[jira] [Commented] (MYFACES-4058) ProtectedViewException for a protectedview access while checking the OriginHeader for appContextPath
[ https://issues.apache.org/jira/browse/MYFACES-4058?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16212952#comment-16212952 ]

Paul Nicolucci commented on MYFACES-4058:
-----------------------------------------

Eduardo, the patch seems reasonable to me.

> ProtectedViewException for a protectedview access while checking the OriginHeader for appContextPath
> ----------------------------------------------------------------------------------------------------
>
>                 Key: MYFACES-4058
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4058
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General
>    Affects Versions: 2.2.6
>         Environment: Windows, JSF 2.2
>            Reporter: Dinesh Kumar A S
>            Assignee: Eduardo Breijo
>         Attachments: MYFACES-4058.patch
>
>
> Getting ProtectedViewException while accessing a protectedview/xhtml, while
> checking the OriginHeader for appContextPath..
> SO reference :
> http://stackoverflow.com/questions/38308431/jsf-2-2-protectedviewexception-due-to-origin-header-and-appcontextpath-mismatch
> Any help is much appreciated.
> Does the "Origin" request-header is supposed to have the appContextPath in
> the path/urlInfo ?

--
This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (MYFACES-4058) ProtectedViewException for a protectedview access while checking the OriginHeader for appContextPath
[ https://issues.apache.org/jira/browse/MYFACES-4058?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16211146#comment-16211146 ]

Eduardo Breijo commented on MYFACES-4058:
-----------------------------------------

I have uploaded a new patch with the context param that Leo suggested. If no objections I will commit this patch.
[jira] [Commented] (MYFACES-4058) ProtectedViewException for a protectedview access while checking the OriginHeader for appContextPath
[ https://issues.apache.org/jira/browse/MYFACES-4058?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16210973#comment-16210973 ]

Paul Nicolucci commented on MYFACES-4058:
-----------------------------------------

I've opened the following Spec issue: https://github.com/javaee/javaserverfaces-spec/issues/1451
[jira] [Commented] (MYFACES-4058) ProtectedViewException for a protectedview access while checking the OriginHeader for appContextPath
[ https://issues.apache.org/jira/browse/MYFACES-4058?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16209862#comment-16209862 ]

Leonardo Uribe commented on MYFACES-4058:
-----------------------------------------

I think if Origin header should not contain app path, it is ok to do so, because the intention was to check the origin header.

A context param org.apache.myfaces.STRICT_JSF_2_ORIGIN_HEADER_APP_PATH could work.
[jira] [Commented] (MYFACES-4058) ProtectedViewException for a protectedview access while checking the OriginHeader for appContextPath
[ https://issues.apache.org/jira/browse/MYFACES-4058?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16209824#comment-16209824 ]

Thomas Andraschko commented on MYFACES-4058:
--------------------------------------------

+1 for a spec issue

IMO (!) if the current spec is unable to work, we can also do the change without a context param
[jira] [Commented] (MYFACES-4058) ProtectedViewException for a protectedview access while checking the OriginHeader for appContextPath
[ https://issues.apache.org/jira/browse/MYFACES-4058?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16209813#comment-16209813 ]

Paul Nicolucci commented on MYFACES-4058:
-----------------------------------------

Would it be ok to make this change in MyFaces and at the same time open a spec issue so that it can be clarified in the specification?

Since Mojarra behaves the same way as MyFaces right now what should we do regarding the context-parameter?
[jira] [Commented] (MYFACES-4058) ProtectedViewException for a protectedview access while checking the OriginHeader for appContextPath
[ https://issues.apache.org/jira/browse/MYFACES-4058?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16205858#comment-16205858 ]

Eduardo Breijo commented on MYFACES-4058:
-----------------------------------------

[~tandraschko] I have tested it on Safari using Tomcat and Mojarra and I get the following exception:

    javax.faces.application.ProtectedViewException: JSF1100: Origin [sic] header value http://localhost:8080 does not appear to be a protected view. Preventing display of viewId /aSubView1.xhtml
        com.sun.faces.lifecycle.RestoreViewPhase.maybeTakeProtectedViewAction(RestoreViewPhase.java:369)
        com.sun.faces.lifecycle.RestoreViewPhase.execute(RestoreViewPhase.java:237)
        com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100)

It seems that it doesn't work there either.

Regarding my patch, I can always remove the context param and fix it by default if we want to avoid adding a new context param. If you want, I can add a new patch without the context param.
[jira] [Commented] (MYFACES-4058) ProtectedViewException for a protectedview access while checking the OriginHeader for appContextPath
[ https://issues.apache.org/jira/browse/MYFACES-4058?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16205516#comment-16205516 ]

Thomas Andraschko commented on MYFACES-4058:
--------------------------------------------

I wonder how it's working in Mojarra? Do they also not follow the spec 100% in this case?

If possible, we should always try to avoid new context params.
[jira] [Commented] (MYFACES-4058) ProtectedViewException for a protectedview access while checking the OriginHeader for appContextPath
[ https://issues.apache.org/jira/browse/MYFACES-4058?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16202089#comment-16202089 ]

Eduardo Breijo commented on MYFACES-4058:
-----------------------------------------

Hi [~wtlucy] I have provided a patch to this issue based on your discussion. The patch introduces a web config custom parameter to enable the fix.

[~lu4242] Can you please review the patch and provide any input regarding this issue?
[jira] [Commented] (MYFACES-4058) ProtectedViewException for a protectedview access while checking the OriginHeader for appContextPath
[ https://issues.apache.org/jira/browse/MYFACES-4058?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16194833#comment-16194833 ]

Bill Lucy commented on MYFACES-4058:
------------------------------------

I've been looking into this issue as well; in the scenario I'm investigating, protected views are broken in Safari. Similar to the other posts here, I can see an Origin header added by Safari to a non-CORS request.

I can see that JSF 2.2 section 2.2.1 says we should be checking the Origin header in the same way we check the Referer header.. but that doesn't make sense: the header is not intended to contain any path info. (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin) So it looks like checking the Origin header in RestoreViewExecutor.checkRefererOrOriginHeader() will always fail. Checking the Origin header against the ExternalContext's host and port makes sense, but not the full path.

Changing the default behavior here would make sense to me, given my current understanding, but a custom param would work, given the language in the spec. [~lu4242] what are your thoughts?
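
The mismatch described in the comment above, as an added Java example; it is not part of the thread and is not the MYFACES-4058 patch. It contrasts a Referer-style path check with a comparison of scheme, host and port only. The class and method names are hypothetical, and the sample values are constructed from those quoted in the thread (http://localhost:8080, an application deployed at /app1).

```java
import java.net.URI;
import java.net.URISyntaxException;

// Hypothetical class for illustration; not MyFaces or Mojarra code.
public class OriginHeaderCheck {

    // Referer-style check: the header value must fall under the application's
    // base URL (scheme://host:port/contextPath).
    static boolean underAppPath(String headerValue, String appBaseUrl) {
        if (headerValue == null) {
            return false;
        }
        return headerValue.equals(appBaseUrl) || headerValue.startsWith(appBaseUrl + "/");
    }

    // Origin-style check: an Origin value is scheme://host[:port] with no path,
    // so only those three components are compared.
    static boolean sameOrigin(String originValue, String scheme, String host, int port) {
        if (originValue == null) {
            return false;
        }
        URI origin;
        try {
            origin = new URI(originValue);
        } catch (URISyntaxException e) {
            return false;
        }
        if (origin.getScheme() == null || origin.getHost() == null) {
            return false; // covers the literal value "null" and malformed input
        }
        String path = origin.getRawPath();
        if ((path != null && !path.isEmpty()) || origin.getRawQuery() != null
                || origin.getRawFragment() != null || origin.getRawUserInfo() != null) {
            return false; // carries more than scheme, host and port: not a bare origin
        }
        return origin.getScheme().equalsIgnoreCase(scheme)
                && origin.getHost().equalsIgnoreCase(host)
                && effectivePort(origin.getScheme(), origin.getPort()) == effectivePort(scheme, port);
    }

    // Maps an absent port (-1) to the scheme default so ":80" and no port compare equal.
    static int effectivePort(String scheme, int port) {
        if (port != -1) {
            return port;
        }
        return "https".equalsIgnoreCase(scheme) ? 443 : 80;
    }

    public static void main(String[] args) {
        // Constructed sample values modelled on those quoted in the thread.
        String appBase = "http://localhost:8080/app1";
        String referer = "http://localhost:8080/app1/somefile";
        String origin = "http://localhost:8080";

        System.out.println("Referer under app path:   " + underAppPath(referer, appBase));
        System.out.println("Origin under app path:    " + underAppPath(origin, appBase));
        System.out.println("Origin same-origin:       " + sameOrigin(origin, "http", "localhost", 8080));
        System.out.println("Other port same-origin:   " + sameOrigin("http://localhost:9090", "http", "localhost", 8080));
        System.out.println("Literal null same-origin: " + sameOrigin("null", "http", "localhost", 8080));
    }
}
```

In a JSF application the expected scheme, host and port would come from ExternalContext.getRequestScheme(), getRequestServerName() and getRequestServerPort() rather than from literals.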
[jira] [Commented] (MYFACES-4058) ProtectedViewException for a protectedview access while checking the OriginHeader for appContextPath
[ https://issues.apache.org/jira/browse/MYFACES-4058?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15383897#comment-15383897 ]

Dinesh Kumar A S commented on MYFACES-4058:
-------------------------------------------

Found another hint: Chrome and Safari browsers are adding the Origin header even for same domain/origin requests. Refer below:

http://stackoverflow.com/questions/15512331/chrome-adding-origin-header-to-same-origin-request

Apparently we did not receive the ProtectedViewException in Firefox or IE.

Let us know how we could handle this w.r.t. the Chrome browser using any JSF configuration/settings (to skip the Origin check, etc.), if any.
[jira] [Commented] (MYFACES-4058) ProtectedViewException for a protectedview access while checking the OriginHeader for appContextPath
[ https://issues.apache.org/jira/browse/MYFACES-4058?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15379372#comment-15379372 ]

Dinesh Kumar A S commented on MYFACES-4058:
-------------------------------------------

Hi Leo,

Thanks for the response. I am using Chrome. And this happens in IE too.

In my application, we have different web applications running, and for all those web apps we are setting the Origin header as http://domain:port, and when a user is entering into one of the web-application scopes a Referer http://domain:port/app1/somefile, http://domain:port/app1/someprotectedfile is set.

The problem occurs when we are making someprotectedfile a Protected-View, when the Referer was sent as http://domain:port/app1/somefile and the Origin header as http://domain:port. In this case the Referer check is passing but not the Origin check, since the app1 contextPath is not found in the Origin header. I am wondering how it could be handled without setting Origin as http://domain:port/app1/.

For the question, "another app in the same server maybe?" --> Yes, I think so; we have many web applications, hosted in the same domain, having different contextPaths. Origin will be just the domain for all apps.
[jira] [Commented] (MYFACES-4058) ProtectedViewException for a protectedview access while checking the OriginHeader for appContextPath
[ https://issues.apache.org/jira/browse/MYFACES-4058?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15376042#comment-15376042 ]

Leonardo Uribe commented on MYFACES-4058:
-----------------------------------------

Yes, it is intentional to have the appContextPath in the path/urlInfo and check the Origin header in the same way the Referer header is done. See JSF 2.2 section 2.2.1 in the part that talks about View Protection:

"... If the values do match, look for a Referer [sic] request header. If the header is present, use the protected view API to determine if any of the declared protected views match the value of the Referer header. If so, conclude that the previously visited page is also a protected view and it is therefore safe to continue. Otherwise, try to determine if the value of the Referer header corresponds to any of the views in the current web application. If not, throw a ProtectedViewException. If the Origin header is present, additionally perform the same steps as with the Referer header. ..."

I think it is possible to modify this behavior by adding some web config custom param, but before that we need a strong justification about a valid use case. Could you please describe the case you have a bit more? Which browser are you using? From where is the request triggered? Another app in the same server maybe?