[ https://issues.apache.org/jira/browse/MYFACES-4058?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15379372#comment-15379372 ]

Dinesh Kumar A S commented on MYFACES-4058:
-------------------------------------------

Hi Leo, thanks for the response.

I am using Chrome, and this happens in IE too.

In my application, we have different web applications running, and for all
those web apps we are setting the Origin header as http://domain:port, and
when a user enters one of the web-application scopes, a Referer of
http://domain:port/app1/somefile , http://domain:port/app1/someprotectedfile
is set.

The problem occurs when we make someprotectedfile a protected view, when the
Referer is sent as http://domain:port/app1/somefile and the Origin header as
http://domain:port.
In this case the Referer check passes but the Origin check does not, since
the app1 contextPath is not found in the Origin header.

I am wondering how it could be handled without setting Origin as
http://domain:port/app1/ .

For the question "another app in the same server maybe?"
--> Yes, I think so; we have many web applications hosted in the same domain,
having different contextPaths. Origin will be just the domain for all apps.


> ProtectedViewException for a protectedview access while checking the 
> OriginHeader for appContextPath
> ----------------------------------------------------------------------------------------------------
>
>                 Key: MYFACES-4058
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4058
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General
>    Affects Versions: 2.2.6
>         Environment: Windows, JSF 2.2
>            Reporter: Dinesh Kumar A S
>
> Getting ProtectedViewException while accessing a protectedview/xhtml, while 
> checking the OriginHeader for appContextPath..
> SO reference : 
> http://stackoverflow.com/questions/38308431/jsf-2-2-protectedviewexception-due-to-origin-header-and-appcontextpath-mismatch
> Any help is much appreciated.
> Is the "Origin" request header supposed to have the appContextPath in
> the path/urlInfo?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
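
The mismatch reported in this message, as an added example (not MyFaces code and not from the reporter): an Origin header is serialized as scheme, host and port with no path (RFC 6454), so a context path can only ever be matched against Referer. The class and method names and the port 8080 are assumptions; the page gives only "domain:port".

```java
import java.net.URI;
import java.net.URISyntaxException;

public class OriginCheckExample {

    // Fill in the default port so "http://domain" and "http://domain:80" compare equal.
    static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // Compare only scheme, host and port: the three parts an Origin header can carry.
    // A missing header, the literal "null" origin, or an unparsable value is rejected.
    static boolean sameOrigin(String header, URI app) {
        if (header == null || "null".equals(header)) return false;
        try {
            URI o = new URI(header);
            return o.getScheme() != null && o.getHost() != null
                && o.getScheme().equalsIgnoreCase(app.getScheme())
                && o.getHost().equalsIgnoreCase(app.getHost())
                && effectivePort(o) == effectivePort(app);
        } catch (URISyntaxException e) {
            return false;
        }
    }

    // Referer is a full URL, so this is where a context-path comparison belongs.
    // The path is normalized first so "/app1/../app2/x" is not accepted for "/app1".
    static boolean refererInContext(String header, URI app, String contextPath) {
        if (!sameOrigin(header, app)) return false;
        String path = URI.create(header).normalize().getPath();
        return path != null
            && (path.equals(contextPath) || path.startsWith(contextPath + "/"));
    }

    public static void main(String[] args) {
        URI app = URI.create("http://domain:8080");          // constructed sample value
        String origin = "http://domain:8080";                // what the browser sends
        String referer = "http://domain:8080/app1/somefile"; // path is present here only

        System.out.println("context path in Origin: " + origin.contains("/app1"));
        System.out.println("origin tuple matches:   " + sameOrigin(origin, app));
        System.out.println("referer inside /app1:   " + refererInContext(referer, app, "/app1"));
        System.out.println("referer from /app2:     "
            + refererInContext("http://domain:8080/app2/x", app, "/app1"));
    }
}
```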
