Closed javaserverfaces closed 10 years ago
Reported by k0l0ssus
@manfredriem said: Please verify if this is still the case in 2.2.6. Thanks!
drankupon said: Hello,
I am the OP of the issue that k0l0ssus was referring to. I have since downloaded the latest javax.faces-2.2.6.jar and added the dependency.
I can verify this issue still does exist.
Here is my current web.xml
<?xml version="1.0" encoding="UTF-8"?>
going to: http://localhost:8080/JSFtest/faces/admin/index.xhtml result: Prompted for login and cannot access without validation
going to: http://localhost:8080/JSFtest/faces/faces/admin/index.xhtml result: No login prompt and I am able to view the page.
Environment:
Javax-Faces: 2.2.6 JSF API: 2.2.0 Server: GlassFish Server Open Source Edition 4.0 (build 89)
Thank you, Vincent
@manfredriem said: I am not sure by reading so I just want to make sure. Did you replace the javax.faces.jar in the GF 4 modules directory? If not can you please verify it that way? Thanks!
@manfredriem said: Can you please send a reproducer in a zip file. Thanks!
@manfredriem said: Lowering priority because of no response
@manfredriem said: Lowering priority because of no response
@manfredriem said: Closing issue out because of no response
This issue was imported from java.net JIRA JAVASERVERFACES-3206
Marked as incomplete on Monday, July 7th 2014, 7:51:00 am
Ref: http://stackoverflow.com/questions/22434622/facesservlet-url-patterns/22441493
OP noticed that using the URL mapping configuration for FacesServlet (in combination with a web.xml configuration that also contained the "/faces/") allows a user to access restricted resources by adding an extra "/faces/" to page URL in the browser address bar. While OP hasn't stated his exact environment, I can confirm this is the case on my Glassfish v4, Mojarra 2.2, servlet v3.1
To reproduce:
1. In a basic JSF webapp, define FacesServlet mapping with /faces/*
2. Define a restricted web resource collection per standard JEE security configuration. This web resource should contain the "/faces/" string in the URL. For example
3. Attempt to access the restricted resource with an extra "/faces/" (or any number of extra "/faces/", it doesn't make a difference) in the address bar, i.e. http://localhost/testapp/faces/faces/index.html. The restricted resource is accessible without any login prompting.
Environment
Glassfish V4
Affected Versions
[2.2.0]
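The two web.xml fragments below are an added illustration, not the reporter's configuration or Mojarra project code. The first mirrors the setup the report describes (prefix mapping plus a constraint written on the mapped path); the second shows a common mitigation, suffix mapping with the constraint written on the resource path itself. The `Faces Servlet` declaration, the `/admin/` directory and the `admin` role name are assumed.

```xml
<!-- Added example, not the reporter's web.xml. The <servlet> declaration
     for "Faces Servlet", the /admin/ directory and the "admin" role are
     assumed for illustration. -->

<!-- As described in the report: FacesServlet is prefix-mapped and the
     security constraint names the mapped path. A request such as
     /faces/faces/admin/index.xhtml does not start with /faces/admin/, so
     the container applies no constraint, yet it still matches /faces/*
     and is handed to the FacesServlet, which resolves the admin view. -->
<servlet-mapping>
  <servlet-name>Faces Servlet</servlet-name>
  <url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin pages</web-resource-name>
    <url-pattern>/faces/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<!-- Mitigation: map the FacesServlet by suffix, so the request URL is the
     resource path itself, and write the constraint on that path. The
     container and the servlet then evaluate the same path, so there is no
     separate "mapped" prefix that an extra segment can step outside of. -->
<servlet-mapping>
  <servlet-name>Faces Servlet</servlet-name>
  <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin pages</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
```

After switching to suffix mapping, the admin pages are reached as /admin/index.xhtml, and a quick check that /faces/admin/index.xhtml and /faces/faces/admin/index.xhtml no longer render the page confirms the constraint is being applied.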