  1. RichFaces
  2. RF-14011

a4j:mediaoutput does not work on wildfly 8.2, uploaded Image is broken

    Details

    • Steps to Reproduce:
      1) Upload the image using rich:fileupload
      2) Once it gets uploaded, try to render the uploaded image with the a4j:mediaoutput tag
    • Affects:
      User Experience
    • Estimated Difficulty:
      High

      Description

      Getting the below exception at the time of rendering the uploaded image.
      4:23:28,434 SEVERE [org.richfaces.log.Resource] (default task-21) Input error for deserialize data : java.io.InvalidClassException: Unauthorized deserialization attempt; org.jboss.el.MethodExpressionImpl
      at org.richfaces.util.LookAheadObjectInputStream.resolveClass(LookAheadObjectInputStream.java:100) [richfaces-core-4.5.3.Final.jar:4.5.3.Final]
      at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1612) [rt.jar:1.7.0_75]
      at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1517) [rt.jar:1.7.0_75]
      at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1771) [rt.jar:1.7.0_75]
      at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1350) [rt.jar:1.7.0_75]

      I have debugged the code and also searched the other JIRA issues and found that org.jboss.el.MethodExpressionImpl needs to be added to the whitelist.

      It is failing at the below code snippet of LookAheadObjectInputStream.java:
      /**
       * Only deserialize primitive or whitelisted classes
       */
      @Override
      protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
          Class<?> primitiveType = PRIMITIVE_TYPES.get(desc.getName());
          if (primitiveType != null) {
              return primitiveType;
          }
          if (!isClassValid(desc.getName())) {
              throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
          }
          return super.resolveClass(desc);
      }

      boolean isClassValid(String requestedClassName) {
          if (whitelistClassNameCache.contains(requestedClassName)) {
              return true;
          }
          try {
              Class<?> requestedClass = Class.forName(requestedClassName); // Error from this line
              for (Class baseClass : whitelistBaseClasses) {
                  if (baseClass.isAssignableFrom(requestedClass)) {
                      whitelistClassNameCache.add(requestedClassName);
                      return true;
                  }
              }
          } catch (ClassNotFoundException e) {
              return false;
          }
          return false;
      }

      When it checks for org.jboss.el.MethodExpressionImpl, it could not find it in whitelistClassNameCache and then it fails at the below line:
      Class<?> requestedClass = Class.forName(requestedClassName);

      Can you please check?
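
The look-ahead check quoted in this report, as an added stand-alone example (not RichFaces code and not part of the original report): a class descriptor passes only if its name is on an exact-name list or its class is a subtype of an allowed base type, and everything else is rejected before an instance is created. The class names `AllowListDemo` and `AllowListInputStream`, the sample policy, and the three-argument `Class.forName` with the thread context class loader are assumptions of this example.

```java
import java.io.*;
import java.util.*;

public class AllowListDemo {
    // Look-ahead stream: each class descriptor is vetted before an instance is created.
    static class AllowListInputStream extends ObjectInputStream {
        // Constructed sample policy: exact names (also the cache) and base types whose subtypes pass.
        private final Set<String> allowedNames = new HashSet<>(Collections.singleton("java.util.Date"));
        private final List<Class<?>> allowedBases = Collections.<Class<?>>singletonList(Collection.class);

        AllowListInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!isAllowed(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class is not on the allow-list");
            }
            return super.resolveClass(desc);
        }

        private boolean isAllowed(String name) {
            if (allowedNames.contains(name)) return true;
            try {
                // initialize=false: vetting a name must not run that class's static initializers
                Class<?> c = Class.forName(name, false, Thread.currentThread().getContextClassLoader());
                for (Class<?> base : allowedBases) {
                    if (base.isAssignableFrom(c)) { allowedNames.add(name); return true; }
                }
            } catch (ClassNotFoundException e) { /* not visible to this loader: reject */ }
            return false;
        }
    }

    // Serializes o, reads it back through the filter, and reports the object or the rejection.
    static String roundTrip(Object o) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        try (ObjectInputStream in = new AllowListInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return "accepted: " + in.readObject();
        } catch (InvalidClassException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(roundTrip(new ArrayList<>(Arrays.asList("a", "b")))); // subtype of an allowed base
        System.out.println(roundTrip(new Date(0L)));                              // exact name on the list
        System.out.println(roundTrip(new HashMap<String, String>()));             // on neither list
    }
}
```

A class that the chosen loader cannot see is treated the same as a class that is not on the list, so the loader passed to `Class.forName` is part of the policy.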


              People

              • Assignee:
                michpetrov Michal Petrov
                Reporter:
                abhiraj25 Abhiraj Suryawanshi
              • Votes:
                0
                Watchers:
                3
