ICEfaces
  1. ICEfaces
  2. ICE-6071

dispose-window request redirected through authentication

          Details

          • Type: Bug Bug
          • Status: Closed
          • Priority: Major Major
          • Resolution: Fixed
          • Affects Version/s: 2.0-Beta1
          • Fix Version/s: 2.0.0
          • Component/s: Bridge
          • Labels:
            None
          • Environment:
            ICEfaces 2.0, form-based authentication
          • Workaround Exists:
            Yes
          • Workaround Description:
            Add dispose-window.icefaces.jsf to the Unsecured constraint.

            Description

            When "Form Based" authentication is used, using contained based validation via "j_security_check", once the user logs in, the page is redirected to "http://xxxxxx/yy/dispose-window.icefaces.jsf, URL instead of the original request.

              Activity

              Ascending order - Click to sort in descending order
              Repository Revision Date User Message
              ICEsoft Public SVN Repository #22437 Mon Sep 27 13:23:24 MDT 2010 ted.goddard patch for ICE-6071
              Files Changed
              Commit graph ADD /icefaces2/scratchpads/patches/ICE-6071
              Repository Revision Date User Message
              ICEsoft Public SVN Repository #22438 Mon Sep 27 13:30:43 MDT 2010 ted.goddard disabled dispose-window for customer evaluation (ICE-6071)
              Files Changed
              Commit graph MODIFY /icefaces2/scratchpads/patches/ICE-6071/icefaces/core/src/main/javascript/application.js
              Ted Goddard created issue -
              Tyler Johnson made changes -
              Field Original Value New Value
              Salesforce Case [5007000000DZ3qN]
              Hide
              Permalink
              Ted Goddard added a comment -

              The patch checked in for this bug is not intended to be a final version, just a simple way to evaluate if the application is functional with dispose-window deactivated. If the application does not use push or window scope, there should be no drawback.

              One strategy would be to use a standard postback for dispose-window rather than the custom "resource". This would cause the URL to be unchanged, however, might also result in unintentional redirection to the current page after login.

              Another technique would be to disable dispose-window after the browser receives a session-expired. This would only work in push applications, though.

              Show
              Ted Goddard added a comment - The patch checked in for this bug is not intended to be a final version, just a simple way to evaluate if the application is functional with dispose-window deactivated. If the application does not use push or window scope, there should be no drawback. One strategy would be to use a standard postback for dispose-window rather than the custom "resource". This would cause the URL to be unchanged, however, might also result in unintentional redirection to the current page after login. Another technique would be to disable dispose-window after the browser receives a session-expired. This would only work in push applications, though.
              Ted Goddard made changes -
              Component/s Bridge [ 10011 ]
              Fix Version/s 2.0.0 [ 10230 ]
              Affects Version/s 2.0-Beta1 [ 10231 ]
              Assignee Ted Goddard [ ted.goddard ]
              Hide
              Permalink
              Ted Goddard added a comment -

              The application makes use of an unsecured ICEfaces login page containing the j_security_check form, for instance:

              <form method="POST" action="j_security_check">
              <input type="text" name="j_username" />
              <input type="password" name="j_password" />
              <input type="submit" />
              </form>

              The web.xml security constraint is as follows:

              <security-constraint>
              <display-name>Login</display-name>
              <web-resource-collection>
              <web-resource-name>Unsecured</web-resource-name>
              <description/>
              <url-pattern>/login/*</url-pattern>
              <url-pattern>/javax.faces.resource/*</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
              </web-resource-collection>
              </security-constraint>
              <security-constraint>
              <display-name>Secured</display-name>
              <web-resource-collection>
              <web-resource-name>Secured</web-resource-name>
              <description/>
              <url-pattern>*.jsf</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
              </web-resource-collection>
              <auth-constraint>
              <description>authorized</description>
              <role-name>authorized</role-name>
              </auth-constraint>
              </security-constraint>
              <login-config>
              <auth-method>FORM</auth-method>
              <realm-name>PublicRealm</realm-name>
              <form-login-config>
              <form-login-page>/login/login.jsf</form-login-page>
              <form-error-page>/login/login.jsf?error=true</form-error-page>
              </form-login-config>
              </login-config>

              An initial request to main.jsf results in a redirection to login/login.jsf with main.jsf displayed in the URL bar.

              When j_security_check is submitted, ICEfaces sends

              POST /basic/dispose-window.icefaces.jsf

              just prior, resulting in the redirect response to j_security_check to be set to

              HTTP/1.1 302 Moved Temporarily
              Server: Apache-Coyote/1.1
              Location: http://localhost:8080/basic/dispose-window.icefaces.jsf

              Causing the browser to send a GET for dispose-window.icefaces.jsf

              The easiest solution is to add dispose-window.icefaces.jsf to the Unsecured constraint.

              Modifications in ICE-5935 ensure that a POST to the containing page is used for dispose-window (rather than a custom URL) which improves the behavior in this case.

              Show
              Ted Goddard added a comment - The application makes use of an unsecured ICEfaces login page containing the j_security_check form, for instance: <form method="POST" action="j_security_check"> <input type="text" name="j_username" /> <input type="password" name="j_password" /> <input type="submit" /> </form> The web.xml security constraint is as follows: <security-constraint> <display-name>Login</display-name> <web-resource-collection> <web-resource-name>Unsecured</web-resource-name> <description/> <url-pattern>/login/*</url-pattern> <url-pattern>/javax.faces.resource/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> </security-constraint> <security-constraint> <display-name>Secured</display-name> <web-resource-collection> <web-resource-name>Secured</web-resource-name> <description/> <url-pattern>*.jsf</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <description>authorized</description> <role-name>authorized</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name>PublicRealm</realm-name> <form-login-config> <form-login-page>/login/login.jsf</form-login-page> <form-error-page>/login/login.jsf?error=true</form-error-page> </form-login-config> </login-config> An initial request to main.jsf results in a redirection to login/login.jsf with main.jsf displayed in the URL bar. When j_security_check is submitted, ICEfaces sends POST /basic/dispose-window.icefaces.jsf just prior, resulting in the redirect response to j_security_check to be set to HTTP/1.1 302 Moved Temporarily Server: Apache-Coyote/1.1 Location: http://localhost:8080/basic/dispose-window.icefaces.jsf Causing the browser to send a GET for dispose-window.icefaces.jsf The easiest solution is to add dispose-window.icefaces.jsf to the Unsecured constraint. Modifications in ICE-5935 ensure that a POST to the containing page is used for dispose-window (rather than a custom URL) which improves the behavior in this case.
              Hide
              Permalink
              Ted Goddard added a comment -

              code.icepush was also observed to cause the same problem with form-based authentication. Since Beta1, ICEfaces has been modified to fetch the ICEpush JavaScript through JSF resources, so this should also no longer cause a problem.

              Show
              Ted Goddard added a comment - code.icepush was also observed to cause the same problem with form-based authentication. Since Beta1, ICEfaces has been modified to fetch the ICEpush JavaScript through JSF resources, so this should also no longer cause a problem.
              Ted Goddard made changes -
              Workaround Description Add dispose-window.icefaces.jsf to the Unsecured constraint.
              Workaround Exists [Yes]
              Hide
              Permalink
              Ted Goddard added a comment -

              This requires a test case.

              Show
              Ted Goddard added a comment - This requires a test case.
              Hide
              Permalink
              Ted Goddard added a comment -

              Test case provided in ICE-6080.

              Show
              Ted Goddard added a comment - Test case provided in ICE-6080.
              Ken Fyten made changes -
              Status Open [ 1 ] Resolved [ 5 ]
              Resolution Fixed [ 1 ]
              Ken Fyten made changes -
              Status Resolved [ 5 ] Closed [ 6 ]

                People

                • Assignee:
                  Ted Goddard
                  Reporter:
                  Ted Goddard
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  0 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: