环境:
在 web.xml 上激活的内容安全策略引发 javax.faces.FacesException:缺少 CSP 随机数 登录网页加载良好,但当我提交表单时,我收到 Missing CSP nonce
不知道该怎么办
错误日志
23:10:09,168 SEVERE [javax.enterprise.resource.webcontainer.jsf.application] (default task-8) Error Rendering View[/login.xhtml]: javax.faces.FacesException: Missing CSP nonce
at deployment.app.war//org.primefaces.csp.CspState.validate(CspState.java:76)
at deployment.app.war//org.primefaces.csp.CspState.getNonce(CspState.java:58)
at deployment.app.war//org.primefaces.csp.CspResponseWriter.listenOnEndAttribute(CspResponseWriter.java:185)
at deployment.app.war//org.primefaces.csp.CspResponseWriter.write(CspResponseWriter.java:167)
at java.base/java.io.Writer.write(Writer.java:290)
at java.base/java.io.Writer.write(Writer.java:249)
at deployment.app.war//org.primefaces.renderkit.HeadRenderer.encodeSettingScripts(HeadRenderer.java:203)
at deployment.app.war//org.primefaces.renderkit.HeadRenderer.encodeBegin(HeadRenderer.java:137)
at [email protected]//javax.faces.component.UIComponentBase.encodeBegin(UIComponentBase.java:540)
at [email protected]//javax.faces.component.UIComponent.encodeAll(UIComponent.java:1644)
at [email protected]//javax.faces.component.UIComponent.encodeAll(UIComponent.java:1650)
at [email protected]//com.sun.faces.application.view.FaceletViewHandlingStrategy.renderView(FaceletViewHandlingStrategy.java:468)
at [email protected]//com.sun.faces.application.view.MultiViewHandler.renderView(MultiViewHandler.java:170)
at [email protected]//javax.faces.application.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:132)
at [email protected]//javax.faces.application.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:132)
at [email protected]//com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:102)
at [email protected]//com.sun.faces.lifecycle.Phase.doPhase(Phase.java:76)
at [email protected]//com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:199)
at [email protected]//javax.faces.webapp.FacesServlet.executeLifecyle(FacesServlet.java:708)
at [email protected]//javax.faces.webapp.FacesServlet.service(FacesServlet.java:451)
at [email protected]//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
at [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at [email protected]//io.undertow.websockets.jsr.JsrWebSocketFilter.doFilter(JsrWebSocketFilter.java:173)
at [email protected]//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.opentracing.contrib.opentracing-jaxrs2//io.opentracing.contrib.jaxrs2.server.SpanFinishingFilter.doFilter(SpanFinishingFilter.java:52)
at [email protected]//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at [email protected]//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at [email protected]//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at [email protected]//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at [email protected]//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
at [email protected]//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at [email protected]//org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at [email protected]//io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
at [email protected]//io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117)
at [email protected]//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at [email protected]//io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
at [email protected]//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at [email protected]//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at [email protected]//io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
at [email protected]//io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at [email protected]//io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at [email protected]//io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at [email protected]//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at [email protected]//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at [email protected]//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at [email protected]//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
at [email protected]//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78)
at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133)
at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130)
at [email protected]//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at [email protected]//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at [email protected]//org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
at [email protected]//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1530)
at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78)
at [email protected]//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99)
at [email protected]//io.undertow.server.Connectors.executeRootHandler(Connectors.java:387)
at [email protected]//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:841)
at [email protected]//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
at [email protected]//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1280)
at java.base/java.lang.Thread.run(Thread.java:834)
23:10:09,169 ERROR [io.undertow.request] (default task-8) UT005023: Exception handling request to /app/login.xhtml: javax.servlet.ServletException: Missing CSP nonce
...
Caused by: javax.faces.FacesException: Missing CSP nonce
... 56 more
web.xml
...
<context-param>
<param-name>primefaces.CSP</param-name>
<param-value>true</param-value>
</context-param>
...
登录.xhtml
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:h="http://xmlns.jcp.org/jsf/html"
lang="#{localeBean.language}">
<h:head>
<meta charset="utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<meta name="description" content=""/>
<meta name="author" content="Mark Otto, Jacob Thornton, and Bootstrap contributors"/>
<meta name="generator" content="Hugo 0.83.1"/>
<title><h:outputText value="#{msgs.appcode}"/></title>
<!-- Bootstrap core CSS -->
<h:outputStylesheet library="assets" name="css/bootstrap.min.css"/>
<!-- Custom styles for this template -->
<h:outputStylesheet library="assets" name="css/signin.css"/>
</h:head>
<h:body class="text-center">
<main class="form-signin">
<h:form id="frmLogin">
<h:graphicImage library="assets" name="img/logo.png" styleClass="mb-4" width="75"/>
<div class="form-floating">
<h:inputText id="j_username" name="j_username" class="form-control"
value="#{loginBean.username}" autocomplete="off"/>
<h:outputLabel for="j_username" value="#{msgs.username}"/>
</div>
<div class="form-floating">
<h:inputSecret id="j_password" name="j_password" class="form-control" value="#{loginBean.password}"
autocomplete="off"/>
<h:outputLabel for="j_password" value="#{msgs.password}"/>
</div>
<h:commandButton value="#{msgs.login}" class="w-100 btn btn-lg btn-primary"/>
</h:form>
</main>
</h:body>
</html>
如果您的页面确实是 j_securityCheck 意义上的登录页面,我不会使用 h:form。我使用像这样的标准表单集和瞬态
f:view
,因此它不会创建 JSF 视图状态。
我在所有 PrimeFaces 应用程序中使用 CSP,并且效果成功。
<f:view transient="true">
<form method="post" action="j_security_check" name="loginForm" id="loginForm" style="margin-top: 20px; width: 400px" enctype="application/x-www-form-urlencoded" accept-charset="UTF-8">
<p:panel id="pnlLogin">
<p:focus for="j_username" />
<p:panelGrid columns="2" cellpadding="5">
<h:outputLabel for="j_username" value="#{webmsg['label.username']}" />
<h:inputText value="" id="j_username" name="j_username" autocomplete="off" required="true" tabindex="1"
styleClass="ui-inputfield ui-widget ui-state-default ui-corner-all" />
<h:outputLabel for="j_password" value="#{webmsg['label.password']}" />
<h:inputSecret id="j_password" tabindex="2" name="j_password" autocomplete="off" required="true"
styleClass="ui-inputfield ui-password ui-widget ui-state-default ui-corner-all" />
<h:commandButton type="submit" value="#{webmsg['label.login']}" tabindex="3"
styleClass="ui-button ui-widget ui-state-default ui-corner-all ui-button-text-only login-button"
style="width: 60px;" />
</p:panelGrid>
</p:panel>
</form>
</f:view>
我通过使用 primefaces 组件更改 h:inputText 和 h:outputLabel 来使此表单与 CSP 兼容。
<h:form>
<h:graphicImage library="assets" name="img/logo.png" styleClass="mb-4" width="75"/>
<div class="form-floating">
<p:inputText id="j_username" name="j_username"
value="#{loginBean.username}" class="form-control"
autocomplete="off"/>
<p:outputLabel for="j_username" value="#{msgs.username}"/>
</div>
<div class="form-floating">
<p:inputText id="j_password" name="j_password" type="password"
value="#{loginBean.password}"
autocomplete="off" class="form-control"
converter="charArrayConverter"/>
<p:outputLabel for="j_password" value="#{msgs.password}"/>
<p:commandButton id="btnButton" value="#{msgs.login}" action="#{loginBean.login()}" class="w-100 btn btn-lg btn-primary"/>
</div>
</h:form>
我也遇到了同样的问题,和你一样,一切看起来都很好。
我找不到根本原因,但我可以使用此来源(效果很好)作为示例来解决我的问题。