Login.xhtml 提交会引发内容安全策略 javax.facse.FacesException:缺少 CSP 随机数

问题描述 投票:0回答:3

环境:

  • 野蝇22
  • JSF 2.3
  • Java 11
  • 带有 CSP 的 Primefaces 10

在 web.xml 上激活的内容安全策略引发 javax.faces.FacesException:缺少 CSP 随机数 登录网页加载良好,但当我提交表单时,我收到 Missing CSP nonce

不知道该怎么办

错误日志

23:10:09,168 SEVERE [javax.enterprise.resource.webcontainer.jsf.application] (default task-8) Error Rendering View[/login.xhtml]: javax.faces.FacesException: Missing CSP nonce
    at deployment.app.war//org.primefaces.csp.CspState.validate(CspState.java:76)
    at deployment.app.war//org.primefaces.csp.CspState.getNonce(CspState.java:58)
    at deployment.app.war//org.primefaces.csp.CspResponseWriter.listenOnEndAttribute(CspResponseWriter.java:185)
    at deployment.app.war//org.primefaces.csp.CspResponseWriter.write(CspResponseWriter.java:167)
    at java.base/java.io.Writer.write(Writer.java:290)
    at java.base/java.io.Writer.write(Writer.java:249)
    at deployment.app.war//org.primefaces.renderkit.HeadRenderer.encodeSettingScripts(HeadRenderer.java:203)
    at deployment.app.war//org.primefaces.renderkit.HeadRenderer.encodeBegin(HeadRenderer.java:137)
    at [email protected]//javax.faces.component.UIComponentBase.encodeBegin(UIComponentBase.java:540)
    at [email protected]//javax.faces.component.UIComponent.encodeAll(UIComponent.java:1644)
    at [email protected]//javax.faces.component.UIComponent.encodeAll(UIComponent.java:1650)
    at [email protected]//com.sun.faces.application.view.FaceletViewHandlingStrategy.renderView(FaceletViewHandlingStrategy.java:468)
    at [email protected]//com.sun.faces.application.view.MultiViewHandler.renderView(MultiViewHandler.java:170)
    at [email protected]//javax.faces.application.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:132)
    at [email protected]//javax.faces.application.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:132)
    at [email protected]//com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:102)
    at [email protected]//com.sun.faces.lifecycle.Phase.doPhase(Phase.java:76)
    at [email protected]//com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:199)
    at [email protected]//javax.faces.webapp.FacesServlet.executeLifecyle(FacesServlet.java:708)
    at [email protected]//javax.faces.webapp.FacesServlet.service(FacesServlet.java:451)
    at [email protected]//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
    at [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at [email protected]//io.undertow.websockets.jsr.JsrWebSocketFilter.doFilter(JsrWebSocketFilter.java:173)
    at [email protected]//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.opentracing.contrib.opentracing-jaxrs2//io.opentracing.contrib.jaxrs2.server.SpanFinishingFilter.doFilter(SpanFinishingFilter.java:52)
    at [email protected]//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at [email protected]//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at [email protected]//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at [email protected]//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
    at [email protected]//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at [email protected]//org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at [email protected]//io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
    at [email protected]//io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117)
    at [email protected]//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at [email protected]//io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
    at [email protected]//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at [email protected]//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at [email protected]//io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
    at [email protected]//io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at [email protected]//io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at [email protected]//io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at [email protected]//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at [email protected]//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at [email protected]//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at [email protected]//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
    at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
    at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78)
    at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133)
    at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130)
    at [email protected]//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at [email protected]//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at [email protected]//org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
    at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
    at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
    at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
    at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
    at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
    at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78)
    at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99)
    at [email protected]//io.undertow.server.Connectors.executeRootHandler(Connectors.java:387)
    at [email protected]//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:841)
    at [email protected]//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at [email protected]//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
    at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
    at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
    at [email protected]//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1280)
    at java.base/java.lang.Thread.run(Thread.java:834)

23:10:09,169 ERROR [io.undertow.request] (default task-8) UT005023: Exception handling request to /app/login.xhtml: javax.servlet.ServletException: Missing CSP nonce
    ...
Caused by: javax.faces.FacesException: Missing CSP nonce
    ... 56 more

web.xml

...
<context-param>
    <param-name>primefaces.CSP</param-name>
    <param-value>true</param-value>
</context-param>
...

登录.xhtml

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://xmlns.jcp.org/jsf/html"
      lang="#{localeBean.language}">

<h:head>
    <meta charset="utf-8"/>
    <meta name="viewport" content="width=device-width, initial-scale=1"/>
    <meta name="description" content=""/>
    <meta name="author" content="Mark Otto, Jacob Thornton, and Bootstrap contributors"/>
    <meta name="generator" content="Hugo 0.83.1"/>
    <title><h:outputText value="#{msgs.appcode}"/></title>

    <!-- Bootstrap core CSS -->
    <h:outputStylesheet library="assets" name="css/bootstrap.min.css"/>

    <!-- Custom styles for this template -->
    <h:outputStylesheet library="assets" name="css/signin.css"/>
</h:head>
<h:body class="text-center">
    <main class="form-signin">
        <h:form id="frmLogin">
            <h:graphicImage library="assets" name="img/logo.png" styleClass="mb-4" width="75"/>

            <div class="form-floating">
                <h:inputText id="j_username" name="j_username" class="form-control"
                             value="#{loginBean.username}" autocomplete="off"/>
                <h:outputLabel for="j_username" value="#{msgs.username}"/>
            </div>
            <div class="form-floating">
                <h:inputSecret id="j_password" name="j_password" class="form-control" value="#{loginBean.password}"
                               autocomplete="off"/>
                <h:outputLabel for="j_password" value="#{msgs.password}"/>
            </div>
            <h:commandButton value="#{msgs.login}" class="w-100 btn btn-lg btn-primary"/>
        </h:form>
    </main>
</h:body>
</html>
jsf primefaces content-security-policy
3个回答
2
投票

如果您的页面确实是 j_securityCheck 意义上的登录页面,我不会使用 h:form。我使用像这样的标准表单集和瞬态 

f:view
,因此它不会创建 JSF 视图状态。

我在所有 PrimeFaces 应用程序中使用 CSP,并且效果成功。

<f:view transient="true">
    <form method="post" action="j_security_check" name="loginForm" id="loginForm" style="margin-top: 20px; width: 400px" enctype="application/x-www-form-urlencoded" accept-charset="UTF-8">
        <p:panel id="pnlLogin">
            <p:focus for="j_username" />
            <p:panelGrid columns="2" cellpadding="5">
                <h:outputLabel for="j_username" value="#{webmsg['label.username']}" />
                <h:inputText value="" id="j_username" name="j_username" autocomplete="off" required="true" tabindex="1"
                            styleClass="ui-inputfield ui-widget ui-state-default ui-corner-all" />
                <h:outputLabel for="j_password" value="#{webmsg['label.password']}" />
                <h:inputSecret id="j_password" tabindex="2" name="j_password" autocomplete="off" required="true"
                            styleClass="ui-inputfield ui-password ui-widget ui-state-default ui-corner-all" />
                <h:commandButton type="submit" value="#{webmsg['label.login']}" tabindex="3"
                            styleClass="ui-button ui-widget ui-state-default ui-corner-all ui-button-text-only login-button"
                            style="width: 60px;" />
            </p:panelGrid>
        </p:panel>
    </form>
</f:view>
0
投票

我通过使用 primefaces 组件更改 h:inputText 和 h:outputLabel 来使此表单与 CSP 兼容。

        <h:form>
        <h:graphicImage library="assets" name="img/logo.png" styleClass="mb-4" width="75"/>
        <div class="form-floating">
            <p:inputText id="j_username" name="j_username"
                         value="#{loginBean.username}" class="form-control"
                         autocomplete="off"/>
            <p:outputLabel for="j_username" value="#{msgs.username}"/>
        </div>
        <div class="form-floating">
            <p:inputText id="j_password" name="j_password" type="password"
                         value="#{loginBean.password}"
                         autocomplete="off" class="form-control"
                         converter="charArrayConverter"/>
            <p:outputLabel for="j_password" value="#{msgs.password}"/>
            <p:commandButton id="btnButton" value="#{msgs.login}" action="#{loginBean.login()}" class="w-100 btn btn-lg btn-primary"/>
        </div>
    </h:form>
0
投票

我也遇到了同样的问题,和你一样,一切看起来都很好。

我找不到根本原因,但我可以使用此来源(效果很好)作为示例来解决我的问题。

https://github.com/primefaces/primefaces/issues/5641

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.