<部分响应>在WildFly中在安全约束下进行Ajax重定向后,XML以纯文本形式显示 [英] <partial-response> XML shown as plain text after ajax redirect on security constraint in WildFly
问题描述
在安全性约束下,我遇到了Ajax重定向这个奇怪的问题:
I've got this weird problem with ajax redirect on a security constraint:
在我的会话超时后,在角色保护页面上进行ajax调用(通过单击可排序的p:dataTable
列或单击p:poll
触发)时,OmniFaces中的<partial-response><redirect-url=...
XML会显示在屏幕.
When an ajax call is made (by clicking on a sortable p:dataTable
column or when a p:poll
triggers) on a role-secured page after my session timed out, a <partial-response><redirect-url=...
XML from OmniFaces is shown on the screen.
当我删除OmniFaces时,ajax调用似乎无声地失败,并且我没有得到显示的XML.
When I remove OmniFaces, the ajax calls seem to fail silently and I don't get the XML shown.
安全性在web.xml中配置如下:
Security is configured as following in web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Pages</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Resources</web-resource-name>
<url-pattern>/javax.faces.resource/*</url-pattern>
</web-resource-collection>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>myRealm</realm-name>
<form-login-config>
<form-login-page>/login.xhtml</form-login-page>
<form-error-page>/login.xhtml?error=true</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>user</role-name>
</security-role>
推荐答案
我复制了它.这是WildFly本身的一个奇怪的怪癖/错误.
I reproduced it. This is a strange quirk/bug in WildFly itself.
这是怎么回事?
默认情况下,如果没有OmniFaces,则在会话过期时在受限页面上触发请求时,服务器默认会返回由<form-login-page>
标识的整个HTML页面作为响应,而不管请求的来源.对于JSF ajax请求,这显然失败了,因为负责处理ajax请求的JavaScript不能将整个HTML页面作为响应处理,因为它期望特殊的XML响应.用户没有任何形式的反馈.这是因为OmniFaces 1.2已在其OmniPartialViewContext
中修复,并由以下相关问题触发:
By default, without OmniFaces, when a request is fired on a constrained page while the session is expired, the server by default returns the entire HTML page identified by <form-login-page>
as response, regardless of the source of the request. This obviously fails with JSF ajax requests as the JavaScript responsible for processing ajax requests couldn't deal with a whole HTML page as response where it expected a special XML response. The user is left with no form of feedback. This is since OmniFaces 1.2 fixed in its OmniPartialViewContext
, triggered by this related question: ViewExpiredException not thrown on ajax request if JSF page is protected by j_security_check.
使用OmniFaces,将以<partial-response><redirect url="originalURL">
的形式而不是整个登录页面返回特殊的JSF ajax重定向响应,并且再次触发安全性约束,但这一次是使用真正的同步请求而不是JSF ajax请求.当服务器返回整个<form-login-page>
时,它将以这种方式正常工作.
With OmniFaces, a special JSF ajax redirect response in form of <partial-response><redirect url="originalURL">
is returned instead of the entire login page, and the security constraint is triggered once again, but this time with a real synchronous request instead of an JSF ajax request. When the server returns the entire <form-login-page>
, it would work just fine this way.
WildFly(截至目前仅测试10.0.0)似乎在会话中缓存了第一个安全约束命中的整个<form-login-page>
响应(而预期仅缓存关联的请求)并准确返回对受约束的请求的每次点击都会做出响应.这就是为什么您每次都会看到初始的<partial-response>
XML响应的原因.
WildFly (tested only 10.0.0 as of now), however, appears to cache the entire <form-login-page>
response of the 1st security constraint hit in the session (whereas it is expected to cache only the associated request) and return exactly that response on every hit of a constrained request. That's why you see the initial <partial-response>
XML response every time.
根据此提交,我通过再次明确使会话无效来绕过它在OmniPartialViewContext
中生成ajax重定向之前.该修补程序在OmniFaces 2.3中可用.
As per this commit I have bypassed it by explicitly invalidating the session once again before generating the ajax redirect in OmniPartialViewContext
. The fix is available in OmniFaces 2.3.
这篇关于<部分响应>在WildFly中在安全约束下进行Ajax重定向后,XML以纯文本形式显示的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!