[ http://www.stripesframework.org/jira/browse/STS-555?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=11368#action_11368 ]
Scott Van Wart commented on STS-555:
------------------------------------
I think the first solution (ActionBeanContext) is a much better solution.
Though personally I would just override getSourcePage(), which is where the
decoding is handled directly. There is a problem with the submitted
patch--what if the source page contains only A-Z, a-z, 0-9, + and / (all 64
valid characters of base64)? Personally mine are all likely to end with .jsp,
so in an ideal situation I might be able to rely on that, but I think a more
context-sensitive solution (subclassing ActionBeanContext) is appropriate.

I personally think a failed decoding should throw a more legible exception
(rather than letting CryptoUtil catch the error and throwing a cryptic--no pun
intended--exception about a null input buffer). This would get hit in 2 cases:

1) The developer forgot to circumvent the encoding/decoding (e.g. by the above
   example, or by overriding getSourcePageResolution).
2) The web user decided to try and be funny and edited the _sourcePage
   attribute in the URL (easy to do in GET requests).

The first case should simply be failfast--it's a programming error. In the
second case it might be useful to catch a more specific exception (rather than
IllegalArgumentException thrown by CryptoUtil), and then (at the
end-developer's preference) spit out an error to discourage the user from
mucking about with server-side state handed to the client.

> _sourcePage passed request parameter via Javascript is having some exception
> on server side validation during getSourcePage
> ---------------------------------------------------------------------------------------------------------------------------
>
> Key: STS-555
> URL: http://www.stripesframework.org/jira/browse/STS-555
> Project: Stripes
> Issue Type: Improvement
> Components: Validation
> Environment: Tomcat 6.0.16,
> jdk1.6.0_05,
> Stripes 1.5b1.
> Eclipse 3.3.2.
> Windows XP.
> Internet Explorer 6.0
> Reporter: J G
> Attachments: CryptoUtil.java.patch
>
>
> Hi,
> Currently having an error during validation with errors and calling the
> getContext().getSourcePageResolution() in an ActionBean.. The exception
> trace..
> Bad Base64 input character at 0: 47(decimal)
> 15:14:30,117 DEBUG ExecutionContext:150 - Transitioning to lifecycle stage RequestComplete
> 15:14:30,117 WARN DefaultExceptionHandler:39 - Unhandled exception caught by the Stripes default exception handler.
> java.lang.IllegalArgumentException: Null input buffer
>     at javax.crypto.Cipher.doFinal(DashoA13*..)
>     at net.sourceforge.stripes.util.CryptoUtil.decrypt(CryptoUtil.java:188)
>     at net.sourceforge.stripes.action.ActionBeanContext.getSourcePage(ActionBeanContext.java:249)
>     at net.sourceforge.stripes.action.ActionBeanContext.getSourcePageResolution(ActionBeanContext.java:226)
> ....
> ...
> ...
> This only happens after a first load of my page. I have an href that has an
> image that has an onclick that triggers a JavaScript function. Then in my
> JavaScript function I have the Ajax.Updater method:
>
>     var params = 'initVar&id=' + nId
>         + '&_sourcePage=\/bugMaintenance.jsp';
>     new Ajax.Updater( "",
>         "${pageContext.request.contextPath}/ctrlr/BugMaint.action",
>         { method: 'post',
>           postBody: params,
>           onSuccess: successAddFunc,
>           onFailure: errorAddFunc
>         });
>
> I know this might not be the clean way, but do you have any ideas what is
> wrong? Or any suggestion how to do this via Ajax to pass the _sourcePage?
> I tried to debug the source code of Stripes. The problem is in
> ActionBeanContext.getSourcePage(): during the call to
> CryptoUtil.decrypt(sourcePage), since I did not encrypt the _sourcePage, which
> I just tweaked and passed as a request parameter during an Ajax call, the
> processing throws a Null pointer somewhere inside the decrypting of the
> source page.
> Inside the decrypt(String) method of CryptoUtil, the Base64.decode(input,
> BASE64_OPTIONS) returned null.
> Thanks,
> --jg
Stripes-development mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/stripes-development
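
An added example, not part of the original thread and not Stripes' CryptoUtil: a stand-alone sketch of the comment's two points, that inspecting characters cannot tell a raw page name from an encoded token, and that every bad `_sourcePage` value should surface as one specific exception. The class name, `InvalidSourcePageException`, `protect`/`unprotect` and the use of AES-GCM are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class SourcePageToken {
    // Hypothetical exception type: one legible failure for any rejected _sourcePage value.
    static class InvalidSourcePageException extends Exception {
        InvalidSourcePageException(String msg, Throwable cause) { super(msg, cause); }
    }

    // Encrypt and authenticate the page path; output is base64url(IV || ciphertext || tag).
    static String protect(SecretKey key, String page) throws GeneralSecurityException {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(page.getBytes(StandardCharsets.UTF_8));
        byte[] out = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    // Bad characters, truncation and a failed tag check all end in the same exception.
    static String unprotect(SecretKey key, String token) throws InvalidSourcePageException {
        try {
            byte[] raw = Base64.getUrlDecoder().decode(token); // IllegalArgumentException on bad input
            if (raw.length < 12 + 16) throw new IllegalArgumentException("token too short");
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, raw, 0, 12));
            return new String(c.doFinal(raw, 12, raw.length - 12), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException | GeneralSecurityException e) {
            throw new InvalidSourcePageException("_sourcePage was not issued by this server", e);
        }
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        System.out.println(unprotect(key, protect(key, "/bugMaintenance.jsp"))); // round trip
        // Constructed inputs: a raw path, and a page name made only of base64 characters.
        for (String bad : new String[] {"/bugMaintenance.jsp", "bugMaintenancePageForAdministrators0123"}) {
            try { unprotect(key, bad); }
            catch (InvalidSourcePageException e) { System.out.println(bad + " -> " + e.getMessage()); }
        }
    }
}
```

The second constructed input decodes as base64 without error and is rejected only by the authentication tag check, which is why a character-set test on the parameter is not a reliable way to decide whether it was encoded.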