Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

<partial-response> XML shown as plain text after ajax redirect on security constraint in WildFly

I've got this weird problem with ajax redirect on a security constraint:

When an ajax call is made (by clicking on a sortable p:dataTable column or when a p:poll triggers) on a role-secured page after my session timed out, a <partial-response><redirect-url=... XML from OmniFaces is shown on the screen.

When I remove OmniFaces, the ajax calls seem to fail silently and I don't get the XML shown.

Security is configured as following in web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Pages</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Resources</web-resource-name>
        <url-pattern>/javax.faces.resource/*</url-pattern>
    </web-resource-collection>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>myRealm</realm-name>
    <form-login-config>
        <form-login-page>/login.xhtml</form-login-page>
        <form-error-page>/login.xhtml?error=true</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <role-name>user</role-name>
</security-role>
like image 827
Xavier Dury Avatar asked Mar 07 '16 10:03

Xavier Dury


1 Answers

I reproduced it. This is a strange quirk/bug in WildFly itself.

What's happening here?

By default, without OmniFaces, when a request is fired on a constrained page while the session is expired, the server by default returns the entire HTML page identified by <form-login-page> as response, regardless of the source of the request. This obviously fails with JSF ajax requests as the JavaScript responsible for processing ajax requests couldn't deal with a whole HTML page as response where it expected a special XML response. The user is left with no form of feedback. This is since OmniFaces 1.2 fixed in its OmniPartialViewContext, triggered by this related question: ViewExpiredException not thrown on ajax request if JSF page is protected by j_security_check.

With OmniFaces, a special JSF ajax redirect response in form of <partial-response><redirect url="originalURL"> is returned instead of the entire login page, and the security constraint is triggered once again, but this time with a real synchronous request instead of an JSF ajax request. When the server returns the entire <form-login-page>, it would work just fine this way.

WildFly (tested only 10.0.0 as of now), however, appears to cache the entire <form-login-page> response of the 1st security constraint hit in the session (whereas it is expected to cache only the associated request) and return exactly that response on every hit of a constrained request. That's why you see the initial <partial-response> XML response every time.

As per this commit I have bypassed it by explicitly invalidating the session once again before generating the ajax redirect in OmniPartialViewContext. The fix is available in OmniFaces 2.3.

like image 178
BalusC Avatar answered Oct 23 '22 01:10

BalusC