[ https://issues.apache.org/jira/browse/ROL-1992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13936349#comment-13936349 ]

Glen Mazza edited comment on ROL-1992 at 3/16/14 12:16 AM:
-----------------------------------------------------------

Appears to be the same problem as in ROL-1956 -- this is a multipart/form-data JSP 
and for some reason the Salt values aren't being sent as a result.  The error 
message from the Tomcat localhost*.log is as follows:

SEVERE: Servlet.service() for servlet [default] in context with path [/roller] threw exception [Security Violation] with root cause
javax.servlet.ServletException: Security Violation
        at org.apache.roller.weblogger.ui.core.filters.ValidateSaltFilter.doFilter(ValidateSaltFilter.java:57)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.roller.weblogger.ui.core.filters.LoadSaltFilter.doFilter(LoadSaltFilter.java:47)

Code in question in ValidateSaltFilter:
        // TODO multipart/form-data does not send parameters
        // (getParameter() does not parse a multipart/form-data body, so salt is null here)
        if (httpReq.getMethod().equals("POST") &&
                !isIgnoredURL(((HttpServletRequest) request).getServletPath())) {
            String salt = httpReq.getParameter("salt");
            SaltCache saltCache = SaltCache.getInstance();
            // missing, unknown or already-used salt -> reject the request
            if (salt == null || saltCache.get(salt) == null
                    || saltCache.get(salt).equals(false)) {
                throw new ServletException("Security Violation");
            }
        }

> Blogroll OPML import page raising 500 Security Error
> ----------------------------------------------------
>
>                 Key: ROL-1992
>                 URL: https://issues.apache.org/jira/browse/ROL-1992
>             Project: Apache Roller
>          Issue Type: Bug
>          Components: User Interface - General
>    Affects Versions: 5.1
>            Reporter: Glen Mazza
>            Assignee: Roller Unassigned
>
> For some reason, the Bookmark OPML import page continually raises a 500 
> security violation error whether I select "import" or even "cancel".  The 
> other two options on the blogroll page, "Add New Folder" and "Add new 
> bookmark", have cancel buttons that work fine.  Unsure what the problem is.  The 
> security.xml doesn't seem to be treating the OPML page any differently from the 
> other two; one difference however is that BookmarksImport.jsp's s:form 
> element has method="POST" & enctype="multipart/form-data" attributes while 
> the other two omit that.
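
The ValidateSaltFilter decision from the comment above, simulated in Python as an added illustration (this is not Roller's code): the same check is run against a urlencoded body and against a multipart/form-data body like the one BookmarksImport.jsp sends. The salt value "abc123", both request bodies and the single-use cache behaviour (a salt that has passed is set to False) are constructed assumptions.

```python
"""The ValidateSaltFilter decision simulated against two kinds of POST body."""
from email import message_from_bytes
from email.policy import default
from urllib.parse import parse_qs

# Constructed sample bodies; "abc123" is a made-up salt value.
URLENCODED = b"salt=abc123&title=My+links"
MULTIPART_CT = "multipart/form-data; boundary=XYZ"
MULTIPART = (b"--XYZ\r\nContent-Disposition: form-data; name=\"salt\"\r\n\r\n"
             b"abc123\r\n--XYZ\r\nContent-Disposition: form-data; "
             b"name=\"opmlFile\"; filename=\"blogroll.opml\"\r\n"
             b"Content-Type: text/xml\r\n\r\n<opml/>\r\n--XYZ--\r\n")


def form_fields(content_type, body, parse_multipart):
    """Form fields as {name: value}. With parse_multipart=False this behaves
    like the container's getParameter(): only urlencoded bodies are parsed,
    so a multipart POST yields no "salt" at all (the failure in ROL-1992)."""
    if content_type.startswith("application/x-www-form-urlencoded"):
        return {k: v[0] for k, v in parse_qs(body.decode()).items()}
    if parse_multipart and content_type.startswith("multipart/form-data"):
        # Prepend the Content-Type header so the MIME parser can split parts.
        msg = message_from_bytes(b"Content-Type: " + content_type.encode()
                                 + b"\r\n\r\n" + body, policy=default)
        fields = {}
        for part in msg.iter_parts():
            name = part.get_param("name", header="content-disposition")
            if name is not None and part.get_filename() is None:  # skip uploads
                fields[name] = part.get_content().strip()
        return fields
    return {}


def validate_salt(content_type, body, salt_cache, parse_multipart=True):
    """Same decision as the filter. salt_cache maps an issued salt to True and
    (assumption) a salt that already passed to False, so a replay is rejected."""
    salt = form_fields(content_type, body, parse_multipart).get("salt")
    if salt is None or salt_cache.get(salt) is None or salt_cache.get(salt) is False:
        return "Security Violation"
    salt_cache[salt] = False  # single use
    return "ok"


if __name__ == "__main__":
    cache = {"abc123": True}
    print(validate_salt(MULTIPART_CT, MULTIPART, cache, parse_multipart=False))  # Security Violation
    print(validate_salt(MULTIPART_CT, MULTIPART, cache))  # ok
    print(validate_salt(MULTIPART_CT, MULTIPART, cache))  # Security Violation (replay)
```

Adding the import URL to isIgnoredURL would make the 500 go away but would also drop the salt check for that form; reading the salt out of the multipart body keeps the check in place.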



--
This message was sent by Atlassian JIRA
(v6.2#6252)
