Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 2.0.0
    • Fix Version/s: 3.0
    • Component/s: Framework
    • Labels:
      None
    • Environment:
      Debian or OpenSUSE, Java SUN or OpenJDK, Glassfish 3.0.1, IceFaces 2.0.0
    • Assignee Priority:
      P1
    • Workaround Exists:
      Yes
    • Workaround Description:
      First workaround -- respond with the following XML markup when POST requests are received after the session has expired (see attached login page):

      <partial-response><error><error-name>class org.icefaces.application.SessionExpiredException</error-name><error-message>Session has expired</error-message></error></partial-response>

      Second workaround -- enable ICEpush in the application, the page/s will get notified about session expiry and render the popup message

      Description

      I have now created a smaller project that demonstrates the problem. The realm is based on a MySQL database and is created like this:

      ==== create realm ==============
      sudo /opt/glassfishv3/glassfish/bin/asadmin create-auth-realm --classname com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm --property jaas-context=jdbcRealm:datasource-jndi=card:user-table=employees:user-name-column=userid:password-column=password:group-table=employees:group-name-column=role:digest-algorithm=MD5 userauth
      ========== end =============

      ===== web.xml ================
      <?xml version="1.0" encoding="UTF-8"?>
      <web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
        <context-param>
          <param-name>javax.faces.PROJECT_STAGE</param-name>
          <param-value>Development</param-value>
        </context-param>
        <context-param>
          <param-name>javax.faces.FACELETS_SKIP_COMMENTS</param-name>
          <param-value>true</param-value>
        </context-param>
        <context-param>
          <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
          <param-value>server</param-value>
        </context-param>
        <context-param>
          <param-name>com.icesoft.faces.uploadDirectory</param-name>
          <param-value>upload</param-value>
        </context-param>
        <context-param>
          <param-name>org.icefaces.strictSessionTimeout</param-name>
          <param-value>true</param-value>
        </context-param>
        <servlet>
          <servlet-name>Faces Servlet</servlet-name>
          <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
          <load-on-startup>1</load-on-startup>
        </servlet>
        <servlet>
          <servlet-name>Resource Servlet</servlet-name>
          <servlet-class>com.icesoft.faces.webapp.CompatResourceServlet</servlet-class>
          <load-on-startup>1</load-on-startup>
        </servlet>
        <servlet-mapping>
          <servlet-name>Faces Servlet</servlet-name>
          <url-pattern>*.jsf</url-pattern>
        </servlet-mapping>
        <servlet-mapping>
          <servlet-name>Faces Servlet</servlet-name>
          <url-pattern>/icefaces/*</url-pattern>
        </servlet-mapping>
        <servlet-mapping>
          <servlet-name>Resource Servlet</servlet-name>
          <url-pattern>/xmlhttp/*</url-pattern>
        </servlet-mapping>
        <session-config>
          <session-timeout>3</session-timeout>
        </session-config>
        <welcome-file-list>
          <welcome-file>Secured/client.jsf</welcome-file>
        </welcome-file-list>
        <security-constraint>
          <display-name>Constraint1</display-name>
          <web-resource-collection>
            <web-resource-name>protected</web-resource-name>
            <description/>
            <url-pattern>/Secured/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
            <description/>
            <role-name>ADMIN</role-name>
          </auth-constraint>
        </security-constraint>
        <login-config>
          <auth-method>FORM</auth-method>
          <realm-name>userauth</realm-name>
          <form-login-config>
            <form-login-page>/Open/login.jsp</form-login-page>
            <form-error-page>/Open/loginfailed.jsp</form-error-page>
          </form-login-config>
        </login-config>
        <security-role>
          <description>Manages the employees</description>
          <role-name>MANAGER</role-name>
        </security-role>
      </web-app>
      ========== End =============

      ===== sun-web.xml ============
      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD GlassFish Application Server 3.0 Servlet 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_3_0-0.dtd">
      <sun-web-app error-url="">
        <context-root>/SessionTimeOut</context-root>
        <class-loader delegate="true"/>
        <jsp-config>
          <property name="keepgenerated" value="true">
            <description>Keep a copy of the generated servlet class' java code.</description>
          </property>
        </jsp-config>
        <security-role-mapping>
          <role-name>ADMIN</role-name>
          <group-name>ADMIN</group-name>
        </security-role-mapping>
      </sun-web-app>
      ======== End ===============

      Now in the Open dir I have 2 files
      login.jsp and loginfailed.jsp.

      In the Secured dir I have created a client.xhtml that uses a template.xhtml.

      ======= client.xhtml =============
      <?xml version='1.0' encoding='UTF-8' ?>
      <!DOCTYPE composition PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
      <ui:composition xmlns:ui="http://java.sun.com/jsf/facelets"
                      xmlns:icecore="http://www.icefaces.org/icefaces/core"
                      xmlns:ice="http://www.icesoft.com/icefaces/component"
                      xmlns:ace="http://www.icefaces.org/icefaces/components"
                      template="./newICEfacesTemplate.xhtml">

        <ui:define name="top">
          top
        </ui:define>

        <ui:define name="left">
          left
        </ui:define>

        <ui:define name="content">
          <ice:form id="panelform">
            <ice:panelTabSet height="330px">
              <ice:panelTab label="First Tab">
                <ice:outputText value="First content"/>
              </ice:panelTab>
              <ice:panelTab label="Second Tab">
                <ice:outputText value="Second content"/>
              </ice:panelTab>
            </ice:panelTabSet>
          </ice:form>
        </ui:define>

        <ui:define name="bottom">
          bottom
        </ui:define>

      </ui:composition>
      ============== End =============

      As you can see in the above web.xml, the directory Secured is protected. When I request client.jsp in the browser I am correctly redirected to the login page. After a successful authorization I get the client.jsp page correctly. I have currently set the session timeout to only 3 minutes. I have also set the strictSessionTimeout to true. I have no redirect page in case of a session timeout. The problem is shown already without that.

      ======= Symptom ==========
      After 3 minutes of inactivity you can no longer click on the tabs => the GUI becomes totally unresponsive.
      =======================

      It is worth mentioning that without the realm I correctly get a popup indicating that the session has expired.

      If you want I can share the war file or the source

      Cheers,

      // Jonas
      1. login.jsp
        1.0 kB
        Mircea Toma
      2. SessionTimeOut.tgz
        15 kB
        Jonas Arndt

        Activity

        Mircea Toma added a comment -

        The added test case includes a workaround that changes the JSP login page to respond with the HTML form entry markup on HTTP GET requests and with an error XML response in case of a POST request. This way, when the session has expired and the user interacts with the page (not loading it), the XML error response will be interpreted by the ICEfaces bridge and render the session expired popup.
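
The behaviour described in the comment above, written out as a login page. This is an added example, not the login.jsp attached to the issue; it assumes the container forwards unauthenticated requests for /Secured/* to the login page with their original HTTP method, and it uses the standard Servlet FORM-authentication names (j_security_check, j_username, j_password).

```jsp
<%@ page contentType="text/html;charset=UTF-8" trimDirectiveWhitespaces="true" %>
<%
    // Added example, not the project's attached login.jsp.
    // Under FORM authentication the container serves this page for every
    // unauthenticated request to a protected URL, including the Ajax postbacks
    // an already-loaded ICEfaces page sends after its session has expired.
    if ("POST".equalsIgnoreCase(request.getMethod())) {
        // Postback without a valid session: answer with the error
        // partial-response from the workaround instead of HTML, so the
        // ICEfaces bridge can render its "session expired" popup.
        // The body is a fixed string; nothing from the request is echoed.
        response.setContentType("text/xml;charset=UTF-8");
        response.setHeader("Cache-Control", "no-store");
        out.print("<partial-response><error>"
                + "<error-name>class org.icefaces.application.SessionExpiredException</error-name>"
                + "<error-message>Session has expired</error-message>"
                + "</error></partial-response>");
        return;
    }
    // Any other method (a normal page load via GET) falls through to the form.
%>
<!DOCTYPE html>
<html>
<head>
  <title>Login</title>
</head>
<body>
  <form method="post" action="${pageContext.request.contextPath}/j_security_check">
    <label>User <input type="text" name="j_username"/></label>
    <label>Password <input type="password" name="j_password"/></label>
    <input type="submit" value="Log in"/>
  </form>
</body>
</html>
```

Because the check is on the HTTP method only, a non-Ajax form POST to a protected URL after expiry also receives the XML response rather than the login form.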

        Mircea Toma added a comment - - edited

        Using a JSF login page is not possible because the requests made by the page for the JS resources will also receive the login page markup instead. Any other JSF mechanism will not work since the request does not reach the FacesServlet until the authentication is successful.

        Mircea Toma added a comment -

        Attached the login page that can be used to send the XML error message on postbacks after session is expired.

        Mircea Toma added a comment -

        Marking this issue as "won't fix" since a JSF/ICEfaces solution is not feasible.

        Jean-brice Rougeot added a comment -

        Hi everybody,

        I have (and I'm not the only one) exactly the same issue clicking on panelTab when the session is lost --> the GUI becomes unresponsive.
        [window] Error [status: emptyResponse code: 200]: An empty response was received from the server. Check server error logs.
        exception ? console.er...ror(formatOutput(category, message));

        However, clicking on an ice:commandLink or commandButton component when the session is lost works well! The JsfRedirectStrategy class from spring-security 3 is able to detect this and redirect to my login page.
        Hence, it is only when I click on the panelTab component that my application becomes unresponsive.

        Could anybody explain in detail the workaround using ICEpush?
        thanks


          People

          • Assignee:
            Mircea Toma
            Reporter:
            Jonas Arndt
          • Votes:
            1
            Watchers:
            4
