JSF <protected-views>令牌不一致

时间:2017-05-23 03:09:34

标签: jsf jsf-2.2 mojarra protected-views

我目前在使用JSF的<protected-views>生成的令牌方面遇到了麻烦。

我在faces-config.xml

中添加了我要保护的页面
<protected-views>
    <url-pattern>/restricted/account-management/users.xhtml</url-pattern>
    <url-pattern>/restricted/account-management/users.jsf</url-pattern>
</protected-views>

然后,例如,当我使用<h:link>

进入用户页面时
<h:link outcome="users" title="View">
    <f:param name="user" value="#{e.id}" />
</h:link>

网址中生成的令牌是

/restricted/account-management/users.jsf?javax.faces.Token=OW5KkkfJZrrfmZSXwA%253D%253D&user=4

该页面返回ProtectedViewException

然后我发现正确的令牌实际上是:

/restricted/account-management/users.jsf?javax.faces.Token=OW5KkkfJZrrfmZSXwA%3D%3D

令牌已在网址中进行了编码,其中%变为%25。当我将正确的令牌复制粘贴到URL中时,我会成功进入用户页面。

任何帮助都将不胜感激。

1 个答案:

答案 0 :(得分:0)

这是Mojarra JSF实施版2.2.11及更高版本的问题,您可以在https://github.com/javaee/javaserverfaces-spec/issues/1161https://github.com/javaserverfaces/mojarra/issues/4139

中查看有关问题的详细信息

处理该问题的另一种方法是创建一个CustomExternalContext来处理双重编码。

首先,您需要在faces-config.xml中声明一个CustomExternalContextFactory:

<factory>
    <external-context-factory>com.proitc.config.CustomExternalContextFactory</external-context-factory>
</factory>

在ExternalContextFactory中定义CustomExternalContext:

public class CustomExternalContextFactory extends ExternalContextFactory {

  private ExternalContextFactory externalContextFactory;

  public CustomExternalContextFactory() {}

  public CustomExternalContextFactory(ExternalContextFactory externalContextFactory) {
    this.externalContextFactory = externalContextFactory;
  }

  @Override
  public ExternalContext getExternalContext(Object context, Object request, Object response)
      throws FacesException {

    ExternalContext handler = new CustomExternalContext((ServletContext) context,
        (HttpServletRequest) request, (HttpServletResponse) response);

    return handler;
  }

}

CustomExternalContext重写方法encodeBookmarkableURL和encodeRedirectURL:

public class CustomExternalContext extends ExternalContextImpl {

  public CustomExternalContext(ServletContext sc, ServletRequest request,
      ServletResponse response) {
    super(sc, request, response);
  }

  @Override
  public String encodeBookmarkableURL(String baseUrl, Map<String, List<String>> parameters) {
    FacesContext context = FacesContext.getCurrentInstance();
    String encodingFromContext =
        (String) context.getAttributes().get(RIConstants.FACELETS_ENCODING_KEY);
    if (null == encodingFromContext) {
      encodingFromContext =
          (String) context.getViewRoot().getAttributes().get(RIConstants.FACELETS_ENCODING_KEY);
    }
    String currentResponseEncoding =
        (null != encodingFromContext) ? encodingFromContext : getResponseCharacterEncoding();
    UrlBuilder builder = new UrlBuilder(baseUrl, currentResponseEncoding);
    builder.addParameters(parameters);
    String secureUrl = builder.createUrl();

    //Handle double encoding
    if (parameters.size() > 0 && baseUrl.contains("javax.faces.Token")) {
      try {
        int beginToken = secureUrl.indexOf("javax.faces.Token");
        int endToken = secureUrl.indexOf("&") - 1;
        String doubleEncodeToken = secureUrl.substring(beginToken, endToken);
        String encodeToken = URLDecoder.decode(doubleEncodeToken, currentResponseEncoding);
        secureUrl = secureUrl.replace(doubleEncodeToken, encodeToken);
      } catch (UnsupportedEncodingException e) {
        throw new RuntimeException(e);
      }
    }
    return secureUrl;
  }

  @Override
  public String encodeRedirectURL(String baseUrl, Map<String, List<String>> parameters) {
    FacesContext context = FacesContext.getCurrentInstance();
    String encodingFromContext =
        (String) context.getAttributes().get(RIConstants.FACELETS_ENCODING_KEY);
    if (null == encodingFromContext) {
      encodingFromContext =
          (String) context.getViewRoot().getAttributes().get(RIConstants.FACELETS_ENCODING_KEY);
    }

    String currentResponseEncoding =
        (null != encodingFromContext) ? encodingFromContext : getResponseCharacterEncoding();

    UrlBuilder builder = new UrlBuilder(baseUrl, currentResponseEncoding);
    builder.addParameters(parameters);
    String secureUrl = builder.createUrl();
    //Handle double encoding
    if (parameters.size() > 0 && baseUrl.contains("javax.faces.Token")) {
      try {
        int beginToken = secureUrl.indexOf("javax.faces.Token");
        int endToken = secureUrl.indexOf("&") - 1;
        String doubleEncodeToken = secureUrl.substring(beginToken, endToken);
        String encodeToken = URLDecoder.decode(doubleEncodeToken, currentResponseEncoding);
        secureUrl = secureUrl.replace(doubleEncodeToken, encodeToken);
      } catch (UnsupportedEncodingException e) {
        throw new RuntimeException(e);
      }
    }
    return secureUrl;
  }

}

您可以在https://github.com/earth001/jsf-protected-view

中找到一个有效的例子