FacesServlet URL-pattern mapping neglects web.xml security configuration

[ren-zhijun-oracle]

Ref: http://stackoverflow.com/questions/22434622/facesservlet-url-patterns/22441493

OP noticed that using the URL mapping configuration for FacesServlet (in combination with a web.xml configuration that also contained the "/faces/") allows a user to access restricted resources by adding an extra "/faces/" to page URL in the browser address bar. While OP hasn't stated his exact environment, I can confirm this is the case on my Glassfish v4, Mojarra 2.2, servlet v3.1

To reproduce:

1. In a basic JSF webapp, define FacesServlet mapping with /faces/* 2. Define a restricted web resource collection per standard JEE security configuration. This web resource should contain the "/faces/" string in the URL. For example

TEST_SECURITY All_of_it /faces/index.xhtml roles CLUBBER_LANG CLUBBER_LANG

3. Attempt to access the restricted resource with an extra "/faces/" (or any number of extra "/faces/, it doesn't make a difference) in the address bar, i.e. http://localhost/testapp/faces/faces/index.html. The restricted resource is accessible without any login prompting.

Environment

Glassfish V4

Affected Versions

[2.2.0]

[ren-zhijun-oracle]

• Issue Imported From: https://github.com/javaserverfaces/mojarra/issues/3210
• Original Issue Raised By:@javaserverfaces
• Original Issue Assigned To: @manfredriem
• Original Issue Closed By:@javaserverfaces

[ren-zhijun-oracle]

@javaserverfaces Commented Reported by k0l0ssus

[ren-zhijun-oracle]

@javaserverfaces Commented @manfredriem said: Please verify if this is still the case in 2.2.6. Thanks!

[ren-zhijun-oracle]

@javaserverfaces Commented drankupon said: Hello,

I am the OP of the issue that k0l0ssus was referring to. I have since downloladed the latest javax.faces-2.2.6.jar and added the dependency.

I can verify this issue still does exist.

Here is my current web.xml

<?xml version="1.0" encoding="UTF-8"?>

javax.faces.PROJECT_STAGE Development Faces Servlet javax.faces.webapp.FacesServlet 1 Faces Servlet /faces/* 30 faces/index.xhtml ADMIN Admin Section /faces/admin/* ADMIN NONE BASIC jsfTest ADMIN

going to: http://localhost:8080/JSFtest/faces/admin/index.xhtml result: Prompted for login and cannot access without validation

going to: http://localhost:8080/JSFtest/faces/faces/admin/index.xhtml result: No login prompt and I am able to view the page.

Environment:

Javax-Faces: 2.2.6 JSF API: 2.2.0 Server: GlassFish Server Open Source Edition 4.0 (build 89)

Thank you Vincent

[ren-zhijun-oracle]

@javaserverfaces Commented @manfredriem said: I am not sure by reading so I just want to make sure. Did you replace the javax.faces.jar in the GF 4 modules directory? If not can you please verify it that way? Thanks!

[ren-zhijun-oracle]

@javaserverfaces Commented @manfredriem said: Can you please send a reproducer in a zip file. Thanks!

[ren-zhijun-oracle]

@javaserverfaces Commented @manfredriem said: Lowering priority because of no response

[ren-zhijun-oracle]

@javaserverfaces Commented @manfredriem said: Lowering priority because of no response

[ren-zhijun-oracle]

@javaserverfaces Commented @manfredriem said: Closing issue out because of no response

[ren-zhijun-oracle]

@javaserverfaces Commented This issue was imported from java.net JIRA JAVASERVERFACES-3206

[ren-zhijun-oracle]

@javaserverfaces Commented Marked as incomplete on Monday, July 7th 2014, 7:51:00 am