Repository: deltaspike
Updated Branches:
  refs/heads/master e8171f115 -> cd75b04e3


DELTASPIKE-752 optional config (deltaspike.window-id.max_length)


Project: http://git-wip-us.apache.org/repos/asf/deltaspike/repo
Commit: http://git-wip-us.apache.org/repos/asf/deltaspike/commit/cd75b04e
Tree: http://git-wip-us.apache.org/repos/asf/deltaspike/tree/cd75b04e
Diff: http://git-wip-us.apache.org/repos/asf/deltaspike/diff/cd75b04e

Branch: refs/heads/master
Commit: cd75b04e3c557f778b6a1dcdcf7f21a6c9d2be40
Parents: e8171f1
Author: gpetracek <gpetra...@apache.org>
Authored: Mon Oct 27 11:51:09 2014 +0100
Committer: gpetracek <gpetra...@apache.org>
Committed: Mon Oct 27 11:59:51 2014 +0100

----------------------------------------------------------------------
 .../component/window/WindowIdHtmlRenderer.java  |  7 ++---
 .../impl/scope/window/DefaultClientWindow.java  | 16 ++++++++----
 .../jsf/impl/util/ClientWindowHelper.java       | 27 +++++++++++++++++++-
 3 files changed, 41 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/deltaspike/blob/cd75b04e/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
----------------------------------------------------------------------
diff --git 
a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
 
b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
index e995ff8..ddac083 100644
--- 
a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
+++ 
b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
@@ -30,7 +30,6 @@ import javax.servlet.http.Cookie;
 
 import org.apache.deltaspike.core.api.provider.BeanProvider;
 import org.apache.deltaspike.core.spi.scope.window.WindowContext;
-import org.apache.deltaspike.jsf.impl.scope.window.DefaultClientWindow;
 import org.apache.deltaspike.jsf.impl.util.ClientWindowHelper;
 import org.apache.deltaspike.jsf.spi.scope.window.ClientWindowConfig;
 
@@ -42,6 +41,7 @@ public class WindowIdHtmlRenderer extends Renderer
 {
     private volatile WindowContext windowContext;
     private volatile ClientWindowConfig clientWindowConfig;
+    private int maxWindowIdCount = 10;
 
     /**
      * 'deltaspikeJsWindowId' will be used to:
@@ -61,9 +61,9 @@ public class WindowIdHtmlRenderer extends Renderer
         //already ensured by DefaultClientWindow
         //just to ensure that we don't get a security issue in case of a 
customized client-window implementation
         //will never happen usually -> no real overhead
-        if (windowId != null && windowId.length() > 
DefaultClientWindow.SECURE_ID_LENGTH)
+        if (windowId != null && windowId.length() > this.maxWindowIdCount)
         {
-            windowId = windowId.substring(0, 
DefaultClientWindow.SECURE_ID_LENGTH);
+            windowId = windowId.substring(0, this.maxWindowIdCount);
         }
 
         String mode = 
getClientWindowConfig().getClientWindowRenderMode(context).name();
@@ -95,6 +95,7 @@ public class WindowIdHtmlRenderer extends Renderer
                 if (windowContext == null)
                 {
                     windowContext = 
BeanProvider.getContextualReference(WindowContext.class);
+                    maxWindowIdCount = 
ClientWindowHelper.getMaxWindowIdLength();
                 }
             }
         }
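Review bot: `maxWindowIdCount` is a plain `int` that is assigned only after the volatile write to `windowContext`, so a second thread that sees a non-null `windowContext` and skips this block has no guarantee of seeing the configured value and may keep truncating at the default 10. Swapping the two statements so the field is written first lets the volatile publish of `windowContext` carry it: `maxWindowIdCount = ClientWindowHelper.getMaxWindowIdLength();` followed by `windowContext = BeanProvider.getContextualReference(WindowContext.class);`. Alternatively declare the field `volatile` like its neighbours. The enclosing method starts and ends outside the hunk, so I am assuming this sits inside the existing double-checked initialisation of `windowContext`.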

http://git-wip-us.apache.org/repos/asf/deltaspike/blob/cd75b04e/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/DefaultClientWindow.java
----------------------------------------------------------------------
diff --git 
a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/DefaultClientWindow.java
 
b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/DefaultClientWindow.java
index 2767b69..1fa61f6 100644
--- 
a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/DefaultClientWindow.java
+++ 
b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/DefaultClientWindow.java
@@ -25,6 +25,7 @@ import org.apache.deltaspike.jsf.impl.util.JsfUtils;
 import org.apache.deltaspike.jsf.spi.scope.window.ClientWindow;
 import org.apache.deltaspike.jsf.spi.scope.window.ClientWindowConfig;
 
+import javax.annotation.PostConstruct;
 import javax.enterprise.context.ApplicationScoped;
 import javax.faces.FacesException;
 import javax.faces.context.ExternalContext;
@@ -69,9 +70,6 @@ public class DefaultClientWindow implements ClientWindow
      */
     public static final String DELTASPIKE_WINDOW_ID_URL_PARAM = "dswid";
 
-    /*enough for the integer generated by #generateNewWindowId - see 
DELTASPIKE-752 */
-    public static final int SECURE_ID_LENGTH = 10;
-
     private static final String 
PER_USE_CLIENT_WINDOW_URL_QUERY_PARAMETER_DISABLED_KEY =
             ClientWindow.class.getName() + ".ClientWindowRenderModeEnablement";
 
@@ -108,15 +106,23 @@ public class DefaultClientWindow implements ClientWindow
     @Inject
     private WindowContext windowContext;
 
+    private int maxWindowIdCount = 10;
+
+
+    @PostConstruct
+    protected void init()
+    {
+        this.maxWindowIdCount = ClientWindowHelper.getMaxWindowIdLength();
+    }
 
     @Override
     public String getWindowId(FacesContext facesContext)
     {
         String windowId = getOrCreateWindowId(facesContext);
 
-        if (windowId != null && windowId.length() > SECURE_ID_LENGTH)
+        if (windowId != null && windowId.length() > this.maxWindowIdCount)
         {
-            windowId = windowId.substring(0, SECURE_ID_LENGTH);
+            windowId = windowId.substring(0, this.maxWindowIdCount);
         }
         return windowId;
     }
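Review bot: The field is named `maxWindowIdCount` while the helper it is filled from is `getMaxWindowIdLength()`, and the value is compared against `windowId.length()`; "count" suggests a number of window ids rather than a character limit. Renaming it to `maxWindowIdLength` in this class and in `WindowIdHtmlRenderer` keeps the three names consistent. A one-line comment on `init()` would also help, e.g. `// read once per application-scoped bean; an invalid deltaspike.window-id.max_length value surfaces here at bean creation`, since a malformed value presumably fails inside `@PostConstruct` rather than on the first request.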

http://git-wip-us.apache.org/repos/asf/deltaspike/blob/cd75b04e/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/util/ClientWindowHelper.java
----------------------------------------------------------------------
diff --git 
a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/util/ClientWindowHelper.java
 
b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/util/ClientWindowHelper.java
index 79a5996..927cb38 100644
--- 
a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/util/ClientWindowHelper.java
+++ 
b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/util/ClientWindowHelper.java
@@ -22,21 +22,27 @@ import java.io.IOException;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Map.Entry;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 import javax.enterprise.inject.Typed;
 import javax.faces.FacesException;
 import javax.faces.context.ExternalContext;
 import javax.faces.context.FacesContext;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletResponse;
+
+import org.apache.deltaspike.core.api.config.ConfigResolver;
 import org.apache.deltaspike.jsf.spi.scope.window.ClientWindow;
 
 @Typed()
 public abstract class ClientWindowHelper
-{    
+{
     public static final String INITIAL_REDIRECT_WINDOW_ID = 
ClientWindowHelper.class.getName()
             + ".INITIAL_REDIRECT_WINDOW_ID";
     public static final String REQUEST_WINDOW_ID_COOKIE_PREFIX = "dsrwid-";
 
+    private static final Logger LOG = 
Logger.getLogger(ClientWindowHelper.class.getName());
+
     /**
      * Handles the initial redirect for the URL modus, if no windowId is 
available in the current request URL.
      *
@@ -154,4 +160,23 @@ public abstract class ClientWindowHelper
         cookie.setMaxAge(0);
         ((HttpServletResponse) 
context.getExternalContext().getResponse()).addCookie(cookie);
     }
+
+    public static int getMaxWindowIdLength()
+    {
+        //10 is enough for the integer generated by 
DefaultClientWindow#generateNewWindowId - see DELTASPIKE-752
+        int result = 
Integer.parseInt(ConfigResolver.getPropertyValue("deltaspike.window-id.max_length",
 "" + 10));
+
+        if (result > 10)
+        {
+            if (LOG.isLoggable(Level.WARNING))
+            {
+                LOG.warning("ATTENTION: if you change this value to be 
significant longer than 10, " +
+                    "you can introduce a security issue in 
WindowIdHtmlRenderer. " +
+                    "If you increase it because window.name contains a value 
already, " +
+                    "please revisit that usage or " +
+                    "create shorter unique ids since they just need to be 
unique within the user-session.");
+            }
+        }
+        return result;
+    }
 }
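Review bot: `getMaxWindowIdLength()` accepts any integer, so a configured `0` silently turns every window id into `""`, and a negative value makes `windowId.length() > this.maxWindowIdCount` true for every id and then throws `StringIndexOutOfBoundsException` from `substring`; a non-numeric value escapes as a bare `NumberFormatException` with no hint of which property is wrong. Since this limit exists for DELTASPIKE-752, failing fast with the property name is safer than a silent fallback; the rewrite below validates both cases and leaves the existing warning untouched. The log message also reads "significant longer" where "significantly longer" is meant.
```java
public static int getMaxWindowIdLength()
{
    //10 is enough for the integer generated by DefaultClientWindow#generateNewWindowId - see DELTASPIKE-752
    String configuredValue = ConfigResolver.getPropertyValue("deltaspike.window-id.max_length", "" + 10);
    int result;
    try
    {
        result = Integer.parseInt(configuredValue.trim());
    }
    catch (NumberFormatException e)
    {
        throw new IllegalStateException(
            "deltaspike.window-id.max_length must be a positive integer but was '" + configuredValue + "'", e);
    }

    if (result < 1)
    {
        throw new IllegalStateException("deltaspike.window-id.max_length must be >= 1 but was " + result);
    }

    // … unchanged: warning when result > 10 …
    return result;
}
```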
