users@javaserverfaces-spec-public.java.net

[jsr344-experts mirror] [jsr344-experts] [220-ViewStateParamNameOnly] PROVISIONALLY RESOLVED

From: Edward Burns <edward.burns_at_oracle.com>
Date: Thu, 9 Feb 2012 08:21:39 -0800

>>>>> On Tue, 7 Feb 2012 06:31:29 -0800, Edward Burns <edward.burns_at_oracle.com> said:

>>>>> On Tue, 7 Feb 2012 00:10:01 +0100, Imre Oßwald <ioss_at_pmx.jevelopers.com> said:
IO> I just copied the revised proposal for reference, see the previous
IO> post for context.

EB> Now it's starting to look suspiciously like viewState should be
EB> encoded/decoded just like a component. I wonder why we didn't do it
EB> that way eight years ago?

EB> * Change the contract for the Ajax XML response to require that the
EB> <partial-response> element now have an "id" attribute whose value is
EB> the return from UIViewRoot.getContainerClientId()

IO> The problem with this proposal, is that we would have the same id
IO> again for multiple forms on one page.

EB> Quatsch. You're right.

EB> It seems we have two problems here, really.

EB> 1. XML correctness of the ViewState hidden field

EB> 2. Use of the ViewState hidden field in multi-form and portlet
EB> scenarios.

EB> Ted's proposal, currently implemented, solves 2. Here is my addition to
EB> it that does solve 1. I'll reword it in the context of the spec, but
EB> this rendering of the idea is just for email.

EB> Let "ViewState Markup" refer to any markup that renders the ViewState.
EB> Currently there are two occurrences of this: the hidden field, and the
EB> <update> element in the Ajax XML response with the ViewState.

EB> For any part of the spec that defines the rendering requirements of the
EB> ViewState Markup, make it so the "id" attribute of that markup conforms
EB> to this contract.

EB> UIViewRoot.getContainerClientId() +
EB> UINamingContainer.getSeparatorChar() +
EB> "javax.faces.ViewState" +
EB> UIViewRoot.createUniqueId()

EB> How's that?

Turns out that one of our automated tests caught a flaw in this
reasoning. The use of UIViewRoot.createUniqueId() in obtaining the id
of the ViewState field changes the state of the UIViewRoot instance, due
to its counter being incremented by the act of calling
createUniqueId(). I have changed the spec and implementation to be
this:

M jsf-api/src/main/java/javax/faces/render/ResponseStateManager.java

- The javadoc for the VIEW_PARAM_NAME field is now:

    /**
     * <p><span class="changed_modified_2_0
     * changed_modified_2_2">Implementations</span> must use this
     * constant field value as the name of the client parameter in which
     * to save the state between requests. <span
     * class="changed_added_2_2">The <code>id</code> attribute must be a
     * concatenation of the return from {@link
     * javax.faces.component.UIViewRoot#getContainerClientId}, the
     * return from {@link
     * javax.faces.component.UINamingContainer#getSeparatorChar}, this
     * constant field value, the separator char, and a number that is
     * guaranteed to be unique with respect to all the other instances of
     * this kind of client parameter in the view.</span>
     *
     * </span></p>

     * <p class="changed_added_2_0">It is strongly recommend that
     * implementations guard against cross site scripting attacks by at
     * least making the value of this parameter difficult to
     * predict.</p>
     *
     * @since 1.2
     */

    public static final String VIEW_STATE_PARAM = "javax.faces.ViewState";

There are several important changes in this issue. Here is the complete
changebundle.

Those that care about this issue are encouraged to read and respond.
I'd really like to call this closed, however.

If you want to view the javadoc online, you may look at the nightly
snapshot. Visit

https://maven.java.net/index.html#nexus-search;gav~javax.faces~javax.faces-api~2.2-SNAPSHOT~~

and use the archive browser to browse to the index.html of the javadoc
jar.

Ed

XHTML Correctness and Portlet Usefulness of ViewState http://java.net/jira/browse/JAVASERVERFACES_SPEC_PUBLIC-220


SECTION: Modified Files
----------------------------
M jsf-api/src/main/java/javax/faces/render/ResponseStateManager.java

- The javadoc for the VIEW_PARAM_NAME field is now:

    /**
     * <p><span class="changed_modified_2_0
     * changed_modified_2_2">Implementations</span> must use this
     * constant field value as the name of the client parameter in which
     * to save the state between requests. <span
     * class="changed_added_2_2">The <code>id</code> attribute must be a
     * concatenation of the return from {@link
     * javax.faces.component.UIViewRoot#getContainerClientId}, the
     * return from {@link
     * javax.faces.component.UINamingContainer#getSeparatorChar}, this
     * constant field value, the separator char, and a number that is
     * guaranteed to be unique with respect to all the other instances of
     * this kind of client parameter in the view.</span>
     *
     * </span></p>

     * <p class="changed_added_2_0">It is strongly recommend that
     * implementations guard against cross site scripting attacks by at
     * least making the value of this parameter difficult to
     * predict.</p>
     *
     * @since 1.2
     */

    public static final String VIEW_STATE_PARAM = "javax.faces.ViewState";

M jsf-api/src/main/java/javax/faces/context/PartialResponseWriter.java
A jsf-api/doc/web-partialresponse_2_2.xsd

- Increment version.

- Add this requirement to the spec for the <partial-response> element.

                This element must have an "id" attribute whose value is the return from
                calling getContainerClientId() on the UIViewRoot to which this response
                pertains.

M jsf-api/src/main/java/javax/faces/context/FacesContext.java
M jsf-api/src/main/java/javax/faces/context/FacesContextWrapper.java

- add method:

    /**
     * <p class="changed_added_2_2">Return the result of calling {@link
     * UINamingContainer#getSeparatorChar}, passing <code>this</code> as
     * the argument. Note that this enables accessing the value of this
     * property from the EL expression
     * <code>#{facesContext.namingContainerSeparatorChar}</code>.</p>
     */

    public char getNamingContainerSeparatorChar() {
        return UINamingContainer.getSeparatorChar(this);
    }

    The necessity for this is evident from the explanation of changes in
    the next file.

M jsf-api/src/main/resources/jsf.js

- Add this field:

    /**
     * <p class="changed_added_2_2">The result of calling
     * <code>UINamingContainer.getNamingContainerSeparatorChar()</code>.</p>
     */
    jsf.separatorchar = '#{facesContext.namingContainerSeparatorChar}';

  Two reasons account for this surprising occurrence of EL in the jsf.js.

  1. Long ago, someone thought it would be a good idea to have a
     context-param that lets the app developer modify the naming
     container separator character. The EG agreed so we have to support
     it.

  2. in doUpdate(), account for the modified formatting of the ViewState, which
     includes parsing for the separator char.

M jsf-ri/src/main/java/com/sun/faces/context/PartialViewContextImpl.java
M jsf-ri/src/main/java/com/sun/faces/renderkit/StateHelper.java
M jsf-ri/src/main/java/com/sun/faces/renderkit/ClientSideStateHelper.java
M jsf-ri/src/main/java/com/sun/faces/renderkit/ServerSideStateHelper.java

- Adhere to the new spec requirements for the rendering of the id field.

M jsf-ri/src/main/java/com/sun/faces/application/resource/ResourceHelper.java

- Modify resourceSupportsEL() to take the libraryName. Use libraryName
  and resourceName to say that jsf.js supports EL.

M jsf-ri/src/main/java/com/sun/faces/application/resource/WebappResourceHelper.java
M jsf-ri/src/main/java/com/sun/faces/application/resource/ClasspathResourceHelper.java

- Modify callsites for resourceSupportsEL().

M jsf-ri/src/main/java/com/sun/faces/util/Util.java

- public static String getViewStateId(FacesContext context)

M jsf-ri/web/test/TestLifecycleImpl_initial_correct
M jsf-ri/web/test/RenderResponse_correct
M jsf-ri/web/test/TestViewHandlerImpl_correct
M jsf-ri/systest/src/com/sun/faces/systest/jsp/htmltaglib/HtmlTaglibTestCase.java
M jsf-ri/systest/web/regexp/converter06.txt
M jsf-ri/systest/build-tests.xml
M jsf-ri/systest-per-webapp/no-web-xml/src/java/com/sun/faces/systest/NoWebXMLTestCase.java
M jsf-test/JAVASERVERFACES-1655/htmlunit/src/main/java/com/sun/faces/systest/InitialTestCase.java
M lib/jsf-extensions-test-time.jar
M jsf-demo/archive/renderkits/src/script/http-svg.es
M jsf-demo/archive/renderkits/src/script/http-xul.es

- Changes to accommodate new ViewState capabilities.

M jsf-test/build.xml
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_server_state_war
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_server_state_war/src
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_server_state_war/src/main
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_server_state_war/src/main/java
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_server_state_war/src/main/java/com
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_server_state_war/src/main/java/com/sun
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_server_state_war/src/main/java/com/sun/faces
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_server_state_war/src/main/java/com/sun/faces/test
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_server_state_war/src/main/java/com/sun/faces/test/i_spec_220_server_state_war
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_server_state_war/src/main/java/com/sun/faces/test/i_spec_220_server_state_war/UserBean.java
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_server_state_war/src/main/webapp
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_server_state_war/src/main/webapp/main.xhtml
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_server_state_war/src/main/webapp/WEB-INF
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_server_state_war/src/main/webapp/WEB-INF/beans.xml
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_server_state_war/src/main/webapp/WEB-INF/web.xml
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_server_state_war/pom.xml
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_htmlunit
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_htmlunit/src
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_htmlunit/src/main
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_htmlunit/src/main/java
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_htmlunit/src/main/java/com
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_htmlunit/src/main/java/com/sun
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_htmlunit/src/main/java/com/sun/faces
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_htmlunit/src/main/java/com/sun/faces/test
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_htmlunit/src/main/java/com/sun/faces/test/i_spec_220_htmlunit
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_htmlunit/src/main/java/com/sun/faces/test/i_spec_220_htmlunit/IssueSpec220TestCase.java
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_htmlunit/src/main/resources
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_htmlunit/pom.xml
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_client_state_war
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_client_state_war/src
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_client_state_war/src/main
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_client_state_war/src/main/java
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_client_state_war/src/main/java/com
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_client_state_war/src/main/java/com/sun
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_client_state_war/src/main/java/com/sun/faces
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_client_state_war/src/main/java/com/sun/faces/test
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_client_state_war/src/main/java/com/sun/faces/test/i_spec_220_client_state_war
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_client_state_war/src/main/java/com/sun/faces/test/i_spec_220_client_state_war/UserBean.java
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_client_state_war/src/main/webapp
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_client_state_war/src/main/webapp/main.xhtml
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_client_state_war/src/main/webapp/WEB-INF
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_client_state_war/src/main/webapp/WEB-INF/beans.xml
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_client_state_war/src/main/webapp/WEB-INF/web.xml
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/i_spec_220_client_state_war/pom.xml
A jsf-test/JAVASERVERFACES_SPEC_PUBLIC-220/build.xml

- New automated test.



-- 
| edward.burns_at_oracle.com | office: +1 407 458 0017
| homepage:               | http://ridingthecrest.com/
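
The id contract from the revised javadoc above, sketched as an added example that is not part of the original message and is not code from jsf.js or the reference implementation. The function names and sample ids are assumptions; it shows a per-response counter that leaves view state untouched, and parsing from the right so a configurable separator that also occurs in the container client id does not break the match.

```javascript
// Added illustration; all names here are hypothetical, not jsf.js or RI code.
const VIEW_STATE_PARAM = "javax.faces.ViewState";

// Render-scoped counter: it lives only for one response, so computing an id
// never changes persistent view state (the createUniqueId() side effect
// described in the message).
function makeViewStateIdGenerator(containerClientId, sep) {
  let counter = 0;
  return () => containerClientId + sep + VIEW_STATE_PARAM + sep + counter++;
}

// Parse from the right: the container client id (for example a portlet
// namespace) may itself contain the separator character, and the separator
// is configurable, so it is passed in rather than hard-coded.
function parseViewStateId(id, sep) {
  const lastSep = id.lastIndexOf(sep);
  if (lastSep < 0) return null; // bare "javax.faces.ViewState" has no parts
  const index = id.slice(lastSep + sep.length);
  if (!/^\d+$/.test(index)) return null; // trailing part must be the number
  const head = id.slice(0, lastSep);
  const suffix = sep + VIEW_STATE_PARAM;
  if (!head.endsWith(suffix)) return null; // not ViewState markup
  return {
    containerClientId: head.slice(0, head.length - suffix.length),
    index: Number(index),
  };
}

// Constructed sample: two forms in one view, non-default separator "-".
function demo() {
  const nextId = makeViewStateIdGenerator("portlet-A", "-");
  const ids = [nextId(), nextId()];
  return { ids, parsed: ids.map((id) => parseViewStateId(id, "-")) };
}
```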