jsr372-experts@javaserverfaces-spec-public.java.net

[jsr372-experts] [1433-UIInputRequiredTrue] PROPOSAL

From: Edward Burns <edward.burns_at_oracle.com>
Date: Tue, 29 Nov 2016 09:15:43 -0800

Hello Volunteers,

Neil Griffin brought this issue to my attention [1] and has been ardently
advocating for it to be addressed in 2.3.

  When you say required="true" on a UIInput component, the validation
  must always take place, even when there is no entry in the request
  corresponding to that component.

Background:

Consider this login page:

<h:inputText id="userName" required="true"
             value="#{backingBean.userName}" />

<h:inputSecret id="password" required="true"
               validator="#{backingBean.validatePassword}"
               value="#{backingBean.password}" />

<h:commandButton action="/views/authenticatedUser.xhtml" />


If the postback is hacked such that the userName is present as a request
parameter, but the password is not, the password validator would be
bypassed. If the password validator is used as the entry point to
perform authentication, this could cause problems.

Now, it must be said that using a validator on a password field as the
entry point to perform authentication is a particular design choice.
This design choice runs a bit counter to the stated purpose of the
validation system, which is to ensure syntactic and some level of
semantic validity of fields. There are other ways to perform
authentication that do not rely on the validation system for this
purpose.

Nonetheless, we would like to accommodate this use case.

Proposal:

For JSF 2.3, I propose the following.

Modify PDF section 3.5.4 to read:


Spec> *The render-independent property required is a shorthand for the
Spec> function of a required validator. If the value of this property is
Spec> true, **there is an entry in the request payload corresponding to
Spec> this component**, and the component has no value, the component is
Spec> marked invalid and a message is added to the FacesContext
Spec> instance.*


Modify the JavaDoc for UIInput.validate(). Modify the first bullet
point to read:


Spec> Retrieve the submitted value with getSubmittedValue(). If this
Spec> returns null, and the
Spec> javax.faces.component.UIInput.ALWAYS_PERFORM_VALIDATION_WHEN_REQUIRED_IS_TRUE
Spec> context-parameter is set to true (ignoring case), examine the
Spec> value of the "required" property. If the value of "required" is
Spec> true, continue as below. If the value of "required" is false, or the
Spec> "required" attribute is not set, exit without further
Spec> processing. If the context-parameter is not set, or is set to
Spec> false (ignoring case) exit without further processing. (This
Spec> indicates that no value was submitted for this component.)


With these changes, the javadoc for UIInput.validateValue() can remain
unchanged.

ACTION: Please let us know your thoughts about this by COB 2016-12-06.
I really hope you all can accept it as is, but I think the chance for EG
discussion is warranted here.

Ed

-- 
| edward.burns_at_oracle.com | office: +1 407 458 0017
[1] https://java.net/jira/browse/JAVASERVERFACES_SPEC_PUBLIC-1433
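
The following is an added example, not part of the original message and not code from any JSF implementation. It is a simplified plain-Java model of the first step of UIInput.validate() as worded in the proposal, run against a constructed postback that carries userName but no password entry. The Input record, the Outcome enum, the actionReached helper and the use of bare component ids as request keys are assumptions made for illustration.

```java
import java.util.List;
import java.util.Map;

// Simplified model of the proposed first step of UIInput.validate().
// Not JSF implementation code. Requires Java 16+ (records).
public class RequiredValidationModel {

    // Hypothetical stand-in for a UIInput component.
    record Input(String id, boolean required) {}

    enum Outcome { SKIPPED, INVALID_REQUIRED, VALIDATORS_RAN }

    static Outcome validate(Input in, Map<String, String> request, boolean alwaysValidate) {
        String submitted = request.get(in.id()); // null models getSubmittedValue() == null
        if (submitted == null && !(alwaysValidate && in.required())) {
            return Outcome.SKIPPED;              // "exit without further processing"
        }
        if (submitted == null || submitted.isEmpty()) {
            // Empty-field validator settings are not modelled here.
            return in.required() ? Outcome.INVALID_REQUIRED : Outcome.SKIPPED;
        }
        // Attached validators (e.g. backingBean.validatePassword) would be called here;
        // their own pass/fail result is not modelled.
        return Outcome.VALIDATORS_RAN;
    }

    // The command button's action is reached only when no component was marked invalid.
    static boolean actionReached(List<Input> form, Map<String, String> request,
                                 boolean alwaysValidate) {
        return form.stream()
                   .noneMatch(in -> validate(in, request, alwaysValidate)
                                    == Outcome.INVALID_REQUIRED);
    }

    public static void main(String[] args) {
        List<Input> form = List.of(new Input("userName", true), new Input("password", true));
        // Constructed postback: the password parameter is absent, not merely empty.
        Map<String, String> request = Map.of("userName", "alice");
        for (boolean flag : new boolean[] {false, true}) {
            System.out.println("ALWAYS_PERFORM_VALIDATION_WHEN_REQUIRED_IS_TRUE=" + flag);
            for (Input in : form) {
                System.out.println("  " + in.id() + " -> " + validate(in, request, flag));
            }
            System.out.println("  action reached: " + actionReached(form, request, flag));
        }
    }
}
```

With the context-parameter unset or false, the password component is skipped and the model reports the action as reached; with it set to true, the same postback marks the password component invalid before any action runs.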