Primefaces open redirect vulnerability - ajax

I am new to JSF and Primefaces and I am trying to implement custom portlets for Liferay using Primefaces. To submit simple form data I'm using ajax as follows:
<f:ajax execute="@form" render="@form :message-show" listener="#{dataController.addData}" onevent="updateProgresBar" />
Submit will result in an ajax call, which has a parameter in the URL with the view mapping, e.g.
_sampleportlet_WAR_servicexy_INSTANCE_eVh2tM4zSkIj__facesViewIdResource=%2Fview.xhtml
Can you advise whether this view.xhtml mapping is protected against open redirection vulnerabilities as part of the JSF/Primefaces spec, or whether this needs to be handled manually? If so, could you advise what the best practice is to implement it, e.g. some custom filter etc.?
Thanks in advance

It is the developer's responsibility to ensure that the current Liferay user has permission to visit specific JSF views that are contained in the portlet application, execute managed bean methods, etc.
For more details, see How do I do security in JSF?
Note that there were three vulnerabilities in Liferay Faces Bridge that were either directly or indirectly related to your question:
FACES-1917
FACES-2343
FACES-2361
In order to ensure that you are using versions of Liferay Faces dependencies that contain fixes for these issues, visit the liferayfaces.org home page and use the drop-down menus to choose your version of Liferay Portal and JSF. After making a selection, the home page will update with the latest Maven/Gradle dependencies.
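As an added example (not code from the answer, from Liferay Faces or from PrimeFaces): a guard for a view id that arrives in a request parameter, such as the _facesViewIdResource value in the question, before it is used as a redirect or navigation target. The class name ViewIdGuard, the allow-list of views and the DEFAULT_VIEW fallback are assumptions; the redirect helper uses the plain servlet-style ExternalContext API and, in a portlet, is subject to whatever mapping the bridge applies.

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

public final class ViewIdGuard {
    // Constructed allow-list of the views this portlet may navigate to (assumed names).
    private static final Set<String> KNOWN_VIEWS =
            new HashSet<String>(Arrays.asList("/view.xhtml", "/edit.xhtml"));
    private static final String DEFAULT_VIEW = "/view.xhtml";

    /** Returns the decoded view id if it is relative and allow-listed, otherwise null. */
    public static String safeViewId(String raw) {
        if (raw == null || raw.isEmpty()) return null;
        String id;
        try {
            id = URLDecoder.decode(raw, "UTF-8"); // accepts the %2Fview.xhtml form from the question
            URI uri = new URI(id);
            // "http://evil", "//evil" and "\\evil" are absolute, carry an authority, or fail to
            // parse: all are rejected, so the redirect can never leave this web application.
            if (uri.isAbsolute() || uri.getAuthority() != null) return null;
        } catch (UnsupportedEncodingException | URISyntaxException | IllegalArgumentException e) {
            return null;
        }
        if (!id.startsWith("/") || id.contains("..") || id.contains("\\")) return null;
        return KNOWN_VIEWS.contains(id) ? id : null;
    }

    /** Redirects to the requested view when it passes the check, else to the default view. */
    public static void redirectToView(String raw) throws IOException {
        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
        String target = safeViewId(raw);
        ec.redirect(ec.getRequestContextPath() + (target != null ? target : DEFAULT_VIEW));
    }
}
```

The allow-list is the important part: scheme and authority checks stop off-site targets, but only the list stops a user from reaching a view they are not entitled to, which is the permission point the answer makes.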

Related

Add additional behavior to all portlets in Websphere Portal

I need to add some behavior to all my portlets.
It must be some ajax query that checks some condition and, if it is true, shows a message.
At first I decided to add some HTML to my portal skin for my applications. In this HTML I add a JS script to make the ajax query. But I don't know the context to send the query to, because we use WSRP to access our portlets. That's why I cannot get the WSRP context and make the query.
My second thought was to add a common JSP to all portlets, and in this JSP put the logic (from a JSP I can get the context). But it is not good if I have to change all the portlets' JSPs (using the "include" tag).
So my questions are:
How to add behavior to all portlets?
How to get WSRP context in JS?
How to add jsp to all portlets, without changing portlets jsp?
P.S. And I cannot touch portal's theme, anyway.
You should be able to use a global portlet filter for this in WebSphere Portal. You create a WAR module with the filter class in it, and deploy it to the application server on which WPS is running. It must have a file called plugin.xml in WEB-INF which describes your global filter(s) via Eclipse plug-point mechanisms within Portal. Your class must implement one of the sub-types of the standard javax.portlet.filter.PortletFilter interface, meaning the code you write is standards based.
If you implement a global portlet filter, you must understand that it will be invoked for every portlet invoked on the portal - including administrative ones. To avoid running your intended logic where you do not wish to do so, check the context path of each request.
From the WPS Knowledge Center article:
Because global portlet filters affect all portlets running in the given portlet container, the console modules that are contained in the Integrated Solutions Console are also filtered. It is important to test your filter implementation for undesired side effects on console modules or portlets. One approach is to test by checking the context path of the request in your filter logic.
I don't know the context path of the WSRP portlet off the top of my head, but some SystemOut logging should help you identify what this value is and point you in the right direction.
Lastly, there is an article with sample code describing the technique on the portal wiki.
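As an added example (not the answer's code, nor IBM's wiki sample): a global RenderFilter of the kind the answer describes, which skips portlets whose context path matches a configured prefix and appends a small static fragment carrying the portlet application's own context path to every other portlet's output, so a page script can read it instead of guessing the WSRP context. The class name, the fragment markup and the "skipContextPaths" init-parameter name are assumptions; registration in WEB-INF/plugin.xml follows the Knowledge Center article and is not shown.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.portlet.PortletException;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;
import javax.portlet.filter.FilterChain;
import javax.portlet.filter.FilterConfig;
import javax.portlet.filter.RenderFilter;

public class GlobalNoticeRenderFilter implements RenderFilter {
    private final List<String> skippedContextPaths = new ArrayList<String>();
    // "skipContextPaths" is an assumed init-param name: a comma-separated list of context
    // paths (for example the Integrated Solutions Console's) that the filter must leave alone.
    @Override public void init(FilterConfig config) {
        String raw = config.getInitParameter("skipContextPaths");
        if (raw == null) return;
        for (String p : raw.split(",")) {
            if (!p.trim().isEmpty()) skippedContextPaths.add(p.trim());
        }
    }

    @Override public void doFilter(RenderRequest request, RenderResponse response, FilterChain chain)
            throws IOException, PortletException {
        String contextPath = request.getContextPath(); // the portlet application's own context path
        chain.doFilter(request, response);              // let the portlet render its own markup first
        if (isSkipped(contextPath)) return;
        try {
            response.getWriter().write(fragmentFor(contextPath));
        } catch (IllegalStateException e) {
            // The portlet rendered through getPortletOutputStream(); leave its output untouched.
        }
    }

    // The page script reads data-context-path to build its ajax URL. The value is
    // container-supplied, but it is still attribute-escaped before going into markup.
    static String fragmentFor(String contextPath) {
        String safe = contextPath == null ? "" : contextPath
                .replace("&", "&amp;").replace("\"", "&quot;").replace("<", "&lt;");
        return "<div class=\"global-notice\" data-context-path=\"" + safe + "\"></div>";
    }
    boolean isSkipped(String contextPath) {
        if (contextPath == null) return false;
        for (String prefix : skippedContextPaths) {
            if (contextPath.startsWith(prefix)) return true;
        }
        return false;
    }
    @Override public void destroy() { }
}
```

Until the skip list is populated from what the logging reveals, the fragment will also appear in administrative portlets, which is the side effect the Knowledge Center quote warns about.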

Struts 2 security vulnerability issue

We have projects using Struts 2.0 and 2.1.
We're using web-hosting with Tomcat and both projects are working fine on remote servers. Recently, we got warning message from the webhosting provider, like:
This notice is to inform you that recently numerous vulnerabilities have been discovered related to Struts and Struts2 frameworks and other frameworks which use OGNL classes.
Since your application is using Struts or Struts2 framework, we HIGHLY recommend that you URGENTLY update it to the most recent version: Struts v2.3.16.1
After research, we found there are consistent upgrades:
http://struts.apache.org/announce.html
Therefore, we tried to upgrade our Struts2 to 2.3.16.3 (the latest version at present). However, we found it's not a trivial task to upgrade Struts2, since everything doesn't work, including AJAX tags, AJAX form submit, auto-complete, etc. In this sense, Struts 2 is not well designed for scalability.
One example is that whenever we submit our AJAX form, the result will be in a new page instead of in the targets field defined in the sx:submit or sj:submit tag. We don't want to re-write all the code just because of the upgrade.
We want to know, if we don't upgrade Struts2 to the latest version, what kind of vulnerabilities our web application will face. Could anyone give us more details or any hint for solutions based on our situation? Thanks so much.
You are probably looking for Security Bulletins. Each document describes the summary, problem, and solution to resolve the problem. At the end of each document you can find hotfixes if they are available.
One example is that whenever we submit our ajax form, the result will be in a new page instead of in the targets field defined in the sx:submit or sj:submit tag.
It seems you are using Struts 2 and the Struts 2 jQuery plugin, so try to update to Struts 2 jQuery 3.7.0 too.
I recommend accepting some rework and upgrading, as some security issues are high.
There are some key parts which have changed and may need to be considered during the upgrade, like acceptableParameterName. Also review your param interceptor stack and the list of excluded parameters.

Primefaces 3.5 versus 4.0

What are the major differences between primefaces version 3.5.x and 4.x besides the obvious java-ee-7 compliance in the 4.x versions? Has version 4.x been rewritten internally? If so what are the differences? I am currently using primefaces 3.5.20, so many of the new or updated components are already available. Has there been any work to streamline ajax throughput?
There are many improvements:
The main one is the integration with the JSF 2.2 specification. As JSF 2.2 is Servlet 3.x compatible, the file upload system has changed in order to take advantage of Servlet 3.x features and do it the HTML 5 way. It also includes support for HTML pass-through attributes, introduced in JSF 2.2 and able to include non-JSF attributes in the rendered page.
Client Side Validation Framework: I still have to try that, but one of the shortcomings of plain-vanilla JSF is the absence of client side validation. JSF is known for being a server side framework. However, sometimes client validation is also convenient in order to give the end user a better experience. Primefaces 4 is supposed to include that (in fact they've been working to adapt their approach to HTML5 standards).
Search expressions: Something in JSF that can puzzle you is searching for component ids at client side. JSF uses its own prefixed identifiers, so sometimes it is difficult to search for what you want. JSF 2.2 provides a set of keywords: "@this", "@form", "@all", "@none", in order to simplify what you want to make a reference to. In Primefaces 4, apart from that, you've got @composite which resolves the closest CompositeComponent parent, @widgetVar(name) which resolves a component by its widgetVar and @child(index) which resolves the nth child.
Lots of bug fixes and component improvements, some of them done in parallel with the 3.5.x series.
About ajax performance, I know there have been some issues in concrete cases, but apart from fixing them and adding new capabilities to their jQuery-ajax utilities, I'm not aware of more improvements.
See also:
Primefaces 4 improvements
Default text (placeholder) in InputText component
Search expressions in PrimeFaces 4

Using Custom Login Form (Vaadin Components with Spring Security/ROO)

I have completed setting up Spring Security using the Roo shell as a guide and it has generated several views, amongst them the login.jspx. I am trying to create a custom login form using Vaadin's Visual Editor and Eclipse; how can I redirect the user to my login form and then use Spring Security to validate and authenticate the user as well as start session management? I am really trying to avoid JSP since the rest of my application is using Vaadin as its core front-end.
Vaadin has some limitations on the login form.
Have a look at: https://vaadin.com/book/-/page/components.loginform.html so you will notice what I mean.
You can also have a look at the vaadin wiki (https://vaadin.com/wiki). There are several articles on your topic. You may find your solution there :)
kind regards

Session handling in Struts 2.1.6

I have a project with the following setup:
Tomcat 6.x
Struts 2.1.6
DisplayTag 1.2
Spring 2.x (1 or 5, don't remember now)
I want to know how to do session control in every action of my app, e.g. if the users aren't logged in, they're redirected to a certain page to log in (in the case of my project, either the user comes via a specially crafted URL like login/SPECIALHASHTOLOGIN or won't enter at all).
Need more details?
Thx in advance.
I'm still new to S2 as well, but I believe what you will need to do is modify the default interceptor stack (or create a custom stack) and add a custom interceptor. This custom interceptor will need to implement SessionAware to access the user session, and must implement your custom logic (which action to redirect to, which URLs do not need protection, etc.).
Here is a good tutorial on a LoginInterceptor that behaves similarly to what you are requesting.
Acegi security is a great way to add security to your web app if you're already using Spring. Here's a decent 1-hour Acegi tutorial.
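As an added example (not from the linked tutorial or the answer): a Struts 2 interceptor of the kind described above, which reads the session through the ActionInvocation, lets an allow-list of public actions through (the login action that handles the login/SPECIALHASHTOLOGIN entry point would be one of them; checking the hash itself belongs in that action and is not shown), and returns a global "login" result for everything else. The class name, the session key "currentUser", the result name and the public action names are assumptions.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/*
 * Registration sketch for struts.xml (assumed names): declare this class under
 * <interceptors> as "loginCheck", build a custom stack that lists it BEFORE the
 * defaultStack so unauthenticated requests never reach params/validation, make
 * that stack the default, and map "login" in <global-results> to the login page.
 */
public class LoginInterceptor extends AbstractInterceptor {
    public static final String USER_SESSION_KEY = "currentUser"; // set by the login action (assumed)
    public static final String LOGIN_RESULT = "login";           // global result name (assumed)
    // Actions reachable without a session: the login entry point itself and logout.
    private static final Set<String> PUBLIC_ACTIONS =
            new HashSet<String>(Arrays.asList("login", "logout"));

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        String actionName = invocation.getProxy().getActionName();
        if (PUBLIC_ACTIONS.contains(actionName)) {
            return invocation.invoke();
        }
        // The session map the answer refers to; null when no HTTP session exists yet.
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        if (session == null || session.get(USER_SESSION_KEY) == null) {
            // Short-circuit: the action is never executed for an anonymous user.
            return LOGIN_RESULT;
        }
        return invocation.invoke();
    }
}
```

Keeping the allow-list to action names rather than URL patterns means a renamed or aliased mapping cannot accidentally bypass the check, which is the usual failure mode of URL-based exclusions.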