[ 
https://issues.apache.org/jira/browse/MYFACES-3538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13638528#comment-13638528
 ] 

Leonardo Uribe commented on MYFACES-3538:
-----------------------------------------

The spec specifies in an explicit way the override of the service() method. In 
JSF 2.2 the following clarification was added (see FacesServlet javadoc):

"... Allowable HTTP Methods

The JSF specification only requires the use of the GET and POST http methods. 
If your web application does not require any other http methods, such as PUT 
and DELETE, please consider restricting the allowable http methods using the 
<http-method> and <http-method-omission> elements. Please see the Security of 
the Java Servlet Specification for more information the use of these elements. 
..."

I understand the justification for the change proposed, but we cannot change 
that part in that way without breaking the spec. 

Instead, the idea could be to introduce a MyFaces-specific web config parameter 
to restrict the valid methods. In Mojarra's case there is a param called 
com.sun.faces.allowedHttpMethods, maybe we can do something similar.
                
> Bogus implementation of the HTTP OPTIONS method
> -----------------------------------------------
>
>                 Key: MYFACES-3538
>                 URL: https://issues.apache.org/jira/browse/MYFACES-3538
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: JSR-314
>    Affects Versions: 2.1.7
>            Reporter: Mark Struberg
>         Attachments: JIRA-MYFACES-3538.patch
>
>
> My colleague Christoph Ledl found the following issue in MyFaces:
> ----
> Wrong implementation of the OPTIONS method
> FacesServlet does not handle OPTIONS (and possibly other methods) correctly.
> It looks like these requests are processed like a GET, which is wrong.
> The implementation of FacesServlet.service() does not deal with methods.
> One cheap fix would be to send 405 (SC_METHOD_NOT_ALLOWED) for all 
> unsupported methods like TRACE and OPTIONS.
> Another approach would be to extend HttpServlet (instead of implementing Servlet)
> and implement only required methods like GET and POST (this would leave the 
> other methods to the default implementation).
> Citation of HttpServlet javadoc:
> There's almost no reason to override the "service" method.
> Likewise, there's almost no reason to override the "doOptions" and "doTrace" 
> methods.
> ---
> This materializes in the following Exception:
> Feb 28 17:48:13 j04 [http-8080-exec-14]   ERROR log.LogFilter j04 0 
> 43396625FA6E47DF1C03B12B60BF request done OPTIONS 
> /events/ical.xhtml?locale=de&token=488d-1-b7da-f29fcf074 time=749.16ms 
> cpu=610ms ex=IllegalStateException msg=null 
> UA=Microsoft-WebDAV-MiniRedir/6.1.7601
> Feb 28 17:48:13 j04 [http-8080-exec-14]   INFO  log.LogFilter params: 
> token=48b0368d-b7da-f2974 locale=de
> Feb 28 17:48:13 j04 [http-8080-exec-14]   ERROR [/events].[Faces Servlet] 
> Servlet.service() for servlet Faces Servlet threw exception
> Feb 28 17:48:13 j04 java.lang.IllegalStateException
> Feb 28 17:48:13 j04      at 
> org.apache.catalina.connector.ResponseFacade.sendRedirect(ResponseFacade.java:435)
> Feb 28 17:48:13 j04      at 
> org.apache.myfaces.context.servlet.ServletExternalContextImpl.redirect(ServletExternalContextImpl.java:465)
> Feb 28 17:48:13 j04      at 
> org.apache.myfaces.extensions.cdi.jsf.impl.scope.conversation.DefaultWindowHandler.sendRedirect(DefaultWindowHandler.java:104)
> Feb 28 17:48:13 j04      at 
> sun.reflect.GeneratedMethodAccessor1600.invoke(Unknown Source)
> Feb 28 17:48:13 j04      at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> Feb 28 17:48:13 j04      at java.lang.reflect.Method.invoke(Method.java:597)
> Feb 28 17:48:13 j04      at 
> org.apache.webbeans.intercept.InterceptorHandler.invoke(InterceptorHandler.java:329)
> Feb 28 17:48:13 j04      at 
> org.apache.webbeans.intercept.NormalScopedBeanInterceptorHandler.invoke(NormalScopedBeanInterceptorHandler.java:122)
> Most times this method gets used by mobile browsers in smartphones. 
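
The "cheap fix" from the report (405 for unsupported methods) combined with the configurable allow-list suggested in the comment, as an added example that is not MyFaces or Mojarra code: a servlet filter placed in front of the Faces Servlet. The class name and the `allowedHttpMethods` init-param are hypothetical, and the `javax.servlet` API is assumed.

```java
import java.io.IOException;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example: rejects HTTP methods outside an allow-list before FacesServlet.service() runs. */
public class AllowedHttpMethodsFilter implements Filter {
    // Hypothetical init-param name, chosen for this example only.
    static final String PARAM = "allowedHttpMethods";

    private final Set<String> allowed = new LinkedHashSet<>();
    private String allowHeader;

    @Override
    public void init(FilterConfig config) {
        String value = config.getInitParameter(PARAM);
        // Default to the two methods the JSF specification requires.
        if (value == null || value.trim().isEmpty()) value = "GET POST";
        for (String m : value.trim().split("[\\s,]+")) {
            allowed.add(m.toUpperCase(Locale.ROOT));
        }
        allowHeader = String.join(", ", allowed);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            String method = ((HttpServletRequest) req).getMethod();
            if (!allowed.contains(method)) {
                // OPTIONS, TRACE, PUT, ... never reach the JSF lifecycle.
                HttpServletResponse http = (HttpServletResponse) res;
                http.setHeader("Allow", allowHeader);
                http.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Register the filter in web.xml with a `<filter-mapping>` whose `<servlet-name>` is the Faces Servlet, so it runs ahead of any other filter or handler that would treat the request like a GET.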
