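So basically, JSF is trying to render a link to an ajax4jsf CSS file that has "Xx<XaXaXXaXaX>xX as part of it. This of course throws an exception right away.
The point is, how does this come about:
org/"Xx<XaXaXXaXaX>xX/renderkit/html/css/basic_classes.xcss
when it should be this:
org/richfaces/renderkit/html/css/basic_classes.xcss
Is it possible we have some sort of XSS attack leading to this? "Xx<XaXaXXaXaX>xX seems to be a pretty popular string when breaking into systems...
How can someone get around this?
EDIT
Inside the richfaces-ui jar I found this file: richfaces-ui-3.3.1.GA\META-INF\resources-config.xml
It has this resource:
<name>org/richfaces/renderkit/html/css/basic_classes.xcss</name>
<path>org/richfaces/renderkit/html/css/basic_classes.xcss</path>
But it seems that somehow it is not getting it right, because I got this error later on: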
2013-09-25 19:48:02,297 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/].[Faces Servlet]] (http-10.60.67.140-8443-6) Servlet.service() for servlet Faces Servlet threw exception
org.ajax4jsf.resource.ResourceNotFoundException: Resource not registered : org/"Xx<XaXaXXaXaX>xX/renderkit/html/css/basic_classes.xcss
at org.ajax4jsf.resource.ResourceBuilderImpl.getResource(ResourceBuilderImpl.java:406)
at org.ajax4jsf.resource.ResourceBuilderImpl.getResourceForKey(ResourceBuilderImpl.java:350)
at org.ajax4jsf.resource.InternetResourceService.serviceResource(InternetResourceService.java:152)
at org.ajax4jsf.resource.InternetResourceService.serviceResource(InternetResourceService.java:141)
at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:488)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:905)
at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:592)
at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:2036)
at java.lang.Thread.run(Unknown Source)
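By the way, this only happens in production. I've read that JSF 1.2 is vulnerable to XSS attacks, so after seeing that "Xx<XaXaXXaXaX>xX is the issue here, that means it can be injected somehow...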
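A defensive check for the log pattern in this question, added here as an example and not part of the original post: it pulls the resource key out of each `Resource not registered` line and flags path segments containing characters outside an assumed safe set, together with the timestamp and connector thread of the log entry. The function name, the allowed character set and the second log entry are constructed for illustration.

```python
import re

# JBoss log entry header: timestamp, level, [category], (thread).
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \w+\s+\[.*\] \((?P<thread>[^)]+)\)"
)
# Exception line emitted by ajax4jsf when a resource key is unknown.
MISSING = re.compile(r"ResourceNotFoundException: Resource not registered : (?P<key>.*\S)")
# Assumption: legitimate keys are class-path style names such as
# org/richfaces/renderkit/html/css/basic_classes.xcss
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9_.$-]+")


def find_tainted_keys(lines):
    """Return one finding per unregistered key that has an unexpected segment."""
    findings = []
    last = {"ts": None, "thread": None}
    for line in lines:
        header = HEADER.match(line)
        if header:
            last = header.groupdict()  # remember which entry the trace belongs to
            continue
        missing = MISSING.search(line)
        if not missing:
            continue
        key = missing.group("key")
        bad = [seg for seg in key.split("/") if not SAFE_SEGMENT.fullmatch(seg)]
        if bad:  # a plain typo in a key is not reported, only odd characters
            findings.append({"ts": last["ts"], "thread": last["thread"],
                             "key": key, "bad_segments": bad})
    return findings


SAMPLE_LOG = [
    # First entry: copied from the stack trace in the question.
    '2013-09-25 19:48:02,297 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/].[Faces Servlet]] (http-10.60.67.140-8443-6) Servlet.service() for servlet Faces Servlet threw exception',
    'org.ajax4jsf.resource.ResourceNotFoundException: Resource not registered : org/"Xx<XaXaXXaXaX>xX/renderkit/html/css/basic_classes.xcss',
    'at org.ajax4jsf.resource.ResourceBuilderImpl.getResource(ResourceBuilderImpl.java:406)',
    # Second entry: constructed, a missing key with only ordinary characters.
    '2013-09-25 19:50:11,004 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/].[Faces Servlet]] (http-10.60.67.140-8443-2) Servlet.service() for servlet Faces Servlet threw exception',
    'org.ajax4jsf.resource.ResourceNotFoundException: Resource not registered : org/richfaces/renderkit/html/css/missing.xcss',
]

if __name__ == "__main__":
    for finding in find_tainted_keys(SAMPLE_LOG):
        print(finding)
```

Correlating the reported timestamp and thread with the access log for the same connector shows which request URL carried the unexpected segment.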