Tags: jsf, primefaces, shiro

PrimeFaces 13.0 displays "Invalid Request" at beginning of browser session


When we access our application via browser (Chrome Version 116.0.5845.141), upon opening the browser, the first attempt always gets redirected to a screen which displays only the message "Invalid request".

We're running JBoss 7.1 on Windows 10.

This always occurs on the first attempt of each browser session, and when this occurs, a breakpoint on the first line of the login bean is never hit, and no exception or stack trace appears in JBoss. All subsequent attempts during the same browser session succeed, the login bean breakpoint is hit, and our index.xhtml page opens as expected. I have Googled in vain to even see this issue raised as a question, although it's occurring for me and for another developer on our team testing our WAR.

Specifics I've tried:

First, I placed a breakpoint on the first line of the Login bean handler. It made sense to assume that line would be hit on every attempt to open our application. What happened instead was on the first attempt of each browser session, the breakpoint was never hit, and the "Invalid request" message appeared right away. On the second, and later tries of the same browser session, the breakpoint was hit every time, and the index.xhtml page opened normally afterwards.

Second, I tried inserting all the recommended error handling lines into web.xml per the PrimeFaces Documentation site, thinking something must have changed between PrimeFaces v6.0 and PrimeFaces 13.0. I expected at least one of those additions to change what happened when I opened the browser and attempted to open our page running on my local JBoss. The issue persisted unchanged.

The WAR we built with PrimeFaces 6.0 does not have this issue. This is an issue we are only seeing recently since upgrading from PrimeFaces 6.0 to PrimeFaces 13.0, with only the code changes necessary to reconcile the old parameterized constructors to the new builder() calls.

I have successfully grepped the word "Invalid" in the PrimeFaces 13.0 jars, and traced it to shiro-web-1.12.0.jar. Within that, I have traced the literal "Invalid request" to an InvalidRequestFilter class file. It appears to be generated in an onAccessDenied() event.

From this, I can reasonably surmise that onAccessDenied() event is being triggered the first time in every browser session, when we try to open our app page, and that this event is what's preventing our login bean code from running.

Can anyone recommend a config change to resolve this in web.xml or some other file?


Solution

  • I've found a solution!!

    When I grepped all the jars in my PrimeFaces 13.0 setup, I found the word “Invalid” only in shiro-core-1.12.0 and shiro-web-1.12.0. When I expanded both jars, I found “Invalid request” only in shiro-web-1.12.0.

    This message resides in an InvalidRequestFilter class, which is new to shiro-web-1.12.0.

    The message is generated by an event called “onAccessDenied()”, which is triggered when a call to “isAccessAllowed()” returns false. This page explains the purpose of the InvalidRequestFilter during the login sequence, and provides detailed explanations of the onAccessDenied() event, and the isAccessAllowed() method. Properties of InvalidRequestFilter, enabled by default, can be disabled by adding lines to shiro.ini addressing the invalidRequest object with properties described in this screenshot.

    The InvalidRequestFilter inherits an enabled property from its parent class OncePerRequestFilter class, which can similarly be disabled by adding the following line to shiro.ini. I added this line to our shiro.ini to test the concept.

    invalidRequest.enabled = false

    After more testing today, it looks like only the “blockSemicolon” property needs to be set to false, in order to resolve our issue, yet still allowing the invalidRequest object to protect the app against the other three threats, so I’ve updated the WAR with the following change to shiro.ini:

    invalidRequest.enabled = true
    invalidRequest.blockSemicolon = false
    invalidRequest.blockBackslash = true
    invalidRequest.blockNonAscii = true
    invalidRequest.blockTraversal = true

    Thank you for all your helpful input!
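Added example, not part of the question or the answer and not Shiro's own code: a small Python model of the four `invalidRequest.*` switches from the answer's shiro.ini, so the effect of `blockSemicolon = false` can be checked against sample request URIs. The first request of a browser session is the one most likely to carry a semicolon, because a servlet container that has not yet seen a session cookie rewrites the session id into the URL as `;jsessionid=...`, which is exactly what a semicolon block rejects. The `[main]` ini text, the URIs, and the check logic are constructed here and only approximate what Shiro's `InvalidRequestFilter` does; they are not its source.

```python
"""Model of the invalidRequest.* switches in shiro.ini (constructed example).

The checks below are simplified approximations of Shiro's InvalidRequestFilter,
written here for illustration; consult the Shiro source for the real rules.
"""
import configparser
from urllib.parse import unquote

# Shiro's defaults: the filter is on and every block is enabled.
DEFAULTS = {
    "enabled": True,
    "blockSemicolon": True,
    "blockBackslash": True,
    "blockNonAscii": True,
    "blockTraversal": True,
}

# Constructed ini texts: an untouched [main] section, and the answer's final settings.
SHIRO_INI_DEFAULT = "[main]\n"
SHIRO_INI_ANSWER = """[main]
invalidRequest.enabled = true
invalidRequest.blockSemicolon = false
invalidRequest.blockBackslash = true
invalidRequest.blockNonAscii = true
invalidRequest.blockTraversal = true
"""
# The answer's first experiment: turning the whole filter off.
SHIRO_INI_DISABLED = "[main]\ninvalidRequest.enabled = false\n"


def load_invalid_request_settings(ini_text):
    """Read invalidRequest.* keys from the [main] section, falling back to defaults."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep camelCase property names as written
    parser.read_string(ini_text)
    settings = dict(DEFAULTS)
    if parser.has_section("main"):
        for key, value in parser.items("main"):
            obj, _, prop = key.partition(".")
            if obj == "invalidRequest" and prop in settings:
                settings[prop] = value.strip().lower() == "true"
    return settings


def rejection_reason(uri, settings):
    """Return the name of the first switch that rejects the URI, or None if allowed."""
    if not settings["enabled"]:
        return None
    decoded = unquote(uri)  # look at the percent-decoded path, as the filter does
    if settings["blockSemicolon"] and ";" in decoded:
        return "blockSemicolon"
    if settings["blockBackslash"] and "\\" in decoded:
        return "blockBackslash"
    if settings["blockNonAscii"] and any(not 0x20 <= ord(ch) <= 0x7E for ch in decoded):
        return "blockNonAscii"
    if settings["blockTraversal"] and any(seg in (".", "..") for seg in decoded.split("/")):
        return "blockTraversal"
    return None


def evaluate(uri, ini_text):
    """Convenience wrapper: load settings from ini text and check one URI."""
    return rejection_reason(uri, load_invalid_request_settings(ini_text))


if __name__ == "__main__":
    # Constructed sample URIs, including the URL-rewritten session id case.
    samples = [
        "/app/index.xhtml",
        "/app/index.xhtml;jsessionid=ABC123",
        "/app/caf%C3%A9.xhtml",
        "/app/..%2Fsecret",
    ]
    for name, ini in (("default", SHIRO_INI_DEFAULT), ("answer", SHIRO_INI_ANSWER)):
        for uri in samples:
            print(f"{name:8} {uri:40} -> {evaluate(uri, ini)}")
```

Running the block shows the session-id URL being rejected by `blockSemicolon` under defaults and passing under the answer's settings, while backslash, non-ASCII and traversal requests are still rejected. Note that `blockSemicolon = false` also lets through any other semicolon path parameter, not just `jsessionid`; if the only reason for the semicolon is URL session rewriting, forcing cookie-only tracking in web.xml (`<session-config><tracking-mode>COOKIE</tracking-mode></session-config>`, a standard Servlet 3.0 setting) removes the semicolon from the first request and lets the block stay enabled.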