dev@javaserverfaces.java.net

Seeking Review: JSFRI-211

From: Ed Burns <ed.burns_at_sun.com>
Date: Fri, 23 Dec 2005 11:11:55 -0800

https://javaserverfaces.dev.java.net/issues/show_bug.cgi?id=211

Issue: 211

Add init parameter for client side state password.

SECTION: Impl Changes

M jsf-ri/src/com/sun/faces/RIConstants.java

- new constant

M jsf-ri/src/com/sun/faces/renderkit/ByteArrayGuard.java

- leverage new constant

M jsf-ri/systest-per-webapp/command-link-back-button/web/WEB-INF/web.xml

- make this test run with client side state saving and the password
  set as a way to exercise this new feature.

SECTION: Impl Diffs

Index: jsf-ri/src/com/sun/faces/RIConstants.java
===================================================================
RCS file: /cvs/javaserverfaces-sources/jsf-ri/src/com/sun/faces/RIConstants.java,v
retrieving revision 1.77
diff -u -r1.77 RIConstants.java
--- jsf-ri/src/com/sun/faces/RIConstants.java 26 Aug 2005 15:26:56 -0000 1.77
+++ jsf-ri/src/com/sun/faces/RIConstants.java 23 Dec 2005 18:47:40 -0000
@@ -157,5 +157,7 @@
         
     }
 
+ public static final String CLIENT_STATE_PASSWORD = FACES_PREFIX + "ClientStatePassword";
+
 
 }
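Review bot: The new `CLIENT_STATE_PASSWORD` constant at the end of the class has no Javadoc, and its name alone does not say that it is the name of a context init parameter rather than the password itself. Going by the web.xml change in this same patch, it resolves to `com.sun.faces.ClientStatePassword`. I would add `/** Name of the context init parameter whose value is used as the client-side state password in place of the generated one; the value is a secret and must not be logged. */` above it.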
Index: jsf-ri/src/com/sun/faces/renderkit/ByteArrayGuard.java
===================================================================
RCS file: /cvs/javaserverfaces-sources/jsf-ri/src/com/sun/faces/renderkit/ByteArrayGuard.java,v
retrieving revision 1.8
diff -u -r1.8 ByteArrayGuard.java
--- jsf-ri/src/com/sun/faces/renderkit/ByteArrayGuard.java 26 Aug 2005 15:27:09 -0000 1.8
+++ jsf-ri/src/com/sun/faces/renderkit/ByteArrayGuard.java 23 Dec 2005 18:47:40 -0000
@@ -29,6 +29,7 @@
 
 package com.sun.faces.renderkit;
 
+import com.sun.faces.RIConstants;
 import java.io.IOException;
 import java.security.Key;
 import java.security.MessageDigest;
@@ -93,6 +94,11 @@
         this.ivLength = ivLength;
         
         // generate random password in memory
+ FacesContext context = FacesContext.getCurrentInstance();
+ assert(null != context); // This ctor should happen lazily on the first
+ // run through the lifecycle. Therefore, we must have a FacesContext
+ passwordFromConfig = context.getExternalContext().
+ getInitParameter(RIConstants.CLIENT_STATE_PASSWORD);
         this.password = getRandomString(DEFAULT_PASSWORD_LENGTH);
     }
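Review bot: `assert(null != context)` in the constructor does nothing unless the JVM runs with `-ea`, so in a normal deployment a missing FacesContext surfaces as a bare NullPointerException on the following `context.getExternalContext()` call; an explicit check that throws `IllegalStateException` makes the failure clear. The configured value is also taken as-is, so an empty or whitespace-only `com.sun.faces.ClientStatePassword` would become the secret that presumably protects the client-side state. Treat a blank value as "not configured" and fall back to the random password. The `// generate random password in memory` comment now sits above the config lookup and should move down to the `getRandomString` line. The constructor starts outside the hunk.

```java
        // … unchanged: this.ivLength = ivLength; …
        FacesContext context = FacesContext.getCurrentInstance();
        if (context == null) {
            // This ctor should happen lazily on the first run through the
            // lifecycle, so a FacesContext must exist.
            throw new IllegalStateException(
                "ByteArrayGuard must be created while a FacesContext is active");
        }
        String configured = context.getExternalContext().
            getInitParameter(RIConstants.CLIENT_STATE_PASSWORD);
        // a blank value must never become the state-protection secret
        passwordFromConfig =
            (configured == null || configured.trim().length() == 0) ? null : configured;
        // generate random password in memory (used when none is configured)
        this.password = getRandomString(DEFAULT_PASSWORD_LENGTH);
```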
     
@@ -211,6 +217,9 @@
      * </ol>
      */
     private String getPasswordToSecureState(FacesContext context) {
+ if (null != passwordFromConfig) {
+ return passwordFromConfig;
+ }
         // default is to use application scoped password
         String statePwd = this.password;
         
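Review bot: The Javadoc that closes just above `getPasswordToSecureState` appears to list the password sources in order (only its `</ol>` is visible here), but the new early return makes the configured password win over all of them and the list is not updated. Add a first item such as `<li>the value of the com.sun.faces.ClientStatePassword context init parameter, if set</li>`. The comment should also state that a configured password is a single static secret shared by every session and every deployment that ships the same web.xml, unlike the password generated in memory at startup. The method body continues outside the hunk.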
@@ -379,5 +388,6 @@
     private final int macLength;
     private final int ivLength;
     private final String password;
+ private final String passwordFromConfig;
     private static SecureRandom prng = null;
 }
Index: jsf-ri/systest-per-webapp/command-link-back-button/web/WEB-INF/web.xml
===================================================================
RCS file: /cvs/javaserverfaces-sources/jsf-ri/systest-per-webapp/command-link-back-button/web/WEB-INF/web.xml,v
retrieving revision 1.3
diff -u -r1.3 web.xml
--- jsf-ri/systest-per-webapp/command-link-back-button/web/WEB-INF/web.xml 22 Aug 2005 22:10:48 -0000 1.3
+++ jsf-ri/systest-per-webapp/command-link-back-button/web/WEB-INF/web.xml 23 Dec 2005 18:47:41 -0000
@@ -49,6 +49,10 @@
         <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
         <param-value>client</param-value>
     </context-param>
+ <context-param>
+ <param-name>com.sun.faces.ClientStatePassword</param-name>
+ <param-value>command-link-back-button</param-value>
+ </context-param>
 
     <!-- Faces Servlet -->
     <servlet>
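Review bot: The sample value `command-link-back-button` is the test application's own name, so it is trivially guessable, and test descriptors tend to get copied into real deployments. Mark it as test-only with a comment above the new `<context-param>`, for example `<!-- Test-only value: real deployments need a long random secret that is kept out of source control -->`. The `<servlet>` element continues outside the hunk.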

-- 
| ed.burns_at_sun.com  | {home: 407 869 9587, office: 408 884 9519 OR x31640}
| homepage:         | http://purl.oclc.org/NET/edburns/
| aim: edburns0sunw | iim: ed.burns_at_sun.com