Posted to commits@myfaces.apache.org by ta...@apache.org on 2018/01/29 19:30:41 UTC
svn commit: r1822567 - in
/myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces:
application/ application/viewstate/ application/viewstate/token/ renderkit/
renderkit/html/
Author: tandraschko
Date: Mon Jan 29 19:30:40 2018
New Revision: 1822567
URL: http://svn.apache.org/viewvc?rev=1822567&view=rev
Log:
MYFACES-4133 - Don't deserialize the ViewState-ID if the state saving method is server
Added:
myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/viewstate/token/
myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/viewstate/token/ClientSideStateTokenProcessor.java
myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/viewstate/token/ServiceSideStateTokenProcessor.java
myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/viewstate/token/StateTokenProcessor.java
- copied, changed from r1822554, myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/renderkit/StateTokenProcessor.java
Removed:
myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/viewstate/CounterKeyFactory.java
myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/viewstate/CounterSessionViewStorageFactory.java
myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/renderkit/StateTokenProcessor.java
Modified:
myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/StateCache.java
myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/viewstate/ClientSideStateCacheImpl.java
myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/viewstate/ServerSideStateCacheImpl.java
myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/renderkit/html/HtmlResponseStateManager.java
Modified: myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/StateCache.java
URL: http://svn.apache.org/viewvc/myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/StateCache.java?rev=1822567&r1=1822566&r2=1822567&view=diff
==============================================================================
--- myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/StateCache.java (original)
+++ myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/StateCache.java Mon Jan 29 19:30:40 2018
@@ -19,6 +19,7 @@
package org.apache.myfaces.application;
import javax.faces.context.FacesContext;
+import org.apache.myfaces.application.viewstate.token.StateTokenProcessor;
import org.apache.myfaces.buildtools.maven2.plugin.builder.annotation.JSFWebConfigParam;
/**
@@ -124,4 +125,7 @@ public abstract class StateCache<K, V>
* @return
*/
public abstract String createCryptographicallyStrongTokenFromSession(FacesContext context);
+
+
+ public abstract StateTokenProcessor getStateTokenProcessor(FacesContext context);
}
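Review bot: Declaring `getStateTokenProcessor` as `abstract` on `StateCache` breaks every subclass that is not part of this commit. HtmlResponseStateManager obtains its cache through `StateCacheProvider`, so presumably external providers can supply their own `StateCache`; those would stop compiling, or fail with `AbstractMethodError` at runtime, on a maintenance branch. Consider a non-abstract default that keeps the previous behaviour. The method also needs a Javadoc, for example `/** Returns the processor that encodes and decodes the view state token for this cache's state saving method; never null. */`. The class body starts outside the hunk.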
Modified: myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/viewstate/ClientSideStateCacheImpl.java
URL: http://svn.apache.org/viewvc/myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/viewstate/ClientSideStateCacheImpl.java?rev=1822567&r1=1822566&r2=1822567&view=diff
==============================================================================
--- myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/viewstate/ClientSideStateCacheImpl.java (original)
+++ myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/viewstate/ClientSideStateCacheImpl.java Mon Jan 29 19:30:40 2018
@@ -22,6 +22,8 @@ import javax.faces.context.ExternalConte
import javax.faces.context.FacesContext;
import org.apache.myfaces.application.StateCache;
+import org.apache.myfaces.application.viewstate.token.ClientSideStateTokenProcessor;
+import org.apache.myfaces.application.viewstate.token.StateTokenProcessor;
import org.apache.myfaces.buildtools.maven2.plugin.builder.annotation.JSFWebConfigParam;
import org.apache.myfaces.shared.util.WebConfigParamUtils;
@@ -47,6 +49,7 @@ class ClientSideStateCacheImpl extends S
private Long _clientViewStateTimeout;
private CsrfSessionTokenFactory csrfSessionTokenFactory;
+ private StateTokenProcessor stateTokenProcessor;
public ClientSideStateCacheImpl()
{
@@ -63,6 +66,8 @@ class ClientSideStateCacheImpl extends S
{
csrfSessionTokenFactory = new RandomCsrfSessionTokenFactory(facesContext);
}
+
+ stateTokenProcessor = new ClientSideStateTokenProcessor();
}
@Override
@@ -196,4 +201,10 @@ class ClientSideStateCacheImpl extends S
{
return csrfSessionTokenFactory.createCryptographicallyStrongTokenFromSession(context);
}
+
+ @Override
+ public StateTokenProcessor getStateTokenProcessor(FacesContext context)
+ {
+ return stateTokenProcessor;
+ }
}
Modified: myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/viewstate/ServerSideStateCacheImpl.java
URL: http://svn.apache.org/viewvc/myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/viewstate/ServerSideStateCacheImpl.java?rev=1822567&r1=1822566&r2=1822567&view=diff
==============================================================================
--- myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/viewstate/ServerSideStateCacheImpl.java (original)
+++ myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/viewstate/ServerSideStateCacheImpl.java Mon Jan 29 19:30:40 2018
@@ -41,6 +41,8 @@ import javax.faces.context.FacesContext;
import javax.faces.lifecycle.ClientWindow;
import org.apache.myfaces.application.StateCache;
+import org.apache.myfaces.application.viewstate.token.ServiceSideStateTokenProcessor;
+import org.apache.myfaces.application.viewstate.token.StateTokenProcessor;
import org.apache.myfaces.buildtools.maven2.plugin.builder.annotation.JSFWebConfigParam;
import org.apache.myfaces.shared.config.MyfacesConfig;
import org.apache.myfaces.shared.renderkit.RendererUtils;
@@ -131,8 +133,8 @@ class ServerSideStateCacheImpl extends S
/**
* Adds a random key to the generated view state session token.
*/
- @JSFWebConfigParam(since="2.1.9, 2.0.15", expectedValues="secureRandom, random, none",
- defaultValue="none", group="state")
+ @JSFWebConfigParam(since="2.1.9, 2.0.15", expectedValues="secureRandom, random",
+ defaultValue="random", group="state")
public static final String RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_PARAM
= "org.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN";
public static final String RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_PARAM_DEFAULT =
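Review bot: The Javadoc above the annotation still reads only "Adds a random key to the generated view state session token" and does not say that "none" was removed or what happens to deployments that still configure it. I would extend it along the lines of `Selects the generator for the view state session token key; "none" is no longer supported and falls back to "random".` The value of `RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_PARAM_DEFAULT` is cut off by the hunk, so confirm it was changed to match the new `defaultValue="random"`.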
@@ -180,8 +182,8 @@ class ServerSideStateCacheImpl extends S
private boolean _numberOfSequentialViewsInSessionSet = false;
private SessionViewStorageFactory sessionViewStorageFactory;
-
private CsrfSessionTokenFactory csrfSessionTokenFactory;
+ private StateTokenProcessor stateTokenProcessor;
public ServerSideStateCacheImpl()
{
@@ -201,7 +203,13 @@ class ServerSideStateCacheImpl extends S
}
else
{
- sessionViewStorageFactory = new CounterSessionViewStorageFactory(new CounterKeyFactory());
+ if (randomMode != null && !randomMode.isEmpty()) {
+ log.warning(RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN_PARAM + " \""
+ + randomMode + "\" is not supported (anymore)."
+ + " Fallback to \"random\"");
+ }
+ sessionViewStorageFactory = new RandomSessionViewStorageFactory(
+ new RandomKeyFactory(facesContext));
}
String csrfRandomMode = WebConfigParamUtils.getStringInitParameter(facesContext.getExternalContext(),
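Review bot: The fallback branch now picks `RandomKeyFactory` for every unset or unrecognised value, while the stronger generator stays opt-in behind "secureRandom". The key generated here is what the client sends back as the view state id, and JSF relies on that value being unguessable as its implicit CSRF protection. `RandomKeyFactory` is not part of this commit, but if it is backed by a non-cryptographic PRNG, the default would be safer as the secure variant, with "random" left as the explicit opt-out. As a style point, the new `if (randomMode != null && !randomMode.isEmpty()) {` puts the brace on the same line, while the surrounding code puts braces on their own line. The constructor body starts and ends outside the hunk.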
@@ -215,6 +223,8 @@ class ServerSideStateCacheImpl extends S
{
csrfSessionTokenFactory = new RandomCsrfSessionTokenFactory(facesContext);
}
+
+ stateTokenProcessor = new ServiceSideStateTokenProcessor();
}
//------------------------------------- METHODS COPIED FROM JspStateManagerImpl--------------------------------
@@ -581,17 +591,7 @@ class ServerSideStateCacheImpl extends S
}
}
}
- catch (PrivilegedActionException e)
- {
- log.log(Level.SEVERE, "Exiting deserializeView - Could not deserialize state: " + e.getMessage(), e);
- return null;
- }
- catch (IOException e)
- {
- log.log(Level.SEVERE, "Exiting deserializeView - Could not deserialize state: " + e.getMessage(), e);
- return null;
- }
- catch (ClassNotFoundException e)
+ catch (PrivilegedActionException | IOException | ClassNotFoundException e)
{
log.log(Level.SEVERE, "Exiting deserializeView - Could not deserialize state: " + e.getMessage(), e);
return null;
@@ -705,4 +705,10 @@ class ServerSideStateCacheImpl extends S
{
return csrfSessionTokenFactory.createCryptographicallyStrongTokenFromSession(context);
}
+
+ @Override
+ public StateTokenProcessor getStateTokenProcessor(FacesContext context)
+ {
+ return stateTokenProcessor;
+ }
}
Added: myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/viewstate/token/ClientSideStateTokenProcessor.java
URL: http://svn.apache.org/viewvc/myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/viewstate/token/ClientSideStateTokenProcessor.java?rev=1822567&view=auto
==============================================================================
--- myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/viewstate/token/ClientSideStateTokenProcessor.java (added)
+++ myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/viewstate/token/ClientSideStateTokenProcessor.java Mon Jan 29 19:30:40 2018
@@ -0,0 +1,53 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.myfaces.application.viewstate.token;
+
+import javax.faces.context.FacesContext;
+import org.apache.myfaces.shared.util.StateUtils;
+
+/**
+ *
+ * @author Thomas Andraschko
+ */
+public class ClientSideStateTokenProcessor extends StateTokenProcessor
+{
+ @Override
+ public Object decode(FacesContext facesContext, String token)
+ {
+ if (STATELESS_TOKEN.equals(token))
+ {
+ // Should not happen, because ResponseStateManager.isStateless(context,viewId) should
+ // catch it first
+ return null;
+ }
+ Object savedStateObject = StateUtils.reconstruct((String)token, facesContext.getExternalContext());
+ return savedStateObject;
+ }
+
+ @Override
+ public String encode(FacesContext facesContext, Object savedStateObject)
+ {
+ if (facesContext.getViewRoot().isTransient())
+ {
+ return STATELESS_TOKEN;
+ }
+ String serializedState = StateUtils.construct(savedStateObject, facesContext.getExternalContext());
+ return serializedState;
+ }
+}
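Review bot: The class Javadoc is empty apart from `@author`, although this is the one processor that still hands the request-supplied token to `StateUtils.reconstruct`, which going by the commit log is the deserialization path. The class comment should state that it is meant only for client-side state saving and that integrity protection of the token is whatever `StateUtils.reconstruct` applies (not visible in this commit), for example `Reconstructs the saved state from the token sent by the client; use only when the state saving method is client.` The `(String)` cast on `token` in `decode` is redundant because the parameter is already a `String`.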
Added: myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/viewstate/token/ServiceSideStateTokenProcessor.java
URL: http://svn.apache.org/viewvc/myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/viewstate/token/ServiceSideStateTokenProcessor.java?rev=1822567&view=auto
==============================================================================
--- myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/viewstate/token/ServiceSideStateTokenProcessor.java (added)
+++ myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/viewstate/token/ServiceSideStateTokenProcessor.java Mon Jan 29 19:30:40 2018
@@ -0,0 +1,80 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.myfaces.application.viewstate.token;
+
+import java.io.UnsupportedEncodingException;
+import javax.faces.FacesException;
+import javax.faces.context.FacesContext;
+import org.apache.myfaces.shared.util.StateUtils;
+
+/**
+ *
+ * @author Thomas Andraschko
+ */
+public class ServiceSideStateTokenProcessor extends StateTokenProcessor
+{
+ @Override
+ public Object decode(FacesContext facesContext, String token)
+ {
+ if (STATELESS_TOKEN.equals(token))
+ {
+ // Should not happen, because ResponseStateManager.isStateless(context,viewId) should
+ // catch it first
+ return null;
+ }
+
+ try
+ {
+ byte[] tokenBytes = token.getBytes(StateUtils.ZIP_CHARSET);
+ byte[] tokenBytesDecoded = StateUtils.decode(tokenBytes);
+ String tokenDecoded = new String(tokenBytesDecoded, StateUtils.ZIP_CHARSET);
+
+ return tokenDecoded;
+ }
+ catch (UnsupportedEncodingException e)
+ {
+ throw new FacesException(e);
+ }
+
+ }
+
+ @Override
+ public String encode(FacesContext facesContext, Object savedStateObject)
+ {
+ if (facesContext.getViewRoot().isTransient())
+ {
+ return STATELESS_TOKEN;
+ }
+
+ try
+ {
+ // string from #encodeSerializedState
+ String token = (String) savedStateObject;
+ byte[] tokenBytes = token.getBytes(StateUtils.ZIP_CHARSET);
+ byte[] tokenBytesEncoded = StateUtils.encode(tokenBytes);
+ String tokenEncoded = new String(tokenBytesEncoded, StateUtils.ZIP_CHARSET);
+
+ return tokenEncoded;
+ }
+ catch (UnsupportedEncodingException e)
+ {
+ throw new FacesException(e);
+ }
+ }
+}
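Review bot: `encode` casts `savedStateObject` to `String` unchecked, so a cache whose `saveSerializedView` returns anything else fails with a bare `ClassCastException` during rendering; the comment only points at `#encodeSerializedState`, which is outside this commit. A guard such as `if (!(savedStateObject instanceof String)) { throw new FacesException("server-side view state token must be a String"); }` would make the contract explicit. In `decode` the token comes straight from the request, and how `StateUtils.decode` reacts to malformed input is not visible here, so it is worth confirming that such input is rejected cleanly. The class is named `ServiceSide…` while the cache it pairs with is `ServerSideStateCacheImpl`; presumably `ServerSide…` was intended.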
Copied: myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/viewstate/token/StateTokenProcessor.java (from r1822554, myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/renderkit/StateTokenProcessor.java)
URL: http://svn.apache.org/viewvc/myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/viewstate/token/StateTokenProcessor.java?p2=myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/viewstate/token/StateTokenProcessor.java&p1=myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/renderkit/StateTokenProcessor.java&r1=1822554&r2=1822567&rev=1822567&view=diff
==============================================================================
--- myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/renderkit/StateTokenProcessor.java (original)
+++ myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/application/viewstate/token/StateTokenProcessor.java Mon Jan 29 19:30:40 2018
@@ -16,7 +16,7 @@
* specific language governing permissions and limitations
* under the License.
*/
-package org.apache.myfaces.renderkit;
+package org.apache.myfaces.application.viewstate.token;
import javax.faces.context.FacesContext;
@@ -26,9 +26,14 @@ import javax.faces.context.FacesContext;
*/
public abstract class StateTokenProcessor
{
+ public static final String STATELESS_TOKEN = "stateless";
+
public abstract Object decode(FacesContext facesContext, String token);
public abstract String encode(FacesContext facesContext, Object savedStateObject);
- public abstract boolean isStateless(FacesContext facesContext, String token);
+ public boolean isStateless(FacesContext facesContext, String token)
+ {
+ return STATELESS_TOKEN.equals(token);
+ }
}
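Review bot: The abstract class does not document what `decode` returns, and the two implementations added in this commit differ: `ClientSideStateTokenProcessor.decode` returns the object produced by `StateUtils.reconstruct`, whereas `ServiceSideStateTokenProcessor.decode` returns the decoded token as a `String`. A Javadoc on `decode` and `encode` should state that `token` is client-supplied and that the returned type depends on the state saving method, so callers do not assume a deserialized state object. `STATELESS_TOKEN` is now public and deserves a one-line comment such as `/** Token value rendered for transient (stateless) views. */`.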
Modified: myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/renderkit/html/HtmlResponseStateManager.java
URL: http://svn.apache.org/viewvc/myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/renderkit/html/HtmlResponseStateManager.java?rev=1822567&r1=1822566&r2=1822567&view=diff
==============================================================================
--- myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/renderkit/html/HtmlResponseStateManager.java (original)
+++ myfaces/core/branches/2.3.x/impl/src/main/java/org/apache/myfaces/renderkit/html/HtmlResponseStateManager.java Mon Jan 29 19:30:40 2018
@@ -32,10 +32,8 @@ import javax.faces.render.ResponseStateM
import org.apache.myfaces.application.StateCache;
import org.apache.myfaces.buildtools.maven2.plugin.builder.annotation.JSFWebConfigParam;
import org.apache.myfaces.renderkit.MyfacesResponseStateManager;
-import org.apache.myfaces.renderkit.StateTokenProcessor;
import org.apache.myfaces.shared.config.MyfacesConfig;
import org.apache.myfaces.shared.renderkit.html.HTML;
-import org.apache.myfaces.shared.util.StateUtils;
import org.apache.myfaces.shared.util.WebConfigParamUtils;
import org.apache.myfaces.spi.StateCacheProvider;
import org.apache.myfaces.spi.StateCacheProviderFactory;
@@ -65,13 +63,10 @@ public class HtmlResponseStateManager ex
private StateCacheProvider _stateCacheFactory;
- private StateTokenProcessor _stateTokenProcessor;
-
private Boolean _autoCompleteOffViewState;
public HtmlResponseStateManager()
{
- _stateTokenProcessor = new DefaultStateTokenProcessor();
_autoCompleteOffViewState = null;
}
@@ -124,7 +119,8 @@ public class HtmlResponseStateManager ex
private void writeViewStateField(FacesContext facesContext, ResponseWriter responseWriter, Object savedState)
throws IOException
{
- String serializedState = _stateTokenProcessor.encode(facesContext, savedState);
+ String serializedState = getStateCache(facesContext).getStateTokenProcessor(facesContext)
+ .encode(facesContext, savedState);
ExternalContext extContext = facesContext.getExternalContext();
MyfacesConfig myfacesConfig = MyfacesConfig.getCurrentInstance(extContext);
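Review bot: The lookup chain `getStateCache(facesContext).getStateTokenProcessor(facesContext)` is now repeated at four call sites (this hunk and the ones at `@@ -191`, `@@ -225` and `@@ -240`), and none of them checks the returned processor for null. A small private helper would keep this in one place, e.g. `private StateTokenProcessor getStateTokenProcessor(FacesContext ctx) { return getStateCache(ctx).getStateTokenProcessor(ctx); }`, and gives a single spot for a null check if custom caches are allowed to return null. In the `@@ -225` hunk `getStateCache(facesContext)` is called twice in consecutive statements; a local variable would avoid the second lookup. The method bodies continue outside these hunks.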
@@ -191,7 +187,8 @@ public class HtmlResponseStateManager ex
return null;
}
- Object savedStateObject = _stateTokenProcessor.decode(facesContext, (String)encodedState);
+ Object savedStateObject = getStateCache(facesContext).getStateTokenProcessor(facesContext)
+ .decode(facesContext, (String)encodedState);
return savedStateObject;
}
@@ -225,7 +222,7 @@ public class HtmlResponseStateManager ex
Object state = getStateCache(facesContext).saveSerializedView(facesContext, baseState);
- return _stateTokenProcessor.encode(facesContext, state);
+ return getStateCache(facesContext).getStateTokenProcessor(facesContext).encode(facesContext, state);
}
@Override
@@ -240,7 +237,7 @@ public class HtmlResponseStateManager ex
return false;
}
- return _stateTokenProcessor.isStateless(context, encodedState);
+ return getStateCache(context).getStateTokenProcessor(context).isStateless(context, encodedState);
}
else
{
@@ -339,41 +336,6 @@ public class HtmlResponseStateManager ex
return id;
}
- private static class DefaultStateTokenProcessor extends StateTokenProcessor
- {
- private static final String STATELESS_TOKEN = "stateless";
-
- @Override
- public Object decode(FacesContext facesContext, String token)
- {
- if (STATELESS_TOKEN.equals(token))
- {
- // Should not happen, because ResponseStateManager.isStateless(context,viewId) should
- // catch it first
- return null;
- }
- Object savedStateObject = StateUtils.reconstruct((String)token, facesContext.getExternalContext());
- return savedStateObject;
- }
-
- @Override
- public String encode(FacesContext facesContext, Object savedStateObject)
- {
- if (facesContext.getViewRoot().isTransient())
- {
- return STATELESS_TOKEN;
- }
- String serializedState = StateUtils.construct(savedStateObject, facesContext.getExternalContext());
- return serializedState;
- }
-
- @Override
- public boolean isStateless(FacesContext facesContext, String token)
- {
- return STATELESS_TOKEN.equals(token);
- }
- }
-
private boolean isAutocompleteOffViewState(FacesContext facesContext)
{
if (_autoCompleteOffViewState == null)