Bug 1026999 - [GSS] (6.1.1 patch) JAVASERVERFACES-2902 - Flash cookie doesn't get proper path for applications on root
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: JSF
Unspecified Unspecified
medium Severity medium
: One-off release
Assigned To: Marek Schmidt
Tomas Remes
Russell Dickenson
Depends On:
Blocks: 1027367
Reported: 2013-11-05 15:44 EST by ivassile
Modified: 2014-12-10 17:22 EST
Doc Type: Bug Fix
Doc Text:
PATCH NAME: BZ-1026999
PRODUCT NAME: JBoss Enterprise Application Platform (EAP)
VERSION: 6.1.1
SHORT DESCRIPTION: Flash cookie doesn't get proper path for applications on root.
LONG DESCRIPTION: See JAVASERVERFACES-2902 (https://java.net/jira/browse/JAVASERVERFACES-2902)
MANUAL INSTALL INSTRUCTIONS:
1. Unzip BZ-1026999.zip
2. Copy jboss-jsf-api_2.1_spec-2.1.26.Final-redhat-1.jar (located in jboss-jsf-api folder) to $JBOSS_HOME/modules/system/layers/base/javax/faces/api/main
3. Copy module.xml (located in jboss-jsf-api folder) to $JBOSS_HOME/modules/system/layers/base/javax/faces/api/main so that the new JAR is utilized.
4. Copy jsf-impl-2.1.26-redhat-1.jar (located in jsf-impl folder) to $JBOSS_HOME/modules/system/layers/base/com/sun/jsf-impl/main
5. Copy module.xml (located in jsf-impl folder) to $JBOSS_HOME/modules/system/layers/base/com/sun/jsf-impl/main so that the new JAR is utilized.
COMPATIBILITY: N/A
DEPENDENCIES: N/A
SUPERSEDES: N/A
SUPERSEDED BY: N/A
CREATOR: Ilia Vassilev
DATE: November 11, 2013
Clone Of:
: 1027367 (view as bug list)
Last Closed: 2013-11-20 12:45:19 EST
Type: Support Patch

Attachments
jsf-api 2.1.26 (626.26 KB, application/x-java-archive), 2013-11-06 04:36 EST, Yong Yang
jsf-impl 2.1.26 (1.94 MB, application/x-java-archive), 2013-11-06 04:38 EST, Yong Yang
jsf-impl-2.1.26-redhat-1.jar (1.94 MB, application/x-java-archive), 2013-11-11 01:32 EST, Yong Yang
jboss-jsf-api_2.1_spec-2.1.26.Final-redhat-1.jar (669.13 KB, application/x-java-archive), 2013-11-11 01:34 EST, Yong Yang
jsf-impl-2.1.26-redhat-1.jar (1.94 MB, application/x-java-archive), 2013-11-11 01:54 EST, Yong Yang
one-off patch (2.39 MB, patch), 2013-11-11 13:03 EST, ivassile
one-off patch (2.39 MB, application/zip), 2013-11-13 07:41 EST, ivassile

Comment 1 Yong Yang 2013-11-06 04:36:54 EST
Created attachment 820261
jsf-api 2.1.26
Comment 2 Yong Yang 2013-11-06 04:38:56 EST
Created attachment 820262
jsf-impl 2.1.26
Comment 3 Yong Yang 2013-11-11 01:32:03 EST
Created attachment 822295
Comment 4 Yong Yang 2013-11-11 01:34:25 EST
Created attachment 822296
Comment 5 Yong Yang 2013-11-11 01:54:40 EST
Created attachment 822302
Comment 6 ivassile 2013-11-11 13:03:47 EST
Created attachment 822524
one-off patch
Comment 7 ivassile 2013-11-11 13:05:17 EST
@QA: Please verify the patch.
Comment 8 Tomas Remes 2013-11-12 07:13:03 EST
This is basically a mix of two issues, where this issue is a superset problem of https://bugzilla.redhat.com/show_bug.cgi?id=1017242. This issue (Bug 1026999, also https://java.net/jira/browse/JAVASERVERFACES-2136) is not reproducible in EAP 6.1.1 and, as I've read (and understood) the related customer case, in fact they were asking for a fix of https://java.net/jira/browse/JAVASERVERFACES-2902, which is equal to bz1017242.

So this patch should IMO be updated to reflect the bz1017242 issue. The next thing is that another patch should be opened/prepared for EAP 6.2.0, where the jsf version is still 2.1.19.
Comment 9 ivassile 2013-11-12 08:56:51 EST
@Tomas: You are right. Since the customer originally requested a fix for https://java.net/jira/browse/JAVASERVERFACES-2136, I incorrectly named this one-off BZ and the patch description. This patch is actually fixing https://java.net/jira/browse/JAVASERVERFACES-2902.

@Marek: How can we correct this problem? I can edit this BZ to reflect https://java.net/jira/browse/JAVASERVERFACES-2902.
What should we do with the other BZ case https://bugzilla.redhat.com/show_bug.cgi?id=1027367?
Comment 11 ivassile 2013-11-13 07:41:53 EST
Created attachment 823392
one-off patch
Comment 12 ivassile 2013-11-13 07:49:55 EST
@Marek: Corrected the patch description to match https://java.net/jira/browse/JAVASERVERFACES-2902. 

Note: BZ-1027367 [1] is unchanged.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1027367
Comment 13 Tomas Remes 2013-11-13 08:22:32 EST
I would like to ask you about a few things in this new jsf-impl-2.1.26-redhat-1.jar. The first is that I am seeing the following warning when testing flash scope with redirect:

" SEVERE [javax.enterprise.resource.webcontainer.jsf.flash] (web-executor-threads - 1) JSF1094: Could not decode flash data from incoming cookie value Invalid characters in decrypted value.  Processing will continue, but the flash is unavailable for this request."

As I've debugged it, I discovered the problem is fired in the ELFlash class (specifically com.sun.faces.context.flash.ELFlash.PreviousNextFlashInfoManager) in the method decode, where there is this new code (compared to 2.1.19):

    try {
        urlDecodedValue = URLDecoder.decode(cookie.getValue(), "UTF-8");
    } catch (UnsupportedEncodingException uee) {
        urlDecodedValue = cookie.getValue();
    }
    value = guard.decrypt(urlDecodedValue);

Can you please explain to me what the use or purpose of this is? Because my theory is the following - do something in the application -> store the flash values to the cookie (which is properly encrypted and subsequently decrypted by the same key) -> now I restart the application and access the application again -> now there's the problem when it tries to decrypt the same cookie, but with another key -> resulting in InvalidKeyException and producing this message.

I am not really sure what this problem may cause in reality.
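
The restart scenario described in comment 13, as an added Java example that is not part of the bug thread and is not Mojarra's code: FlashCookieGuardDemo is a hypothetical stand-in for the cookie guard and, as an assumption, uses AES-GCM with a key generated per instance. A cookie issued before a "restart" fails authentication under the new key (here as a GeneralSecurityException) and is treated as an unavailable flash while the request continues.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical stand-in for the flash cookie guard: one random AES key per application start.
public class FlashCookieGuardDemo {
    private final SecretKey key;
    FlashCookieGuardDemo() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        key = kg.generateKey();
    }
    // Cookie value = URL-encoded Base64(iv || ciphertext+tag).
    String encode(String flashData) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(flashData.getBytes(StandardCharsets.UTF_8));
        byte[] out = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        return URLEncoder.encode(Base64.getEncoder().encodeToString(out), "UTF-8");
    }
    // Empty result = flash unavailable for this request; request processing continues.
    Optional<String> decode(String cookieValue) throws Exception {
        try {
            byte[] in = Base64.getDecoder().decode(URLDecoder.decode(cookieValue, "UTF-8"));
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
            return Optional.of(new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return Optional.empty(); // wrong key, tampered or malformed cookie
        }
    }
    public static void main(String[] args) throws Exception {
        FlashCookieGuardDemo beforeRestart = new FlashCookieGuardDemo();
        String cookie = beforeRestart.encode("constructed-flash-payload"); // constructed sample
        System.out.println("same key: " + beforeRestart.decode(cookie).isPresent());
        FlashCookieGuardDemo afterRestart = new FlashCookieGuardDemo(); // restart: new key
        System.out.println("new key:  " + afterRestart.decode(cookie).isPresent());
    }
}
```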
Comment 14 Pavol Pitonak 2013-11-13 09:05:28 EST
RichFaces 4.3.2 (from WFK 2.3) works fine on patched EAP 6.1.1 except for the push component, which is a known issue (see bug 1001854). RichFaces 4.3.4 (from to-be-released WFK 2.4) works fine.
Comment 15 Tomas Remes 2013-11-14 09:57:17 EST
Shouldn't this be in ON_QA state?
Comment 16 ivassile 2013-11-14 10:05:51 EST
@Tomas: I've been told to flip the status to Modified when the patch is ready for QA. I think that QA should change it to ON_QA, but I may be wrong.
Comment 17 Tomas Remes 2013-11-14 10:17:31 EST
Hmm, it looks like the process has changed a little bit, so you are right.
Comment 18 Tomas Remes 2013-11-14 10:26:56 EST
OK, I don't consider my above comment a crucial problem, so I verified the patch:

7622d709092b68ad5d7aa20abc0748ab  jsf-impl-2.1.26-redhat-1.jar
3c883e53dda39de48a0bba267f40002e  jboss-jsf-api_2.1_spec-2.1.26.Final-redhat-1.jar
Comment 19 ivassile 2013-11-19 08:18:22 EST
@Tomas: Thanks for verifying the patch. Do you know when the patch will be available on Customer Portal?
Comment 20 Tomas Remes 2013-11-19 08:31:25 EST
@Ilia: Sorry, I forgot to promote the patch, so hopefully ASAP.
