eclipse-ee4j / krazo

Apache License 2.0

RedirectScope doesn't work with Cookie over resource boundaries #354

Closed erdlet closed 1 year ago

erdlet commented 1 year ago

Situation

In my application I've the following use-case:

A POST request is made to an update method, e.g. /posts/update, to change a Post's value. This method additionally sets a success message into a RedirectScoped bean. Afterwards a redirect is performed to /, which contains a specific overview for Posts. Now, when using the default redirect behavior with URI rewriting, everything works fine, but when Cookies are used instead, the values from the RedirectScoped bean are shown at the /posts resource instead of /.

After a look into the developer tools I recognized that Krazo sets two Cookies for a redirect token with different paths, namely / and /posts. As a result, the messages which I expect in the page returned by / are stored in the /posts Cookie and aren't displayed properly.


Workaround

Use URL rewriting instead

Expected behavior

There is only one Cookie which contains the latest value for the redirect scope.

Possible solution

The path attribute for the Cookie is set to the MVC base path instead of request.getContextPath().

@chkal any thoughts on this? I saw you made the initial contribution a few years ago :P

chkal commented 1 year ago

I think most of the redirect scope code was created by Oracle back then. I don't remember working on this very much TBH.

This is really weird. I agree with you that the context path should be used for the cookie. Only this makes sense to me. Because the redirect scope doesn't depend on the actual view being rendered. It basically just preserves data until the next page is rendered.

But even more weird is that it looks like the context path is actually used for the cookie. See this code:

https://github.com/eclipse-ee4j/krazo/blob/6a1c40fd486d07410353602e9babbca078e3775c/core/src/main/java/org/eclipse/krazo/cdi/RedirectScopeManager.java#L259-L263

chkal commented 1 year ago

Ah, I think I got it. It looks like you deployed your app to the root context path, correct? I guess this needs some special handling to use the path / instead of a blank string, which will most likely be handled by the browser somehow.

See the special handling in CookieCsrfTokenStrategy here:

https://github.com/eclipse-ee4j/krazo/blob/6a1c40fd486d07410353602e9babbca078e3775c/core/src/main/java/org/eclipse/krazo/security/CookieCsrfTokenStrategy.java#L61-L66
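An added stand-alone demo (my code, not Krazo's) of the mechanism described in this comment: the Servlet API returns "" from getContextPath() at the root context, and a Set-Cookie whose Path attribute is empty falls back to the browser's RFC 6265 default-path rule, which for a POST to /posts/update yields /posts. The class and method names and the sample paths are mine.

```java
/** Added demo (not Krazo code): why an empty cookie Path splits the redirect-scope cookie. */
public class CookiePathDemo {

    /** RFC 6265 section 5.1.4 default-path: what a browser assigns when Set-Cookie has no usable Path. */
    static String defaultPath(String requestUriPath) {
        if (requestUriPath == null || !requestUriPath.startsWith("/")) {
            return "/";
        }
        int lastSlash = requestUriPath.lastIndexOf('/');
        return lastSlash == 0 ? "/" : requestUriPath.substring(0, lastSlash);
    }

    /** Path the browser actually stores: an empty or non-absolute Path attribute is ignored. */
    static String effectivePath(String pathAttribute, String requestUriPath) {
        if (pathAttribute == null || !pathAttribute.startsWith("/")) {
            return defaultPath(requestUriPath);
        }
        return pathAttribute;
    }

    /** RFC 6265 section 5.1.4 path-match: decides whether a stored cookie is sent with a request. */
    static boolean pathMatches(String cookiePath, String requestPath) {
        if (requestPath.equals(cookiePath)) {
            return true;
        }
        if (!requestPath.startsWith(cookiePath)) {
            return false;
        }
        return cookiePath.endsWith("/") || requestPath.charAt(cookiePath.length()) == '/';
    }

    /** Fix: a blank context path becomes "/", the handling the thread points to in CookieCsrfTokenStrategy. */
    static String normalizedCookiePath(String contextPath) {
        return (contextPath == null || contextPath.isEmpty()) ? "/" : contextPath;
    }

    public static void main(String[] args) {
        String ctx = "";                 // app at the root context (assumed, as in the report)
        String setBy = "/posts/update";  // the POST that stores the redirect token
        String readBy = "/";             // the redirect target that should read it
        String buggy = effectivePath(ctx, setBy);                       // before: raw context path ""
        String fixed = effectivePath(normalizedCookiePath(ctx), setBy); // after: normalized to "/"
        System.out.println("raw context path -> Path=" + buggy + ", sent with GET /? " + pathMatches(buggy, readBy));
        System.out.println("normalized path  -> Path=" + fixed + ", sent with GET /? " + pathMatches(fixed, readBy));
    }
}
```

Running it shows the raw case stored under Path=/posts, which never matches a request for /, while the normalized case is stored under Path=/ and is sent with every request.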

erdlet commented 1 year ago

Yes, I deployed it to the root context, so I think you're right and we just need to use the same behavior as we use inside the mentioned CookieCsrfTokenStrategy. I hope to find some time to write a few tests to investigate the exact behavior of the Cookie handling.

erdlet commented 1 year ago

I can't reproduce this issue by tests, so I guess it's a client-specific problem. Nevertheless, we should add the tests to the test suite so we can ensure the behavior in the future.

erdlet commented 1 year ago

Closing this as not reproducible.