[JAVASERVERFACES_SPEC_PUBLIC-1112] Security bug with FacesContext in application startup Created: 01/Jun/12  Updated: 13/Aug/14

Status: Open
Project: javaserverfaces-spec-public
Component/s: Configuration/Bootstrapping, Security
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major
Reporter: ssilvert Assignee: Unassigned
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


Regarding the FacesContext that is available during application initialization, we need some language in the spec about how it is cleaned up. Otherwise, it can leak into the initialization thread of another application and allow one WAR to see the context of another WAR.

Also, we need some language saying that FacesContext.getCurrentInstance() should always return null except when:
A) We are in the context of a servlet request, or
B) We are receiving a PostConstructApplicationEvent

See http://java.net/jira/browse/JAVASERVERFACES-2436 for full details and an application that recreates the issues.

Comment by Ed Burns [ 01/Aug/14 ]

Set priority to baseline ahead of JSF 2.3 triage. Priorities will be assigned accurately after this exercise.

Generated at Mon May 30 00:03:06 UTC 2016 using JIRA 6.2.3#6260-sha1:63ef1d6dac3f4f4d7db4c1effd405ba38ccdc558.