myfaces-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Łukasz Budnik" <lukasz.bud...@gmail.com>
Subject Re: serious security BUG in MyFaces 1.2.2
Date Wed, 12 Mar 2008 11:36:35 GMT
Hi All!

I've written very simple work around for this. I use session backing
bean: AuthorizationController to store user and his/hers roles and
AuthorizationPhaseListener to retrieve the roles and users from the
original request.

This is how it looks like:

public class AuthorizationPhaseListener implements PhaseListener {

	private static final long serialVersionUID = 2078973126942159155L;

	protected final static Logger logger = Logger
			.getLogger(AuthorizationPhaseListener.class);

	@SuppressWarnings("deprecation")
	public void afterPhase(PhaseEvent phaseEvent) {
		FacesContext facesContext = phaseEvent.getFacesContext();

		// check if user has been authorized by JAAS, if not return
		if (facesContext.getExternalContext().getRemoteUser() == null) {
			return;
		}

		// there is a remote user set by JAAS

		// MyFaces 1.2.2 security bug, cannot retrieve managed bean because it
		// erases all roles, copy them before ;)
		Map<String, Boolean> rolesMap = new HashMap<String, Boolean>(4);
		String[] roles = new String[] { "viewer", "executor", "creator",
				"admin" };

		for (String role : roles) {
			logger.debug("Is user in '"
					+ role
					+ "' role? ==> "
					+ phaseEvent.getFacesContext().getExternalContext()
							.isUserInRole(role));
			rolesMap.put(role, phaseEvent.getFacesContext()
					.getExternalContext().isUserInRole(role));
		}

		AuthorizationController authorizationController =
(AuthorizationController) facesContext
				.getApplication().createValueBinding(
						"#{AuthorizationController}").getValue(facesContext);

		logger.debug("Remote user is ==> "
				+ facesContext.getExternalContext().getRemoteUser());
		logger.debug("Authorized user is ==> "
				+ authorizationController.getUser());

		// if user is already authorized, return
		if (authorizationController.getUser() != null
				&& facesContext.getExternalContext().getRemoteUser() != null) {
			return;
		}

		// if not, proceed

		// load user
		authorizationController.loadUser(facesContext.getExternalContext()
				.getRemoteUser());

		// and set proper roles
		for (String role : rolesMap.keySet()) {
			if (rolesMap.get(role)) {
				authorizationController.setRole(role);
			}
		}

	}

	public void beforePhase(PhaseEvent phaseEvent) {
	}

	public PhaseId getPhaseId() {
		return PhaseId.RESTORE_VIEW;
	}

}


now, inside any view I can now user for example
rendered="#{AuthorizationController.admin}"

best regards
Łukasz

On 12/03/2008, Łukasz Budnik <lukasz.budnik@gmail.com> wrote:
> Hi All!
>
>  I had some trouble with Tomahawk's visibleOnUserRole.
>  Also, I've tried the securityContext from Tomahawk Sandbox, but it
>  didn't work either.
>
>  I've written simple tests, in every case I use following array of roles:
>
>  String[] roles = new String[] { "viewer", "executor", "creator", "admin" };
>
>  inside TestFilter.doFilter I have:
>
>  for (String role : roles) {
>         logger.debug("Is user in '" + role + "' role? ==> "
>         + ((HttpServletRequest) request).isUserInRole(role));
>  }
>
>  inside TestPhaseListener.afterPhase/beforePhase:
>
>  for (String role : roles) {
>         logger.debug("**after/before** phase Is user in '" + role + "' role? ==> "
>         + phaseEvent.getFacesContext().getExternalContext().isUserInRole(role));
>  }
>
>  and finally inside TestBackingBean I have two loops:
>
>  for (String role : roles) {
>         logger.debug("Is user in '" + role + "' role? ==> "
>         + FacesContext.getCurrentInstance().getExternalContext().isUserInRole(role));
>  }
>  for (String role : roles) {
>         logger.debug("Is user in '" + role + "' role? ==> "
>         + ( (HttpServletRequest)
>  FacesContext.getCurrentInstance().getExternalContext().getRequest()).isUserInRole(role));
>  }
>
>  after successful signing in, I browse a random page, and here's what I
>  see in my log:
>
>  first control flow goes to the filter:
>
>  01:27:28,000 DEBUG [TestFilter] Is user in 'viewer' role? ==> true
>  01:27:28,000 DEBUG [TestFilter] Is user in 'executor' role? ==> true
>  01:27:28,000 DEBUG [TestFilter] Is user in 'creator' role? ==> true
>  01:27:28,000 DEBUG [TestFilter] Is user in 'admin' role? ==> true
>
>  as expected ;)
>
>  now, MyFaces beforePhase:
>
>  01:27:28,015 DEBUG [TestPhaseListener] before phase Is user in
>  'viewer' role? ==> true
>  01:27:28,015 DEBUG [TestPhaseListener] before phase Is user in
>  'executor' role? ==> true
>  01:27:28,015 DEBUG [TestPhaseListener] before phase Is user in
>  'creator' role? ==> true
>  01:27:28,015 DEBUG [TestPhaseListener] before phase Is user in 'admin'
>  role? ==> true
>
>  perfect!
>
>  and afterPhase:
>
>  01:27:28,015 DEBUG [TestPhaseListener] after phase Is user in 'viewer'
>  role? ==> true
>  01:27:28,015 DEBUG [TestPhaseListener] after phase Is user in
>  'executor' role? ==> true
>  01:27:28,015 DEBUG [TestPhaseListener] after phase Is user in
>  'creator' role? ==> true
>  01:27:28,015 DEBUG [TestPhaseListener] after phase Is user in 'admin'
>  role? ==> true
>
>  couldn't be better!
>
>
>  BUT ;(
>
>  inside the backing bean:
>
>  01:27:28,171 DEBUG [TestBackingBean] Is user in 'viewer' role? ==> false
>  01:27:28,171 DEBUG [TestBackingBean] Is user in 'executor' role? ==> false
>  01:27:28,171 DEBUG [TestBackingBean] Is user in 'creator' role? ==> false
>  01:27:28,171 DEBUG [TestBackingBean] Is user in 'admin' role? ==> false
>  01:27:28,187 DEBUG [TestBackingBean] Is user in 'viewer' role? ==> false
>  01:27:28,187 DEBUG [TestBackingBean] Is user in 'executor' role? ==> false
>  01:27:28,187 DEBUG [TestBackingBean] Is user in 'creator' role? ==> false
>  01:27:28,187 DEBUG [TestBackingBean] Is user in 'admin' role? ==> false
>
>  disaster!
>
>  security in MyFaces 1.2.2 does not work at all (except for phase
>  listeners, which is useless for me anyway).
>
>  any idea how to fix it?
>
>  best regards
>
> Łukasz
>
Mime
View raw message