Bug 1026999

Summary: [GSS] (6.1.1 patch) JAVASERVERFACES-2902 - Flash cookie doesn't get proper path for applications on root
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: ivassile
Component: JSF
Assignee: Marek Schmidt <maschmid>
Status: CLOSED CURRENTRELEASE
QA Contact: Tomas Remes <tremes>
Severity: medium
Docs Contact: Russell Dickenson <rdickens>
Priority: medium
Version: 6.1.1
CC: cobrien, ivassile, jawilson, ppitonak, ssilvert, yyang
Target Milestone: ---   
Target Release: One-off release   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
PATCH NAME: BZ-1026999
PRODUCT NAME: JBoss Enterprise Application Platform (EAP)
VERSION: 6.1.1
SHORT DESCRIPTION: Flash cookie doesn't get proper path for applications on root.
LONG DESCRIPTION: See JAVASERVERFACES-2902 (https://java.net/jira/browse/JAVASERVERFACES-2902)
MANUAL INSTALL INSTRUCTIONS:
1. Unzip BZ-1026999.zip
2. Copy jboss-jsf-api_2.1_spec-2.1.26.Final-redhat-1.jar (located in jboss-jsf-api folder) to $JBOSS_HOME/modules/system/layers/base/javax/faces/api/main
3. Copy module.xml (located in jboss-jsf-api folder) to $JBOSS_HOME/modules/system/layers/base/javax/faces/api/main so that the new JAR is utilized.
4. Copy jsf-impl-2.1.26-redhat-1.jar (located in jsf-impl folder) to $JBOSS_HOME/modules/system/layers/base/com/sun/jsf-impl/main
5. Copy module.xml (located in jsf-impl folder) to $JBOSS_HOME/modules/system/layers/base/com/sun/jsf-impl/main so that the new JAR is utilized.
COMPATIBILITY: N/A
DEPENDENCIES: N/A
SUPERSEDES: N/A
SUPERSEDED BY: N/A
CREATOR: Ilia Vassilev
DATE: November 11, 2013
Story Points: ---
Clone Of:
: 1027367 (view as bug list) Environment:
Last Closed: 2013-11-20 17:45:19 UTC
Type: Support Patch
Bug Depends On:    
Bug Blocks: 1027367    
Attachments:
jsf-api 2.1.26 (flags: none)
jsf-impl 2.1.26 (flags: none)
jsf-impl-2.1.26-redhat-1.jar (flags: none)
jboss-jsf-api_2.1_spec-2.1.26.Final-redhat-1.jar (flags: none)
jsf-impl-2.1.26-redhat-1.jar (flags: none)
one-off patch (flags: none)
one-off patch (flags: none)

Comment 1 Yong Yang 2013-11-06 09:36:54 UTC
Created attachment 820261
jsf-api 2.1.26

Comment 2 Yong Yang 2013-11-06 09:38:56 UTC
Created attachment 820262
jsf-impl 2.1.26

Comment 3 Yong Yang 2013-11-11 06:32:03 UTC
Created attachment 822295
jsf-impl-2.1.26-redhat-1.jar

Comment 4 Yong Yang 2013-11-11 06:34:25 UTC
Created attachment 822296
jboss-jsf-api_2.1_spec-2.1.26.Final-redhat-1.jar

Comment 5 Yong Yang 2013-11-11 06:54:40 UTC
Created attachment 822302
jsf-impl-2.1.26-redhat-1.jar

Comment 6 ivassile 2013-11-11 18:03:47 UTC
Created attachment 822524
one-off patch

Comment 7 ivassile 2013-11-11 18:05:17 UTC
@QA: Please verify the patch.

Comment 8 Tomas Remes 2013-11-12 12:13:03 UTC
This is basically a mix of two issues, where this issue is a superset problem to https://bugzilla.redhat.com/show_bug.cgi?id=1017242. This issue (Bug 1026999, also https://java.net/jira/browse/JAVASERVERFACES-2136) is not reproducible in EAP 6.1.1 and, as I've read (and understood) the related customer case, they were in fact asking for a fix of https://java.net/jira/browse/JAVASERVERFACES-2902, which is equal to bz1017242.

So this patch should IMO be updated to reflect the bz1017242 issue. The next thing is that another patch should be opened/prepared for EAP 6.2.0, which still has JSF version 2.1.19.

Comment 9 ivassile 2013-11-12 13:56:51 UTC
@Tomas: You are right. Since the customer originally requested a fix for https://java.net/jira/browse/JAVASERVERFACES-2136, I incorrectly named this one-off BZ and the patch description. This patch is actually fixing https://java.net/jira/browse/JAVASERVERFACES-2902.

@Marek: How do we correct this problem? I can edit this BZ to reflect https://java.net/jira/browse/JAVASERVERFACES-2902.
What should we do with the other BZ case https://bugzilla.redhat.com/show_bug.cgi?id=1027367?

Comment 11 ivassile 2013-11-13 12:41:53 UTC
Created attachment 823392
one-off patch

Comment 12 ivassile 2013-11-13 12:49:55 UTC
@Marek: Corrected the patch description to match https://java.net/jira/browse/JAVASERVERFACES-2902. 

Note: BZ-1027367 [1] is unchanged.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1027367

Comment 13 Tomas Remes 2013-11-13 13:22:32 UTC
@Stan
I would like to ask you about a few things in this new jsf-impl-2.1.26-redhat-1.jar. The first is that I am seeing the following warning when testing flash scope with redirect:

" SEVERE [javax.enterprise.resource.webcontainer.jsf.flash] (web-executor-threads - 1) JSF1094: Could not decode flash data from incoming cookie value Invalid characters in decrypted value.  Processing will continue, but the flash is unavailable for this request."

As I've debugged it, I found the problem is fired in the ELFlash class (specifically com.sun.faces.context.flash.ELFlash.PreviousNextFlashInfoManager) in the decode method, where there is this new code (compared to 2.1.19):

    try {
        urlDecodedValue = URLDecoder.decode(cookie.getValue(), "UTF-8");
    } catch (UnsupportedEncodingException uee) {
        urlDecodedValue = cookie.getValue();
    }

    value = guard.decrypt(urlDecodedValue);

Can you please explain to me what the use or purpose of this is? Because my theory is the following: do something in the application -> store the flash values in the cookie (which is properly encrypted and subsequently decrypted by the same key) -> now I restart the application and access the application again -> now there's a problem when it tries to decrypt the same cookie, but with another key -> resulting in InvalidKeyException and producing this message.

I am not really sure what this problem may cause in practice.

Comment 14 Pavol Pitonak 2013-11-13 14:05:28 UTC
RichFaces 4.3.2 (from WFK 2.3) works fine on patched EAP 6.1.1 except for the push component, which is a known issue (see bug 1001854). RichFaces 4.3.4 (from to-be-released WFK 2.4) works fine.

Comment 15 Tomas Remes 2013-11-14 14:57:17 UTC
@Ilia
Shouldn't this be in ON_QA state?

Comment 16 ivassile 2013-11-14 15:05:51 UTC
@Tomas: I've been told to flip the status to Modified when the patch is ready for QA. I think that QA should change it to ON_QA, but I may be wrong.

Comment 17 Tomas Remes 2013-11-14 15:17:31 UTC
Hmm, it looks like the process has changed a little bit, so you are right.

Comment 18 Tomas Remes 2013-11-14 15:26:56 UTC
OK, I don't consider my above comment a crucial problem, so I verified the patch:

7622d709092b68ad5d7aa20abc0748ab  jsf-impl-2.1.26-redhat-1.jar
3c883e53dda39de48a0bba267f40002e  jboss-jsf-api_2.1_spec-2.1.26.Final-redhat-1.jar

Comment 19 ivassile 2013-11-19 13:18:22 UTC
@Tomas: Thanks for verifying the patch. Do you know when the patch will be available on Customer Portal?

Comment 20 Tomas Remes 2013-11-19 13:31:25 UTC
@Ilia: Sorry, I forgot to promote the patch, so hopefully ASAP.