only the first request didn't cause this bug, it should always be kept up to date, so the developer can access the current request, not the one from the start of the session.
      1. patch.txt
        1 kB
        Marcin Dabrowski

        Activity

        Marcin Dabrowski created issue -
        Marcin Dabrowski added a comment -

        This bug also makes the application unable to call secured EJB methods.

        Marcin Dabrowski added a comment -

        I've developed a patch which should be applied to com.icesoft.faces.webapp.http.servlet.ServletExternalContext.
        I've used the 1.6.1 source code.

        Here is a patch:
        Index: ServletExternalContext.java
        ===================================================================
        — ServletExternalContext.java (revision 14843)
        +++ ServletExternalContext.java (working copy)
        @@ -18,6 +18,7 @@
        import java.io.InputStream;
        import java.io.OutputStreamWriter;
        import java.io.Writer;
        +import java.lang.reflect.Constructor;
        import java.net.MalformedURLException;
        import java.net.URL;
        import java.security.Principal;
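        Review bot: the java.lang.reflect.Constructor import added here is needed only for the reflective re-wrapping in the next hunk; if that code called the wrapper constructors directly, both the import and the reflection could be dropped.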
        @@ -144,6 +145,22 @@
        }
        responseCookieMap = Collections.synchronizedMap(new HashMap());

        + // we need to keep request updated.
        + String requestClassName = this.request.getClass().getName();
        + if (requestClassName.equals("com.icesoft.faces.env.ServletEnvironmentRequest")
        + || requestClassName.equals("com.icesoft.faces.env.PortletEnvironmentRenderRequest")) {
        + try

        { + Constructor<? extends HttpServletRequest> construcotr = this.request + .getClass().getConstructor(Object.class); + this.request = construcotr.newInstance(request); + }

        catch (Exception e)

        { + // this situation should never happened + this.request = request; + }

        + } else

        { + this.request = request; + }

        +
        this.response = response;
        }
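
        Review bot: the catch (Exception e) in the new block falls back to the unwrapped request without logging anything, so a failed reflective construction silently changes the request type that later code sees; log the exception there at minimum. The guard also compares exact class names as strings and calls this.request.getClass() before the field is reassigned, so a subclass of either wrapper skips the re-wrap and a null field would throw here. An instanceof test followed by a direct constructor call would cover subclasses and remove the need for reflection.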

        Marcin Dabrowski added a comment -

        Patch contains updating of cached HttpServletRequest.

        Marcin Dabrowski made changes -
        Field Original Value New Value
        Attachment patch.txt [ 10661 ]
        Ken Fyten made changes -
        Fix Version/s 1.6.2 [ 10111 ]
        Assignee Priority P2
        Assignee Mircea Toma [ mircea.toma ]
        Repository Revision Date User Message
        ICEsoft Public SVN Repository #15041 Mon Oct 29 12:11:29 MDT 2007 mircea.toma Introduce abstraction (AuthenticationVerifier) backed by JAAS or ACEGI implementations. JAAS implementation uses the active request to check user's role.
        ICE-2119
        Files Changed
        ADD /icefaces/trunk/icefaces/core/src/com/icesoft/faces/env/AuthenticationVerifier.java
        MODIFY /icefaces/trunk/icefaces/core/src/com/icesoft/faces/webapp/http/servlet/ServletExternalContext.java
        MODIFY /icefaces/trunk/icefaces/core/src/com/icesoft/faces/env/ServletEnvironmentRequest.java
        MODIFY /icefaces/trunk/icefaces/core/src/com/icesoft/faces/env/AcegiAuthWrapper.java
        MODIFY /icefaces/trunk/icefaces/core/src/com/icesoft/faces/context/View.java
        MODIFY /icefaces/trunk/icefaces/core/src/com/icesoft/faces/webapp/http/portlet/PortletExternalContext.java
        Repository Revision Date User Message
        ICEsoft Public SVN Repository #15048 Tue Oct 30 14:57:36 MDT 2007 mircea.toma Introduce abstraction (AuthenticationVerifier) backed by JAAS or ACEGI implementations. JAAS implementation uses the active request to check user's role.
        ICE-2119
        Files Changed
        MODIFY /icefaces/branches/icefaces-1.6/icefaces/core/src/com/icesoft/faces/webapp/http/portlet/PortletExternalContext.java
        MODIFY /icefaces/branches/icefaces-1.6/icefaces/core/src/com/icesoft/faces/env/AcegiAuthWrapper.java
        MODIFY /icefaces/branches/icefaces-1.6/icefaces/core/src/com/icesoft/faces/env/ServletEnvironmentRequest.java
        MODIFY /icefaces/branches/icefaces-1.6/icefaces/core/src/com/icesoft/faces/context/View.java
        MODIFY /icefaces/branches/icefaces-1.6/icefaces/core/src/com/icesoft/faces/webapp/http/servlet/ServletExternalContext.java
        ADD /icefaces/branches/icefaces-1.6/icefaces/core/src/com/icesoft/faces/env/AuthenticationVerifier.java
        Mircea Toma added a comment -

        Introduce abstraction (AuthenticationVerifier) backed by JAAS or ACEGI implementations. JAAS implementation uses the active request to check user's role.

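
        The behaviour reported in this issue, as an added example that is not ICEfaces code: a context that wraps only the session's first request keeps answering role checks from the pre-login request, while one that re-wraps the active request sees the roles loaded after BASIC authentication. Request, ContainerRequest, Wrapper, StaleContext and FreshContext are hypothetical stand-ins, used so the example runs without a servlet container.

```java
import java.util.Set;

// Hypothetical stand-ins for the servlet request and its wrapper; none of these are ICEfaces classes.
public class StaleRequestDemo {
    interface Request { boolean isUserInRole(String role); }

    // Constructed request: the container fixes the roles for that one request.
    record ContainerRequest(Set<String> roles) implements Request {
        public boolean isUserInRole(String role) { return roles.contains(role); }
    }

    // Wrapper that answers from whichever request it was built around.
    record Wrapper(Request delegate) implements Request {
        public boolean isUserInRole(String role) { return delegate.isUserInRole(role); }
    }

    // Behaviour described in the report: the wrapper is created once per session.
    static class StaleContext {
        private Request request;
        void update(Request current) { if (request == null) request = new Wrapper(current); }
        boolean isUserInRole(String role) { return request.isUserInRole(role); }
    }

    // Direction of the fix: every update re-wraps the active request.
    static class FreshContext {
        private Request request;
        void update(Request current) { request = new Wrapper(current); }
        boolean isUserInRole(String role) { return request.isUserInRole(role); }
    }

    public static void main(String[] args) {
        // Constructed sample: first request arrives before the BASIC challenge is answered.
        Request beforeLogin = new ContainerRequest(Set.of());
        // Constructed sample: second request carries the authenticated user's roles.
        Request afterLogin = new ContainerRequest(Set.of("admin"));

        StaleContext stale = new StaleContext();
        FreshContext fresh = new FreshContext();
        for (Request r : new Request[] { beforeLogin, afterLogin }) {
            stale.update(r);
            fresh.update(r);
        }
        System.out.println("cached first request: admin=" + stale.isUserInRole("admin"));
        System.out.println("active request:       admin=" + fresh.isUserInRole("admin"));
    }
}
```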
        Mircea Toma made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        Ken Fyten made changes -
        Fix Version/s 1.7DR#3 [ 10112 ]
        Ken Fyten made changes -
        Fix Version/s 1.7 [ 10080 ]
        Ken Fyten made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        Assignee Priority P2
        Assignee Mircea Toma [ mircea.toma ]

          People

          • Assignee:
            Unassigned
            Reporter:
            Marcin Dabrowski