mixing user session data in jboss - session

if someone can help with JBoss returning data from wrong user. Our setup is JBOSS 7.1.1 with Vaadin 7.1.6 and Shiro.
Our current problem is when multiple users use our Vaadin application it frequently returning data from other users to another curently loged user,. ie it is mixing users data. We have tried reinstaling the PC, changing browsers, disabling caching..., nothing helped. We aded CDI UI addon from Vaadin but it doesnt help.
Our previous issue with similar problem
Shiro returning wrong user data
We resolved some other authentication problems with disabling push but this problem stil persist.
Any help apreciated

I have the same problem but when i got to this page my web.xml was already setup.
I´m using JBoss AS 7.1.1, JSF 2 and Shiro. A user receive data from another sessionScope ManagedBean after an ajax call.
Any help apreciated.

If enyone else has the same issue, this is what you need to add to your web.xml:
<listener>
<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
</listener>
...
<filter>
<filter-name>ShiroFilter</filter-name>
<filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>ShiroFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>

Related

Oracle Weblogic Server Client Error Message Supress or Restrict

I would like to restrict client side error message on Weblogic.
I havent found any solution on it. In that image, would like to suppress bea_fault:stacktrace part.
First of all, you have not explicitly specified which web service technology you are using. I guess that is jax-rpc.
So, i think, you can solve by following ways.
By editing web.xml, you can get response message. ExceptionHandler must be implements javax.servlet.Filter.
<filter>
<filter-name>ExceptionHandler</filter-name>
<filter-class>ExceptionHandler</filter-class>
</filter>
<filter-mapping>
<filter-name>ExceptionHandler</filter-name>
<url-pattern>*</url-pattern>
</filter-mapping>

Spring Security with PrimeFaces Dialog Framework

I have a web Project which uses Spring security and Primefaces.
I am trying to use Primefaces Dialog Framework to call any XHTML File as a dialog .. my problem is when I add this line on my web.xml:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
The dialog Box doesn't appear , if I remove the line above , the dialog box is being displayed .. but If I remove the lines above , I loose the spring security feature .. any configuration I missed?
Yes, Spring Security is blocking the frame generated by Primefaces. You can make it work by adding the following directive to Spring Security configuration
http
// ...
.headers().frameOptions().sameOrigin();
source:
http://docs.spring.io/spring-security/site/docs/current/reference/html/headers.html#headers-frame-options

Spring security and special characters

I need to log in with j_spring_security_check using special characters in the username and/or in the password via url
http://localhost:8080/appname/j_spring_security_check?j_username=username&j_password=üüü
isn't working and
http://localhost:8080/appname/j_spring_security_check?j_username=username&j_password=%c3%bc%c3%bc%c3%bc
(with "üüü" urlencoded)
isn't working either
Any suggestion? Let me know if you need to see any other configuration.
Thanks
The Java Servlet standard is lamentably poor at supporting Unicode. The default of ISO-8859-1 is useless and there is still no cross-container-compatible means of configuring it to something else.
The filter method in matteosilv's answer works for request bodies. For parameters in the URL, you have to use container-specific options. For example in Tomcat, set URIEncoding on the <Connector> in server.xml; in Glassfish it's <parameter-encoding> in glassfish-web.xml.
(If you have to work in a fully cross-container-compatible manner you end up having to write your own implementation of getParameter(), which is sad indeed. Bad Servlet.)
However in any case it is a bad idea to pass login form fields in GET URL parameters.
This is firstly because a login causes a state-change to occur, so it is not "idempotent". This makes GET an unsuitable method and causes a load of practical problems like potentially logging you in when you navigate a page, or failing to log you in due to caching, and so on.
Secondly there are a range of ways URLs can 'leak', including referrer tracking, logging, proxies and browser history retention. Consequently you should never put any sensitive data such as a password in a URL, including in GET form submissions.
I'd suggest using a POST form submission instead, together with the CharacterEncodingFilter.
Maybe an encodingFilter in the web.xml file could be helpful:
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>
org.springframework.web.filter.CharacterEncodingFilter
</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
source: Spring security: Form login special characters
The issue was actually solved for me by moving the CharacterEncodingFilter ABOVE the SpringSecurityFilterChain in web.xml.

openSessionInView implementation and LOCK

I am trying to develop an application using Spring 2.5.5 Flex/J2EE and Hibernate 3.1.3.
My problem is that when a user opens the "Customer Information" screen and then displays informations of a client in change mode, I want the record to be locked (Pessimistic or optimistic lock Lock) as appropriate. And registration remains locked until the user validates the change (commit ()) or closes the screen.
They talk on the net about long conversation (Hibernate), and openSessionInView pattern. But I have not found a clear example.
The solution is to keep the Hibernate session open until the end of entry.
then made ​​the commit or rollback.
I try to use the class: "org.springframework.orm.hibernate3.support.OpenSe ssionInViewInterceptor" but I did not succeed.
I do not know how to configure it with Spring.
I spent too much time and it becomes urgent ... Who can help me??
Thank you in advance.
OpenSessionInViewInterceptor has to be configured in your web.xml
Sample below:
<filter>
<filter-name>openSessionInViewFilter</filter-name>
<filter-class>
org.springframework.orm.hibernate3.support.OpenSessionInViewFilter
</filter-class>
<init-param>
<param-name>sessionFactoryBeanName</param-name>
<param-value>sessionFactory</param-value> <!-- This is the default value, in case you have given different name please specify the same. -->
</init-param>
</filter>
Also check the documentation for subtle issues.

Vaadin configuration with BIRT

I'm useing Vaadin and BIRT reporting in my project.I have problem with accessing report with Vaadin,I think its related to my web.xml configuration.Can anyone help me to get out from this problem??
< /servlet-mapping>
<servlet-name>VaadinApplicationServlet</servlet-name>
<url-pattern>/VAADIN/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>VaadinApplicationServlet</servlet-name>
<url-pattern>/MyProject/*</url-pattern>
</servlet-mapping>
If i put url pattern like this.it shows index.jsp page as first page.
< /servlet-mapping>
<servlet-name>VaadinApplicationServlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
If I configure the url pattern as "/*" it works fine and load the vaadin UI
but the problem is if I put 2nd configuration I can not load the report to browser,It always redirect to my current vaadin UI page (When I click the button to load the report)
If put first configuration I can access report directly ,But It does not load the vaadin UI.
Can any one help me to solve this problem??
Thank you.
Cheers
The first configuration should be ok, but you have to access your application differently:
Try
http://localhost:8080/[display-name]/MyProject
You should find the display-name right above the first context-param
<display-name>IamTheDisplayName</display-name>
<context-param>
<description>Vaadin production mode</description>
<param-name>productionMode</param-name>
<param-value>false</param-value>
</context-param>

Resources