[ https://issues.jboss.org/browse/RF-13098?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12797214#comment-12797214 ]

Brian Leathem commented on RF-13098:
------------------------------------

I discussed the consequences of whitelisting 
org.jboss.weld.bean.proxy.util.SerializableClientProxy with [~pmuir] on IRC, 
where he pointed out:
{quote}
[CDI] won't deserialize *arbitrary* classes, only classes that are beans 
because the SerializableClientProxy can only look up a bean in CDI so the class 
must be a CDI bean
{quote}

Bean classes that are allowable for deserialisation by CDI are classes 
that exist in a jar with a beans.xml marker.  This excludes classes from 
arbitrary 3rd party libraries (unless they in turn have a beans.xml marker file 
present).

We will further investigate if we can discover the proxied class for the 
serialized bean data, but in the meantime adding the SerializableClientProxy 
class to the resource-serialization.properties should be considered a viable 
workaround.  Just be sure to make sure you don't have any vulnerable classes in 
your CDI-enabled jars.
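The mechanism this comment and the stack trace below turn on is an `ObjectInputStream` whose `resolveClass()` override consults an allow-list before the JVM instantiates anything. The following is an added, self-contained illustration written for this page; it is not RichFaces' `LookAheadObjectInputStream`, not Weld code, and the one-name-per-line allow-list format it parses is constructed for the example (check the project's own `resource-serialization.properties` for the real format). The `Sample` class stands in for a CDI bean such as `MediaData`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.HashSet;
import java.util.Set;

/**
 * Illustrative allow-list ObjectInputStream (example code, not RichFaces' own class).
 * resolveClass() is consulted for every non-proxy class descriptor before any object of
 * that class exists, so a class missing from the allow-list is rejected before its
 * readObject() or any constructor could run.
 */
public class AllowListObjectInputStream extends ObjectInputStream {

    private final Set<String> allowed;

    public AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Note: array descriptors such as "[B" also arrive here, so a real allow-list must
        // also name the array and wrapper types the application legitimately serializes.
        if (!allowed.contains(name)) {
            // Same exception type the RichFaces log below reports for a rejected class.
            throw new InvalidClassException("Unauthorized deserialization attempt", name);
        }
        return super.resolveClass(desc);
    }

    /** Parse an allow-list: one fully qualified class name per line, '#' starts a comment.
     *  Constructed format for this example, not the RichFaces properties format. */
    public static Set<String> parseAllowList(String text) {
        Set<String> names = new HashSet<>();
        for (String line : text.split("\n")) {
            String trimmed = line.trim();
            if (!trimmed.isEmpty() && !trimmed.startsWith("#")) {
                names.add(trimmed);
            }
        }
        return names;
    }

    /** Sample payload standing in for a CDI bean such as MediaData (constructed). */
    public static class Sample implements Serializable {
        private static final long serialVersionUID = 1L;
        final String mimeType;
        Sample(String mimeType) { this.mimeType = mimeType; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (AllowListObjectInputStream in =
                 new AllowListObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = serialize(new Sample("image/jpeg"));

        // Allow-list that names the payload class: deserialization succeeds.
        Set<String> permissive = parseAllowList(
            "# constructed allow-list\n" + Sample.class.getName() + "\n");
        Sample ok = (Sample) deserialize(bytes, permissive);
        System.out.println("allowed: " + ok.mimeType);

        // Allow-list that omits it: rejected in resolveClass(), before any instance is built.
        try {
            deserialize(bytes, parseAllowList("java.lang.String\n"));
            System.out.println("unexpected: payload was not rejected");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
        }
    }
}
```

Run with `javac AllowListObjectInputStream.java && java AllowListObjectInputStream`. The second case is the situation in the stack trace below: the descriptor for the Weld proxy class reaches `resolveClass()`, is not on the list, and the stream aborts with `InvalidClassException` before any proxy object is created. The comment's point is that adding that one proxy class to the list only admits an object whose contents are then resolved through the CDI container, which is why the residual risk is confined to the bean classes in `beans.xml`-marked jars.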
                
> Regression: mediaOutput broken for CDI MediaData beans
> ------------------------------------------------------
>
>                 Key: RF-13098
>                 URL: https://issues.jboss.org/browse/RF-13098
>             Project: RichFaces
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: component-a4j-core
>    Affects Versions: 4.3.3
>            Reporter: Marek Schmidt
>            Assignee: Brian Leathem
>              Labels: regression
>             Fix For: 4.3.4
>
>   Original Estimate: 1 hour
>  Remaining Estimate: 1 hour
>
> https://issues.jboss.org/browse/RF-13089 introduced a regression for 
> a4j:mediaOutput component
> Having a 
> {code}
> <a4j:mediaOutput element="img" cacheable="true" session="true" 
> createContent="#{mediaBean.paint}" value="#{mediaData}" 
> mimeType="image/jpeg"/>
> {code}
> with mediaData being a CDI bean, e.g.
> {code}
> @javax.inject.Named("mediaData")
> @javax.enterprise.context.RequestScoped
> public class MediaData implements Serializable
> {code}
> the following exception occurs:
> {code}
> 10:39:27,997 SEVERE [org.richfaces.log.Resource] (http-/127.0.0.1:8080-1) Input error for deserialize data : java.io.InvalidClassException: Unauthorized deserialization attempt; org.jboss.weld.bean.proxy.util.SerializableClientProxy
>         at org.richfaces.util.LookAheadObjectInputStream.resolveClass(LookAheadObjectInputStream.java:93) [richfaces-core-impl-4.3.3.Final.jar:4.3.3.Final]
>         at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1610) [rt.jar:1.7.0_25]
>         at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1515) [rt.jar:1.7.0_25]
>         at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1769) [rt.jar:1.7.0_25]
>         at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1348) [rt.jar:1.7.0_25]
>         at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1989) [rt.jar:1.7.0_25]
>         at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1913) [rt.jar:1.7.0_25]
>         at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1796) [rt.jar:1.7.0_25]
>         at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1348) [rt.jar:1.7.0_25]
>         at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1704) [rt.jar:1.7.0_25]
>         at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1342) [rt.jar:1.7.0_25]
>         at java.io.ObjectInputStream.readObject(ObjectInputStream.java:370) [rt.jar:1.7.0_25]
>         at org.richfaces.util.Util.decodeObjectData(Util.java:237) [richfaces-core-impl-4.3.3.Final.jar:4.3.3.Final]
>         at org.richfaces.resource.DefaultCodecResourceRequestData.getData(DefaultCodecResourceRequestData.java:97) [richfaces-core-impl-4.3.3.Final.jar:4.3.3.Final]
>         at org.richfaces.resource.ResourceFactoryImpl.createResource(ResourceFactoryImpl.java:337) [richfaces-core-impl-4.3.3.Final.jar:4.3.3.Final]
>         at org.richfaces.resource.ResourceHandlerImpl.handleResourceRequest(ResourceHandlerImpl.java:156) [richfaces-core-impl-4.3.3.Final.jar:4.3.3.Final]
>         at javax.faces.webapp.FacesServlet.service(FacesServlet.java:591) [jboss-jsf-api_2.1_spec-2.1.19.1.Final-redhat-1.jar:2.1.19.1.Final-redhat-1]
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
>         at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
>         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
>         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
>         at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.0.Final-redhat-1.jar:7.2.0.Final-redhat-1]
>         at java.lang.Thread.run(Thread.java:724) [rt.jar:1.7.0_25]
> {code}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
_______________________________________________
richfaces-issues mailing list
https://lists.jboss.org/mailman/listinfo/richfaces-issues