myfaces-dev mailing list archives

From "Leonardo Uribe (JIRA)" <...@myfaces.apache.org>
Subject [jira] [Commented] (MYFACES-4058) ProtectedViewException for a protectedview access while checking the OriginHeader for appContextPath
Date Thu, 14 Jul 2016 00:12:20 GMT

    [ https://issues.apache.org/jira/browse/MYFACES-4058?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15376042#comment-15376042 ]

Leonardo Uribe commented on MYFACES-4058:
-----------------------------------------

Yes, it is intentional to have the appContextPath in the path/urlInfo and check the Origin
header in the same way the Referer header is done. See JSF 2.2 section 2.2.1 in the part that
talks about View Protection:

"... If the values do match, look for a Referer [sic] request header. If the header is present,
use the protected view API to determine if any of the declared protected views match the value
of the Referer header. If so, conclude that the previously visited page is also a protected
view and it is therefore safe to continue. Otherwise, try to determine if the value of the
Referer header corresponds to any of the views in the current web application. If not, throw
a ProtectedViewException. If the Origin header is present, additionally perform the same steps
as with the Referer header. ..."

I think it is possible to modify this behavior by adding some web config custom param, but before
that we need a strong justification about a valid use case. Could you please describe the
case you have a bit more? Which browser are you using? From where is the request triggered?
Another app in the same server maybe?

 

> ProtectedViewException for a protectedview access while checking the OriginHeader for appContextPath
> ----------------------------------------------------------------------------------------------------
>
>                 Key: MYFACES-4058
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4058
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General
>    Affects Versions: 2.2.6
>         Environment: Windows, JSF 2.2
>            Reporter: Dinesh Kumar A S
>
> Getting ProtectedViewException while accessing a protectedview/xhtml, while checking the OriginHeader for appContextPath.
> SO reference : http://stackoverflow.com/questions/38308431/jsf-2-2-protectedviewexception-due-to-origin-header-and-appcontextpath-mismatch
> Any help is much appreciated.
> Is the "Origin" request-header supposed to have the appContextPath in the path/urlInfo?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
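
The mismatch raised in this issue, as an added example that is not MyFaces code and is not part of the original message: a browser serializes the Origin header as scheme, host and port only (RFC 6454), so a Referer-style rule that also expects the application context path cannot match it. The host, port, context path `/shop`, class and method names are constructed for illustration, and the host/port-only comparison is an assumed alternative rule, not something the JSF spec or MyFaces defines.

```java
import java.net.URI;

// Added illustration, not MyFaces code. All hosts, ports and paths are constructed sample values.
public class OriginVsRefererCheck {

    /** Referer-style rule: same scheme/host/port AND a path under the application's context path. */
    static boolean matchesWithContextPath(String header, URI appBase, String contextPath) {
        URI u = URI.create(header);
        String path = u.getPath(); // "" for a value that carries no path, e.g. an Origin header
        return sameOrigin(u, appBase) && path != null
                && (path.equals(contextPath) || path.startsWith(contextPath + "/"));
    }

    /** Assumed alternative for Origin: compare scheme, host and port only. */
    static boolean matchesOriginOnly(String header, URI appBase) {
        if ("null".equals(header)) {
            return false; // opaque origin: cannot be tied to this application
        }
        return sameOrigin(URI.create(header), appBase);
    }

    static boolean sameOrigin(URI a, URI b) {
        return a.getScheme() != null && a.getScheme().equalsIgnoreCase(b.getScheme())
                && a.getHost() != null && a.getHost().equalsIgnoreCase(b.getHost())
                && effectivePort(a) == effectivePort(b);
    }

    /** Fills in the default port when the URI does not state one. */
    static int effectivePort(URI u) {
        if (u.getPort() != -1) {
            return u.getPort();
        }
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    public static void main(String[] args) {
        URI appBase = URI.create("https://app.example.test:8443");
        String contextPath = "/shop";
        String referer = "https://app.example.test:8443/shop/faces/account.xhtml";
        String origin = "https://app.example.test:8443"; // same-site request, no path component

        System.out.println("Referer, context-path rule: " + matchesWithContextPath(referer, appBase, contextPath));
        System.out.println("Origin, context-path rule:  " + matchesWithContextPath(origin, appBase, contextPath));
        System.out.println("Origin, origin-only rule:   " + matchesOriginOnly(origin, appBase));
        System.out.println("Foreign Origin, origin-only: " + matchesOriginOnly("https://other.example.test", appBase));
    }
}
```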
