javaee / mojarra

PLEASE NOTE: This project has moved to Eclipse Foundation and will be archived under the JavaEE GitHub Organization. After Feb. 1, 2021, the new location will be github.com/javaee/mojarra. Mojarra - Oracle's implementation of the JavaServer Faces specification
https://github.com/eclipse-ee4j/mojarra

FacesServlet URL-pattern mapping neglects web.xml security configuration #3210

Closed javaserverfaces closed 10 years ago

javaserverfaces commented 10 years ago

Ref: http://stackoverflow.com/questions/22434622/facesservlet-url-patterns/22441493

OP noticed that using the URL mapping configuration for FacesServlet (in combination with a web.xml configuration that also contained the "/faces/") allows a user to access restricted resources by adding an extra "/faces/" to page URL in the browser address bar. While OP hasn't stated his exact environment, I can confirm this is the case on my Glassfish v4, Mojarra 2.2, servlet v3.1

To reproduce:

1. In a basic JSF webapp, define the FacesServlet mapping with /faces/*.
2. Define a restricted web resource collection per standard JEE security configuration. This web resource should contain the "/faces/" string in the URL. For example:

```xml
<security-constraint>
    <display-name>TEST_SECURITY</display-name>
    <web-resource-collection>
        <web-resource-name>All_of_it</web-resource-name>
        <url-pattern>/faces/index.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>roles</description>
        <role-name>CLUBBER_LANG</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <role-name>CLUBBER_LANG</role-name>
</security-role>
```

3. Attempt to access the restricted resource with an extra "/faces/" (or any number of extra "/faces/", it doesn't make a difference) in the address bar, i.e. http://localhost/testapp/faces/faces/index.html. The restricted resource is accessible without any login prompting.

Environment

Glassfish V4

Affected Versions

[2.2.0]

javaserverfaces commented 10 years ago

Reported by k0l0ssus

javaserverfaces commented 10 years ago

@manfredriem said: Please verify if this is still the case in 2.2.6. Thanks!

javaserverfaces commented 10 years ago

drankupon said: Hello,

I am the OP of the issue that k0l0ssus was referring to. I have since downloaded the latest javax.faces-2.2.6.jar and added the dependency.

I can verify this issue still does exist.

Here is my current web.xml:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
    <context-param>
        <param-name>javax.faces.PROJECT_STAGE</param-name>
        <param-value>Development</param-value>
    </context-param>
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>/faces/*</url-pattern>
    </servlet-mapping>
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
    <welcome-file-list>
        <welcome-file>faces/index.xhtml</welcome-file>
    </welcome-file-list>
    <security-constraint>
        <display-name>ADMIN</display-name>
        <web-resource-collection>
            <web-resource-name>Admin Section</web-resource-name>
            <url-pattern>/faces/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ADMIN</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>jsfTest</realm-name>
    </login-config>
    <security-role>
        <role-name>ADMIN</role-name>
    </security-role>
</web-app>
```

going to: http://localhost:8080/JSFtest/faces/admin/index.xhtml result: Prompted for login and cannot access without validation

going to: http://localhost:8080/JSFtest/faces/faces/admin/index.xhtml result: No login prompt and I am able to view the page.

Environment:

- Javax-Faces: 2.2.6
- JSF API: 2.2.0
- Server: GlassFish Server Open Source Edition 4.0 (build 89)

Thank you, Vincent
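As an added example (not code from this thread or from Mojarra): a servlet filter that refuses the doubled-prefix form of the request before it reaches the FacesServlet, so the only route to the /faces/admin/* pages is the canonical one that the security-constraint in the web.xml above actually covers. It assumes the FacesServlet is mapped to /faces/* as in that web.xml and that annotation scanning is enabled (no metadata-complete="true"); the class name, the constant and the isCanonical helper are mine.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Container security constraints are matched against the raw request path,
 * so /faces/faces/admin/index.xhtml does not match /faces/admin/*, while the
 * FacesServlet still resolves it to the admin view. This filter (assumed name)
 * runs on the same mapping as the FacesServlet and rejects any request whose
 * path info starts with the prefix again, leaving only the constrained form.
 */
@WebFilter(urlPatterns = "/faces/*")   // same <url-pattern> as the FacesServlet
public class CanonicalFacesPathFilter implements Filter {

    // Must equal the FacesServlet <url-pattern> without its trailing "/*".
    private static final String FACES_PREFIX = "/faces";

    /** Pure check, kept apart from the servlet API so it can be unit tested. */
    static boolean isCanonical(String pathInfo) {
        if (pathInfo == null) {
            return true;               // bare "/faces": nothing to strip
        }
        // With prefix mapping, pathInfo is everything after "/faces";
        // a pathInfo of "/faces" or "/faces/..." is the doubled-prefix form.
        return !(pathInfo.equals(FACES_PREFIX) || pathInfo.startsWith(FACES_PREFIX + "/"));
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        if (!isCanonical(req.getPathInfo())) {
            // 404, not a redirect: do not rewrite the request on the caller's behalf.
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig filterConfig) { }   // abstract in Servlet 3.1
    @Override public void destroy() { }
}
```

For the two URLs quoted above, isCanonical("/admin/index.xhtml") is true and isCanonical("/faces/admin/index.xhtml") is false, so the second request is answered with 404 before the FacesServlet sees it.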

javaserverfaces commented 10 years ago

@manfredriem said: I am not sure by reading so I just want to make sure. Did you replace the javax.faces.jar in the GF 4 modules directory? If not can you please verify it that way? Thanks!

javaserverfaces commented 10 years ago

@manfredriem said: Can you please send a reproducer in a zip file. Thanks!

javaserverfaces commented 10 years ago

@manfredriem said: Lowering priority because of no response

javaserverfaces commented 10 years ago

@manfredriem said: Lowering priority because of no response

javaserverfaces commented 10 years ago

@manfredriem said: Closing issue out because of no response

javaserverfaces commented 7 years ago

This issue was imported from java.net JIRA JAVASERVERFACES-3206

javaserverfaces commented 10 years ago

Marked as incomplete on Monday, July 7th 2014, 7:51:00 am