Hedhanterz

Reputation: 31

Omnifaces CombinedResourceHandler problem with SHA-384 integrity

We are using the CombinedResourceHandler to combine our CSS and JS files. This works just fine when deploying the application, but after some time (I guess not using the application) the browser has a problem loading these files because of the SHA-384 integrity, which was introduced in OmniFaces 3.13.

The application runs on a WildFly in a container environment (Docker) and is accessed by an Apache2 reverse proxy.

The problem shows up on several java/wildfly/omnifaces versions.

Error message:

Failed to find a valid digest in the 'integrity' attribute for resource 'https://{HOST}/javax.faces.resource/eNrLTczMs0ouLtYvKMrPSk0uyU3MS0xPLdItT03SAwrXFBRl5qamJSanFlsl5-cW5Oel5pUUg2QAi20Wng.css.xhtml?ln=omnifaces.combined&v=1714462321656' with computed SHA-384 integrity 'gz+8OSFmG9pvdPUmAQvgZvqlaek3oXVFI+0kni54mrdClZrC0F6buQuaxwmy85qw'. The resource has been blocked.

web.xml:

<!-- enable the web socket endpoint by omnifaces -->
<context-param>
    <param-name>org.omnifaces.SOCKET_ENDPOINT_ENABLED</param-name>
    <param-value>true</param-value>
</context-param>
<!-- activate server-side caching of the combined resource content by omnifaces -->
<context-param>
    <param-name>org.omnifaces.COMBINED_RESOURCE_HANDLER_CACHE_TTL</param-name>
    <param-value>86400</param-value> <!-- 86.400sec = 24h -->
</context-param>
<context-param>
    <param-name>org.omnifaces.COMBINED_RESOURCE_HANDLER_DISABLED</param-name>
    <param-value>#{facesContext.application.projectStage eq 'Development'}</param-value>
</context-param>

faces-config.xml:

<?xml version="1.0" encoding="UTF-8"?>
<faces-config xmlns="http://xmlns.jcp.org/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-facesconfig_2_3.xsd"
    version="2.3">

    <application>
        <locale-config>
            <default-locale>de</default-locale>
            <supported-locale>de</supported-locale>
            <supported-locale>en</supported-locale>
        </locale-config>

        <resource-bundle>
            <base-name>messages</base-name>
            <var>msg</var>
        </resource-bundle>
        <message-bundle>messages_jsf</message-bundle>

        <el-resolver>org.primefaces.application.exceptionhandler.PrimeExceptionHandlerELResolver</el-resolver>

        <resource-handler>org.omnifaces.resourcehandler.CombinedResourceHandler</resource-handler>
    </application>

    <factory>
        <exception-handler-factory>org.primefaces.application.exceptionhandler.PrimeExceptionHandlerFactory</exception-handler-factory>
    </factory>
    
    <lifecycle>
        <phase-listener>org.omnifaces.eventlistener.ResetInputAjaxActionListener</phase-listener>
    </lifecycle>

</faces-config>

When the problem appears, only a restart of the application/container helps.

Is there a way to solve this issue to keep the integrity valid? Otherwise we must consider not using the CombinedResourceHandler.

Upvotes: 2

Views: 73

Answers (1)

jamesthollowell

Reputation: 1712

I've discovered a workaround while trying to fix this same problem for our app. If you set a context param like

  <context-param>
      <param-name>org.omnifaces.COMBINED_RESOURCE_HANDLER_CROSSORIGIN</param-name>
      <param-value><!--intentionally blank--></param-value>
  </context-param>

in your web.xml, this disables the Integrity generation introduced in 3.13 in commit https://github.com/omnifaces/omnifaces/commit/3a6e14c948aac94723a21e8fde4b1188b3ce670e.

The generated HTML looks like

<link type="text/css" rel="stylesheet" href="/APP_ROOT/javax.faces.resource/longhashnamehere.css?ln=omnifaces.combined&amp;v=1723663698000" crossorigin="" integrity="">

Upvotes: 0
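
To see which side is wrong when the browser reports this error, compare the `integrity` value in the rendered HTML with the SHA-384 of the bytes actually served at the resource URL, whether fetched through the reverse proxy or directly from WildFly. The following is an added example, not code from the question, the answer or OmniFaces; the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib

# Hash functions SRI allows, weakest to strongest; only the strongest one present is enforced.
_ALGS = ("sha256", "sha384", "sha512")

def sri_digest(body: bytes, alg: str = "sha384") -> str:
    """Return the SRI token (e.g. 'sha384-...') for the exact bytes served."""
    return alg + "-" + base64.b64encode(hashlib.new(alg, body).digest()).decode("ascii")

def check_integrity(integrity_attr: str, body: bytes) -> str:
    """Classify a response body against an integrity attribute value.

    Returns 'unchecked' (empty attribute, as produced by the workaround above),
    'match', or 'mismatch' (the browser would block the resource).
    """
    tokens = []
    for tok in integrity_attr.split():
        alg, sep, rest = tok.partition("-")
        if sep and alg in _ALGS:  # unsupported or malformed tokens are ignored
            tokens.append((alg, rest.split("?", 1)[0]))  # drop optional ?options
    if not tokens:
        return "unchecked"
    strongest = max((a for a, _ in tokens), key=_ALGS.index)
    expected = {v for a, v in tokens if a == strongest}
    actual = sri_digest(body, strongest).split("-", 1)[1]
    return "match" if actual in expected else "mismatch"

# Constructed sample: the body hashed when the page was rendered, and a different
# body served later under the same URL.
RENDERED = b"body{margin:0}\n.menu{display:none}\n"
SERVED_LATER = b"body{margin:0}\n"
ATTR = sri_digest(RENDERED)

if __name__ == "__main__":
    for label, body in (("same bytes", RENDERED), ("changed bytes", SERVED_LATER)):
        print(label, check_integrity(ATTR, body), sri_digest(body))
    print("blank attribute", check_integrity("", SERVED_LATER))
```

Run it on the decompressed response body; with `integrity=""` the result is `unchecked`, meaning the browser no longer verifies the combined resource at all.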
