Error using JSF protected views when opening a new tab


Problem description

I've set up my web application to protect against CSRF by listing individual pages in faces-config, protected-views.

This works well when running locally, but after deploying to the server I eventually get these errors when opening a page link:

javax.faces.application.ProtectedViewException: JSF1099: Referer [sic] header value http://[redacted]/finance/commitmentregister/search.xhtml?javax.faces.Token=1534344211116 does not appear to be a protected view. Preventing display of viewId /finance/commitmentregister/view.xhtml
at com.sun.faces.lifecycle.RestoreViewPhase.maybeTakeProtectedViewAction(Unknown Source)
at com.sun.faces.lifecycle.RestoreViewPhase.execute(Unknown Source)
at com.sun.faces.lifecycle.Phase.doPhase(Unknown Source)
at com.sun.faces.lifecycle.RestoreViewPhase.doPhase(Unknown Source)
at com.sun.faces.lifecycle.LifecycleImpl.execute(Unknown Source)

We are running Apache Tomcat 7 locally and on the test server.

Edit:

I've noticed that the url generated on the link looks like this:

http://.../page.xhtml?token=123&p=4

Where token is the CSRF javax.faces.Token and p is a url parameter sent.

The error message shows the url with the token but without p. Like it's expecting the url with the token to be the protected page url listed in the faces-config.

That is, faces-config has:

<protected-views>
  <url-pattern>/page.xhtml</url-pattern>
</protected-views>

But it is expecting page.xhtml?token=123

Further edit:

We just noticed that this error happens only when the page is opened in a new tab. With links generated with a target="_blank" attribute. Copying the url into the clipboard and pasting it in a new tab address bar loads the page correctly.

Recommended answer

Adding this to the links fixes it:

rel="noopener noreferrer"
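
The fix from the answer applied to a Facelets link, as an added example that is not part of the original post. The `h:link` markup, the link text and the value of `p` are assumptions; the view ids and the parameter name are taken from the question.

```xml
<!-- Added example, not from the original post. Link text and the value of p
     are constructed; view ids and the parameter name come from the question. -->
<ui:composition xmlns="http://www.w3.org/1999/xhtml"
                xmlns:ui="http://xmlns.jcp.org/jsf/facelets"
                xmlns:h="http://xmlns.jcp.org/jsf/html"
                xmlns:f="http://xmlns.jcp.org/jsf/core">

  <!-- Before: opened in a new tab, the request for view.xhtml carries a
       Referer header naming search.xhtml, which is what JSF1099 reports. -->
  <h:link value="View commitment" target="_blank"
          outcome="/finance/commitmentregister/view">
    <f:param name="p" value="4"/>
  </h:link>

  <!-- After: noreferrer makes the browser omit the Referer header for this
       navigation; noopener leaves the new tab without a window.opener handle
       to this page. h:link still appends javax.faces.Token to the URL of a
       protected view, so the token is still sent. -->
  <h:link value="View commitment" target="_blank" rel="noopener noreferrer"
          outcome="/finance/commitmentregister/view">
    <f:param name="p" value="4"/>
  </h:link>

</ui:composition>
```

With the header omitted, the request reaches the server in the same shape as the pasted-URL case in the question, which loads correctly.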
