[ https://issues.apache.org/jira/browse/MYFACES-4058?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15376042#comment-15376042 ]

Leonardo Uribe commented on MYFACES-4058:
-----------------------------------------

Yes, it is intentional to have the appContextPath in the path/urlInfo and check 
the Origin header in the same way the Referer header is done. See JSF 2.2 
section 2.2.1 in the part that talks about View Protection:

"... If the values do match, look for a Referer [sic] request header. If the 
header is present, use the protected view API to determine if any of the 
declared protected views match the value of the Referer header. If so, conclude 
that the previously visited page is also a protected view and it is therefore 
safe to continue. Otherwise, try to determine if the value of the Referer 
header corresponds to any of the views in the current web application. If not, 
throw a ProtectedViewException. If the Origin header is present, additionally 
perform the same steps as with the Referer header. ..."

I think it is possible to modify this behavior by adding some custom web config 
param, but before that we need a strong justification about a valid use case. 
Could you please describe the case you have a bit more? Which browser are you 
using? From where is the request triggered? Another app in the same server 
maybe?

 

> ProtectedViewException for a protectedview access while checking the 
> OriginHeader for appContextPath
> ----------------------------------------------------------------------------------------------------
>
>                 Key: MYFACES-4058
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4058
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General
>    Affects Versions: 2.2.6
>         Environment: Windows, JSF 2.2
>            Reporter: Dinesh Kumar A S
>
> Getting ProtectedViewException while accessing a protectedview/xhtml, while 
> checking the OriginHeader for appContextPath.
> SO reference: 
> http://stackoverflow.com/questions/38308431/jsf-2-2-protectedviewexception-due-to-origin-header-and-appcontextpath-mismatch
> Any help is much appreciated.
> Is the "Origin" request-header supposed to have the appContextPath in 
> the path/urlInfo?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
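
The Referer steps quoted from JSF 2.2 section 2.2.1 in the comment above, applied unchanged to an Origin value, as an added example that is not MyFaces code and not part of the original message. It assumes a simplified rule (a header value belongs to the application when its path starts with the context path); the class name, context path, view id and header values are constructed. An Origin header serializes only scheme, host and port (RFC 6454), so its path is empty.

```java
import java.net.URI;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Added illustration, not MyFaces code. Simplified assumption: a header value
// "corresponds to a view in the current web application" when its path starts
// with the application's context path.
public class ViewProtectionHeaderCheck {

    // Constructed sample configuration.
    static final String CONTEXT_PATH = "/myapp";
    static final Set<String> PROTECTED_VIEWS = Set.of("/secure/transfer.xhtml");

    enum Result { PROTECTED_VIEW, APP_VIEW, REJECTED }

    // Runs the same steps for any header value (Referer or Origin).
    static Result check(String headerValue) {
        String path;
        try {
            path = URI.create(headerValue).getPath();
        } catch (IllegalArgumentException e) {
            return Result.REJECTED; // unparsable value
        }
        if (path == null || !path.startsWith(CONTEXT_PATH + "/")) {
            // The spec text says to throw ProtectedViewException here.
            return Result.REJECTED;
        }
        String viewId = path.substring(CONTEXT_PATH.length());
        return PROTECTED_VIEWS.contains(viewId) ? Result.PROTECTED_VIEW : Result.APP_VIEW;
    }

    public static void main(String[] args) {
        // Constructed header values for one navigation inside the same application.
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Referer (protected view)", "https://app.example.com:8443/myapp/secure/transfer.xhtml");
        headers.put("Referer (other app view)", "https://app.example.com:8443/myapp/index.xhtml");
        headers.put("Referer (other site)", "https://other.example.net/page.html");
        headers.put("Origin (same host)", "https://app.example.com:8443");
        headers.put("Origin (opaque)", "null");
        headers.forEach((name, value) ->
            System.out.println(name + " = " + value + " -> " + check(value)));
    }
}
```

The same-host Origin value is rejected because its path is empty, which is the mismatch with appContextPath that the issue reports.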
