myfaces-users mailing list archives

From "Łukasz Budnik" <lukasz.bud...@gmail.com>
Subject serious security BUG in MyFaces 1.2.2
Date Wed, 12 Mar 2008 00:53:46 GMT
Hi All!

I had some trouble with Tomahawk's visibleOnUserRole.
Also, I've tried the securityContext from Tomahawk Sandbox, but it
didn't work either.

I've written simple tests; in every case I use the following array of roles:

String[] roles = new String[] { "viewer", "executor", "creator", "admin" };

inside TestFilter.doFilter I have:

for (String role : roles) {
	logger.debug("Is user in '" + role + "' role? ==> "
	+ ((HttpServletRequest) request).isUserInRole(role));
}

inside TestPhaseListener.afterPhase/beforePhase:

for (String role : roles) {
	logger.debug("**after/before** phase Is user in '" + role + "' role? ==> "
	+ phaseEvent.getFacesContext().getExternalContext().isUserInRole(role));
}

and finally inside TestBackingBean I have two loops:

for (String role : roles) {
	logger.debug("Is user in '" + role + "' role? ==> "
	+ FacesContext.getCurrentInstance().getExternalContext().isUserInRole(role));
}
for (String role : roles) {
	logger.debug("Is user in '" + role + "' role? ==> "
	+ ((HttpServletRequest) FacesContext.getCurrentInstance()
			.getExternalContext().getRequest()).isUserInRole(role));
}

after signing in successfully, I browse a random page, and here's what I
see in my log:

first, control flow goes to the filter:

01:27:28,000 DEBUG [TestFilter] Is user in 'viewer' role? ==> true
01:27:28,000 DEBUG [TestFilter] Is user in 'executor' role? ==> true
01:27:28,000 DEBUG [TestFilter] Is user in 'creator' role? ==> true
01:27:28,000 DEBUG [TestFilter] Is user in 'admin' role? ==> true

as expected ;)

now, MyFaces beforePhase:

01:27:28,015 DEBUG [TestPhaseListener] before phase Is user in 'viewer' role? ==> true
01:27:28,015 DEBUG [TestPhaseListener] before phase Is user in 'executor' role? ==> true
01:27:28,015 DEBUG [TestPhaseListener] before phase Is user in 'creator' role? ==> true
01:27:28,015 DEBUG [TestPhaseListener] before phase Is user in 'admin' role? ==> true

perfect!

and afterPhase:

01:27:28,015 DEBUG [TestPhaseListener] after phase Is user in 'viewer' role? ==> true
01:27:28,015 DEBUG [TestPhaseListener] after phase Is user in 'executor' role? ==> true
01:27:28,015 DEBUG [TestPhaseListener] after phase Is user in 'creator' role? ==> true
01:27:28,015 DEBUG [TestPhaseListener] after phase Is user in 'admin' role? ==> true

couldn't be better!


BUT ;(

inside the backing bean:

01:27:28,171 DEBUG [TestBackingBean] Is user in 'viewer' role? ==> false
01:27:28,171 DEBUG [TestBackingBean] Is user in 'executor' role? ==> false
01:27:28,171 DEBUG [TestBackingBean] Is user in 'creator' role? ==> false
01:27:28,171 DEBUG [TestBackingBean] Is user in 'admin' role? ==> false
01:27:28,187 DEBUG [TestBackingBean] Is user in 'viewer' role? ==> false
01:27:28,187 DEBUG [TestBackingBean] Is user in 'executor' role? ==> false
01:27:28,187 DEBUG [TestBackingBean] Is user in 'creator' role? ==> false
01:27:28,187 DEBUG [TestBackingBean] Is user in 'admin' role? ==> false

disaster!

security in MyFaces 1.2.2 does not work at all (except for phase
listeners, which is useless for me anyway).

any idea how to fix it?

best regards
Łukasz
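To narrow down where the filter's answer and the backing bean's answer diverge, here is an added diagnostic helper (not code from the post, from MyFaces or from Tomahawk): it takes the object that `ExternalContext.getRequest()` returns, follows any `ServletRequestWrapper` chain down to the container's own request, and records what each layer answers for `isUserInRole` and whether a `Principal` is attached. `RoleCheckProbe` and its layer labels are my names, and it assumes the Servlet 2.5 / JSF 1.2 `javax` APIs the post is running against.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.ServletRequest;
import javax.servlet.ServletRequestWrapper;
import javax.servlet.http.HttpServletRequest;

/** Diagnostic only: reports what each request layer answers for isUserInRole. */
public final class RoleCheckProbe {

    private RoleCheckProbe() {
    }

    /**
     * Starting from the request object the backing bean can see, follows the
     * ServletRequestWrapper chain down to the container's own request and
     * records, per layer, the answer for every role plus whether a Principal
     * is present. The first layer whose answers differ from the innermost one
     * is where the role information stops being visible.
     */
    public static Map<String, Map<String, Boolean>> probe(Object requestObject, String[] roles) {
        Map<String, Map<String, Boolean>> byLayer = new LinkedHashMap<String, Map<String, Boolean>>();
        ServletRequest current = (ServletRequest) requestObject;
        int depth = 0;
        while (current != null) {
            Map<String, Boolean> answers = new LinkedHashMap<String, Boolean>();
            if (current instanceof HttpServletRequest) {
                HttpServletRequest http = (HttpServletRequest) current;
                for (String role : roles) {
                    answers.put(role, Boolean.valueOf(http.isUserInRole(role)));
                }
                answers.put("[principal present]", Boolean.valueOf(http.getUserPrincipal() != null));
            }
            byLayer.put(depth + ":" + current.getClass().getName(), answers);
            // Unwrap one layer; the container's own request is not a wrapper, so the loop ends there.
            current = (current instanceof ServletRequestWrapper)
                    ? ((ServletRequestWrapper) current).getRequest() : null;
            depth++;
        }
        return byLayer;
    }

    /** Builds one log line per layer, e.g. for logger.debug() inside TestBackingBean. */
    public static String report(Object requestObject, String[] roles) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, Map<String, Boolean>> e : probe(requestObject, roles).entrySet()) {
            sb.append(e.getKey()).append(" => ").append(e.getValue()).append('\n');
        }
        return sb.toString();
    }
}
```

Log `RoleCheckProbe.report(FacesContext.getCurrentInstance().getExternalContext().getRequest(), roles)` from the backing bean and the same call on `request` inside `TestFilter.doFilter`. If the filter's layers answer true while every layer in the bean answers false, the bean is not being handed the request the container authenticated, which is the thing to take to the MyFaces issue tracker.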