Play 2.2.x doc related to CSRF is incorrect #1728

Closed
armsargis opened this issue Sep 23, 2013 · 4 comments
@armsargis

Hi, I am just learning Play and using Scala, so I followed the docs: http://www.playframework.com/documentation/2.2.x/ScalaCsrf and found out that it does not work. If I add:

object Global extends WithFilters(CSRFFilter()) with GlobalSettings

as described I got

play.api.PlayException: Cannot init the Global object[null]
at play.api.WithDefaultGlobal$$anonfun$play$api$WithDefaultGlobal$$globalInstance$1.apply(Application.scala:55) ~[play_2.10.jar:2.2.0]
at play.api.WithDefaultGlobal$$anonfun$play$api$WithDefaultGlobal$$globalInstance$1.apply(Application.scala:49) ~[play_2.10.jar:2.2.0]
at play.utils.Threads$.withContextClassLoader(Threads.scala:18) ~[play_2.10.jar:2.2.0]
at play.api.WithDefaultGlobal$class.play$api$WithDefaultGlobal$$globalInstance(Application.scala:48) ~[play_2.10.jar:2.2.0]
at play.api.DefaultApplication.play$api$WithDefaultGlobal$$globalInstance$lzycompute(Application.scala:399) ~[play_2.10.jar:2.2.0]
at play.api.DefaultApplication.play$api$WithDefaultGlobal$$globalInstance(Application.scala:399) ~[play_2.10.jar:2.2.0]
Caused by: java.lang.ExceptionInInitializerError: null
at sun.misc.Unsafe.ensureClassInitialized(Native Method) ~[na:1.7.0_40]
at sun.reflect.UnsafeFieldAccessorFactory.newFieldAccessor(UnsafeFieldAccessorFactory.java:43) ~[na:1.7.0_40]
at sun.reflect.ReflectionFactory.newFieldAccessor(ReflectionFactory.java:140) ~[na:1.7.0_40]
at java.lang.reflect.Field.acquireFieldAccessor(Field.java:1057) ~[na:1.7.0_40]
at java.lang.reflect.Field.getFieldAccessor(Field.java:1038) ~[na:1.7.0_40]
at java.lang.reflect.Field.get(Field.java:379) ~[na:1.7.0_40]
Caused by: java.lang.RuntimeException: There is no started application
at scala.sys.package$.error(package.scala:27) ~[scala-library.jar:na]
at play.api.Play$$anonfun$current$1.apply(Play.scala:68) ~[play_2.10.jar:2.2.0]
at play.api.Play$$anonfun$current$1.apply(Play.scala:68) ~[play_2.10.jar:2.2.0]
at scala.Option.getOrElse(Option.scala:120) ~[scala-library.jar:na]
at play.api.Play$.current(Play.scala:68) ~[play_2.10.jar:2.2.0]
at play.filters.csrf.CSRFConf$.c(csrf.scala:10) ~[filters-helpers_2.10.jar:2.2.0]
[warn] play - No application found at invoker init

To fix it I did

  1. In Global:
    override def doFilter(action:EssentialAction) = CSRFFilter().apply(next = action)

  2. in *.scala.html have to add: (implicit token: play.filters.csrf.CSRF.Token) as part of parameters

@jroper
Member

jroper commented Sep 23, 2013

This kinda sucks. To make it work nicely, we'll have to make all the constructor arguments to CSRFFilter by-name parameters, which will break binary compatibility. Perhaps we could make a constructor with non-by-name parameters to maintain backwards compatibility... maybe that will work, maybe not. Unfortunately, even though the documentation was extracted out into separate code files, because the Global object in the documentation was instantiated in the context of a running app, it didn't pick up this issue.

@armsargis
Author

I did not catch this --> 'Global object in the documentation was instantiated in the context of a running app'. Can you provide code showing the correct way to define the Global object? Thanks.

@jroper
Member

jroper commented Sep 23, 2013

The workaround you posted is correct; my comment was a note for the next person in the Play team who looks at this. The way we've published it in the docs is the way we want it to be used, so we'll want to fix the CSRFFilter so it does work that way, but unfortunately it's not going to be a straightforward fix.

@armsargis
Author

Okay, thanks for the response.

jroper added a commit to jroper/playframework that referenced this issue Oct 1, 2013
* Fixes playframework#1734, custom token generator feature reinstatement
* Fixes playframework#1728, ensured CSRFFilter can be instantiated without a running
  application
* Added a csrf.sign.tokens configuration option to switch between
  default CSRF token providers, either signed or unsigned.
* Abstracted tests so they can be run on many different permutations of
  configuration
* Added documentation about all the different configuration options

This commit breaks binary compatibility, the CSRFFilter constructor
parameters are now not lazy, and CSRFFilter is no longer a case class,
so many of the methods it used to provide are no longer there.  This was
deemed necessary because the intended use of CSRFFilter, ie:

    object Global extends WithFilters(CSRFFilter()) with GlobalSettings

was not possible with the old constructor.  The constructor is however
still source compatible for most use cases.

Since that constructor is intentionally breaking binary compatibility,
new parameters that were added for custom token generation and
configuration signing were added without consideration for binary
compatibility, only source compatibility.
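
The initialization-order problem discussed in this thread, as an added example that is not Play's code or part of the original issue: a small standalone model of why a filter whose defaults read the running application cannot be built inside the `Global` object's initializer, and why by-name parameters (or building it inside `doFilter`, as in the workaround) avoid the failure. `FakePlay`, `Conf`, `EagerFilter` and `LazyFilter` are hypothetical stand-ins, and the configuration key is constructed sample data.

```scala
// Added illustration: a minimal model of the failure, not Play's source.
// FakePlay, Conf, EagerFilter and LazyFilter are hypothetical stand-ins.
import scala.util.Try

object FakePlay {
  // Stands in for play.api.Play.current: fails until an app has started.
  private var app: Option[Map[String, String]] = None
  def start(conf: Map[String, String]): Unit = { app = Some(conf) }
  def current: Map[String, String] =
    app.getOrElse(sys.error("There is no started application"))
}

object Conf {
  // Stands in for CSRFConf: every read goes through the running application.
  def tokenName: String =
    FakePlay.current.getOrElse("csrf.token.name", "csrfToken")
}

// Strict parameter: the default argument is evaluated at construction time.
class EagerFilter(val tokenName: String = Conf.tokenName)

// By-name parameter: the default is evaluated on each use, after startup.
class LazyFilter(name: => String = Conf.tokenName) {
  def tokenName: String = name
}

object Demo extends App {
  // Like `object Global extends WithFilters(CSRFFilter())`: the filter is
  // constructed while Global initializes, before any application exists.
  val eager = Try(new EagerFilter())
  val deferred = new LazyFilter() // safe: nothing is read yet

  FakePlay.start(Map("csrf.token.name" -> "csrfToken")) // constructed config

  println(s"eager construction before start: $eager")
  println(s"by-name filter after start: ${deferred.tokenName}")
  // The workaround in this issue has the same effect: constructing the
  // filter inside doFilter delays construction until the app is running.
  println(s"constructed on demand: ${new EagerFilter().tokenName}")
}
```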
@jroper jroper closed this as completed in 01a2445 Oct 3, 2013