jsr344-experts@javaserverfaces-spec-public.java.net

[jsr344-experts] Re: [869-CSRF] Proposal

From: Neil Griffin <neil.griffin_at_portletfaces.org>
Date: Tue, 26 Jul 2011 13:24:07 -0400

I just wanted to answer Ed's question below:

Yes, the portlet bridge can use the ViewHandlerWrapper if necessary to fortify the ViewHandler#getActionURL(String) method. Also ExternalContext#encodeActionURL(String) can be fortified as well.

On Jul 21, 2011, at 6:02 PM, Ed Burns wrote:

> NG> #1 is probably not compatible with portlets. Portals are in full
> NG> control of creation of URLs in general, and it is not possible to
> NG> simply append "&javax.faces.Token=XYZ" to a portal's ActionURL and
> NG> expect it to work.
>
> Because we are always doing both, is it reasonable to specify that a
> portlet bridge implementation must take whatever action is necessary to
> remove or massage the token so that things work as expected?
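
The following is an added example, not part of the original thread and not code from the JSF specification or any portlet bridge: a `ViewHandlerWrapper` that fortifies `getActionURL` in the way Neil's reply describes, for the plain servlet case. The class name `TokenViewHandler`, the session key, the helper methods and the token format (256 random bits, stored per session) are assumptions; only the parameter name `javax.faces.Token` comes from the thread.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import javax.faces.application.ViewHandler;
import javax.faces.application.ViewHandlerWrapper;
import javax.faces.context.FacesContext;

/** Illustrative wrapper; class, key and helper names are hypothetical. */
public class TokenViewHandler extends ViewHandlerWrapper {
    static final String PARAM = "javax.faces.Token";            // name quoted in the thread
    static final String KEY = TokenViewHandler.class.getName(); // hypothetical session key
    private static final SecureRandom RNG = new SecureRandom();
    private final ViewHandler wrapped;

    public TokenViewHandler(ViewHandler wrapped) { this.wrapped = wrapped; }

    @Override public ViewHandler getWrapped() { return wrapped; }

    @Override public String getActionURL(FacesContext ctx, String viewId) {
        // Servlet case: plain query-string append. A portlet bridge would replace
        // this step, since the portal owns the URL format.
        return appendToken(getWrapped().getActionURL(ctx, viewId), sessionToken(ctx));
    }

    static String appendToken(String url, String token) {
        int hash = url.indexOf('#');                  // keep any fragment last
        String frag = hash < 0 ? "" : url.substring(hash);
        String base = hash < 0 ? url : url.substring(0, hash);
        return base + (base.indexOf('?') < 0 ? '?' : '&') + PARAM + '=' + token + frag;
    }

    static String sessionToken(FacesContext ctx) {
        Map<String, Object> session = ctx.getExternalContext().getSessionMap();
        String token = (String) session.get(KEY);
        if (token == null) {                          // 256 random bits, URL-safe
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.put(KEY, token);
        }
        return token;
    }

    /** Call before processing a postback; the comparison is constant-time. */
    public static boolean isValid(FacesContext ctx) {
        String sent = ctx.getExternalContext().getRequestParameterMap().get(PARAM);
        String expected = (String) ctx.getExternalContext().getSessionMap().get(KEY);
        return sent != null && expected != null && MessageDigest.isEqual(
            sent.getBytes(StandardCharsets.UTF_8), expected.getBytes(StandardCharsets.UTF_8));
    }
}
```

A handler like this is registered through the `<view-handler>` element of `faces-config.xml`.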