[
https://issues.apache.org/jira/browse/MYFACES-4058?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15379372#comment-15379372
]
Dinesh Kumar A S edited comment on MYFACES-4058 at 7/15/16 1:29 PM:
--------------------------------------------------------------------
Hi Leo, thanks for the response.
I am using Chrome. And this happens in IE too.
In my application, we have different web applications running, and for all those
web apps we are setting the Origin header as http://domain:port, and when a user is
entering into one of the web-application scopes a Referrer
http://domain:port/app1/somefile , http://domain:port/app1/someprotectedfile is
set.
The problem occurs when we are making the someprotectedfile a Protected-View,
when the Referer was sent as http://domain:port/app1/somefile and the
Origin header as http://domain:port.
In this case the Referer check passes but not the Origin check, since the app1
contextPath is not found in the Origin header.
I am wondering how it could be handled without setting Origin as
http://domain:port/app1/ .
For the question, "another app in the same server maybe?"
--> Yes, I think so; we have many web applications hosted in the same domain,
having different contextPaths. Origin will be just the domain for all apps.
While debugging, I also saw that the Origin validation is not getting triggered
when the Origin header is null.
So, are
1) not passing the Origin header (null) or
2) putting appContextPath in the Origin header
the options we have?
Awaiting your help. Thanks.
was (Author: asdinesh):
Hi Leo, thanks for the response.
I am using Chrome. And this happens in IE too.
In my application, we have different web applications running, and for all those
web apps we are setting the Origin header as http://domain:port, and when a user is
entering into one of the web-application scopes a Referrer
http://domain:port/app1/somefile , http://domain:port/app1/someprotectedfile is
set.
The problem occurs when we are making the someprotectedfile a Protected-View,
when the Referer was sent as http://domain:port/app1/somefile and the
Origin header as http://domain:port.
In this case the Referer check passes but not the Origin check, since the app1
contextPath is not found in the Origin header.
I am wondering how it could be handled without setting Origin as
http://domain:port/app1/ .
For the question, "another app in the same server maybe?"
--> Yes, I think so; we have many web applications hosted in the same domain,
having different contextPaths. Origin will be just the domain for all apps.
While debugging, I also saw that the Origin validation is not getting triggered
when the Origin header is null.
So, are
1) not passing the Origin header (null) or
2) putting appContextPath in the Origin header
the options we have?
Awaiting your help.
> ProtectedViewException for a protectedview access while checking the
> OriginHeader for appContextPath
> ----------------------------------------------------------------------------------------------------
>
> Key: MYFACES-4058
> URL: https://issues.apache.org/jira/browse/MYFACES-4058
> Project: MyFaces Core
> Issue Type: Bug
> Components: General
> Affects Versions: 2.2.6
> Environment: Windows, JSF 2.2
> Reporter: Dinesh Kumar A S
>
> Getting ProtectedViewException while accessing a protectedview/xhtml, while
> checking the OriginHeader for appContextPath.
> SO reference:
> http://stackoverflow.com/questions/38308431/jsf-2-2-protectedviewexception-due-to-origin-header-and-appcontextpath-mismatch
> Any help is much appreciated.
> Is the "Origin" request header supposed to have the appContextPath in
> the path/urlInfo?
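An Origin header serializes only scheme, host and port (RFC 6454), so a context-path test that a Referer can pass will not pass for Origin, and sibling applications on one host share the same Origin. The sketch below is an added example, not MyFaces code and not the reporter's code; the class and method names and the host `example.test:8080` are assumptions that stand in for the comment's `http://domain:port/app1` layout.

```java
import java.net.URI;

// Added example: not MyFaces code. Class and method names are hypothetical.
public class ProtectedViewHeaderCheck {

    // Fill in default ports so that http://host and http://host:80 compare equal.
    static int port(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // Origin carries only scheme://host[:port], so compare exactly those parts.
    // A literal "null" Origin parses with no scheme or host and is rejected here.
    static boolean sameOrigin(URI a, URI b) {
        return a.getScheme() != null && a.getHost() != null
            && a.getScheme().equalsIgnoreCase(b.getScheme())
            && a.getHost().equalsIgnoreCase(b.getHost())
            && port(a) == port(b);
    }

    // Referer is a full URL, so it can additionally be tied to the context path.
    static boolean refererInApp(URI referer, URI appBase, String contextPath) {
        String path = referer.getPath() == null ? "" : referer.getPath();
        return sameOrigin(referer, appBase)
            && (path.equals(contextPath) || path.startsWith(contextPath + "/"));
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real deployment.
        URI appBase = URI.create("http://example.test:8080");
        String contextPath = "/app1";
        String origin = "http://example.test:8080";
        String referer = "http://example.test:8080/app1/somefile";

        // Looking for the context path inside Origin: Origin never carries a path.
        System.out.println("contextPath in Origin: " + origin.contains(contextPath));
        // Origin compared as scheme/host/port only.
        System.out.println("Origin same-origin:    " + sameOrigin(URI.create(origin), appBase));
        // Referer compared including the context path.
        System.out.println("Referer in app1:       "
            + refererInApp(URI.create(referer), appBase, contextPath));
        // Sibling app on the same host: identical Origin, different Referer path.
        System.out.println("Referer from /app2:    "
            + refererInApp(URI.create("http://example.test:8080/app2/page"), appBase, contextPath));
    }
}
```

Because every application under the same scheme, host and port sends the same Origin, only the Referer path (or a per-view token) can tell `/app1` apart from a sibling context.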