javax.faces.render.ResponseStateManager Maven / Gradle / Ivy
Show all versions of jsf-api Show documentation
/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 1997-2013 Oracle and/or its affiliates. All rights reserved.
*
* The contents of this file are subject to the terms of either the GNU
* General Public License Version 2 only ("GPL") or the Common Development
* and Distribution License("CDDL") (collectively, the "License"). You
* may not use this file except in compliance with the License. You can
* obtain a copy of the License at
* https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
* or packager/legal/LICENSE.txt. See the License for the specific
* language governing permissions and limitations under the License.
*
* When distributing the software, include this License Header Notice in each
* file and include the License file at packager/legal/LICENSE.txt.
*
* GPL Classpath Exception:
* Oracle designates this particular file as subject to the "Classpath"
* exception as provided by Oracle in the GPL Version 2 section of the License
* file that accompanied this code.
*
* Modifications:
* If applicable, add the following below the License Header, with the fields
* enclosed by brackets [] replaced by your own identifying information:
* "Portions Copyright [year] [name of copyright owner]"
*
* Contributor(s):
* If you wish your version of this file to be governed by only the CDDL or
* only the GPL Version 2, indicate your decision by adding "[Contributor]
* elects to include this software in this distribution under the [CDDL or GPL
* Version 2] license." If you don't indicate a single choice of license, a
* recipient has the option to distribute your version of this file under
* either the CDDL, the GPL Version 2 or to extend the choice of license to
* its licensees as provided above. However, if you add GPL Version 2 code
* and therefore, elected the GPL Version 2 license, then the option applies
* only if the new code is made subject to such option by the copyright
* holder.
*/
package javax.faces.render;
import javax.faces.context.FacesContext;
import javax.faces.context.ResponseWriter;
import javax.faces.application.StateManager;
import javax.faces.application.StateManager.SerializedView;
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
/**
*
* ResponseStateManager
* is the helper class to {@link javax.faces.application.StateManager}
* that knows the specific rendering technology being used to generate
* the response. It is a singleton abstract class, vended by the {@link
* RenderKit}. This class knows the mechanics of saving state, whether
* it be in hidden fields, session, or some combination of the two.
*/
public abstract class ResponseStateManager {
private static Logger log = Logger.getLogger("javax.faces.render");
/**
* The name of the request parameter used by the default
* implementation of {@link
* javax.faces.application.ViewHandler#calculateRenderKitId} to
* derive a RenderKit ID.
*/
public static final String RENDER_KIT_ID_PARAM =
"javax.faces.RenderKitId";
/**
* Implementations must use this
* constant field value as the name of the client parameter in which
* to save the state between requests. The id attribute must be a
* concatenation of the return from {@link
* javax.faces.component.UIViewRoot#getContainerClientId}, the
* return from {@link
* javax.faces.component.UINamingContainer#getSeparatorChar}, this
* constant field value, the separator char, and a number that is
* guaranteed to be unique with respect to all the other instances of
* this kind of client parameter in the view.
*
*
* It is strongly recommend that
* implementations guard against cross site scripting attacks by at
* least making the value of this parameter difficult to
* predict.
*
* @since 1.2
*/
public static final String VIEW_STATE_PARAM = "javax.faces.ViewState";
/**
* The name of the hidden field that
* refers to the encoded ClientWindow. This field is only used if
* {@link javax.faces.lifecycle.ClientWindow#CLIENT_WINDOW_MODE_PARAM_NAME}
* is not "none". The id attribute must be a
* concatenation of the return from {@link
* javax.faces.component.UIViewRoot#getContainerClientId}, the
* return from {@link
* javax.faces.component.UINamingContainer#getSeparatorChar}, this
* constant field value, the separator char, and a number that is
* guaranteed to be unique with respect to all the other instances of
* this kind of client parameter in the view. The value of this parameter
* is the return from {@link javax.faces.lifecycle.ClientWindow#getId}.
*
* @since 2.2
*
*/
public static final String CLIENT_WINDOW_PARAM = "javax.faces.ClientWindow";
/**
* The name of the URL query parameter for transmitting
* the client window id. This parameter is only used if
* {@link javax.faces.lifecycle.ClientWindow#CLIENT_WINDOW_MODE_PARAM_NAME}
* is not "none". The name of the parameter is given by the constant value
* of this field. The value of this parameter
* is the return from {@link javax.faces.lifecycle.ClientWindow#getId}.
*
*
* @since 2.2
*/
public static final String CLIENT_WINDOW_URL_PARAM = "jfwid";
/**
* The value of this constant is taken
* to be the name of a request parameter whose value is inspected
* to verify the safety of an incoming non-postback request with respect
* to the currently configured Set of protected views
* for this application.
*
* @since 2.2
*/
public static final String NON_POSTBACK_VIEW_TOKEN_PARAM =
"javax.faces.Token";
/**
* Take the argument
* state and write it into the
* output using the current {@link ResponseWriter}, which must be
* correctly positioned already.
*
* Call {@link FacesContext#getViewRoot()}.
* If {@link javax.faces.component.UIComponent#isTransient()}
* returns {@code true}, take implementation specific action so that the
* following call to {@link #isStateless} returns {@code true} and return.
* Otherwise, proceed as follows.
*
* If the state is to be written out to hidden fields, the
* implementation must take care to make all necessary character
* replacements to make the Strings suitable for inclusion as an
* HTTP request paramater.
*
* If the state saving method for this application is {@link
* javax.faces.application.StateManager#STATE_SAVING_METHOD_CLIENT},
* the implementation must
* encrypt the state to be saved to the
* client in a tamper evident
* manner.
*
* If the state saving method for this application is {@link
* javax.faces.application.StateManager#STATE_SAVING_METHOD_SERVER},
* and the current request is an Ajax request
* {@link javax.faces.context.PartialViewContext#isAjaxRequest} returns
* true), use the current view state identifier if it is
* available (do not generate a new identifier).
*
* Write out the render kit identifier associated with this
* ResponseStateManager implementation with the name
* as the value of the String constant
* ResponseStateManager.RENDER_KIT_ID_PARAM. The
* render kit identifier must not be written if:
*
* - it is the default render kit identifier as returned by
* {@link javax.faces.application.Application#getDefaultRenderKitId()} or
* - the render kit identfier is the value of
*
javax.faces.render.RenderKitFactory.HTML_BASIC_RENDER_KIT and
* {@link javax.faces.application.Application#getDefaultRenderKitId()} returns null.
*
*
*
* For backwards compatability with existing
* ResponseStateManager implementations, the default
* implementation of this method checks if the argument is an
* instance of SerializedView. If so, it calls through
* to {@link
* #writeState(javax.faces.context.FacesContext,javax.faces.application.StateManager.SerializedView)}.
* If not, it expects the state to be a two element Object array. It creates
* an instance of SerializedView and
* stores the state as the treeStructure, and passes it to {@link
* #writeState(javax.faces.context.FacesContext,javax.faces.application.StateManager.SerializedView)}.
*
* The {@link
* javax.faces.lifecycle.ClientWindow} must be written using these
* steps. Call {@link
* javax.faces.context.ExternalContext#getClientWindow}. If the
* result is null, take no further action regarding the
* ClientWindow. If the result is
* non-null, write a hidden field whose name is {@link
* #CLIENT_WINDOW_PARAM} and whose id is
* <VIEW_ROOT_CONTAINER_CLIENT_ID><SEP>javax.faces.ClientWindow<SEP><UNIQUE_PER_VIEW_NUMBER>
* where <SEP> is the currently configured
* UINamingContainer.getSeparatorChar().
* <VIEW_ROOT_CONTAINER_CLIENT_ID> is the return from
* UIViewRoot.getContainerClientId() on the view from
* whence this state originated. <UNIQUE_PER_VIEW_NUMBER> is
* a number that must be unique within this view, but must not be
* included in the view state. The value of the field is implementation
* dependent but must uniquely identify this window within the user's session.
*
*
* @since 1.2
*
* @param context The {@link FacesContext} instance for the current request
* @param state The serialized state information previously saved
* @throws IOException if the state argument is not an array of length 2.
*
*/
public void writeState(FacesContext context,
Object state) throws IOException {
SerializedView view;
if (state instanceof SerializedView) {
view = (SerializedView) state;
}
else {
if (state instanceof Object[]) {
Object[] stateArray = (Object[])state;
if (2 == stateArray.length) {
StateManager stateManager =
context.getApplication().getStateManager();
view = stateManager.new SerializedView(stateArray[0],
stateArray[1]);
} else {
//PENDING - I18N
if (log.isLoggable(Level.SEVERE)) {
log.log(Level.SEVERE, "State is not an expected array of length 2.");
}
throw new IOException("State is not an expected array of length 2.");
}
} else {
//PENDING - I18N
if (log.isLoggable(Level.SEVERE)) {
log.log(Level.SEVERE, "State is not an expected array of length 2.");
}
throw new IOException("State is not an expected array of length 2.");
}
}
writeState(context, view);
}
/**
* Take the argument state and write it into
* the output using the current {@link ResponseWriter}, which
* must be correctly positioned already.
*
* If the {@link
* javax.faces.application.StateManager.SerializedView} is to be
* written out to hidden fields, the implementation must take care
* to make all necessary character replacements to make the Strings
* suitable for inclusion as an HTTP request paramater.
*
* If the state saving method for this application is {@link
* javax.faces.application.StateManager#STATE_SAVING_METHOD_CLIENT},
* the implementation may encrypt the state to be saved to the
* client. We recommend that the state be unreadable by the client,
* and also be tamper evident. The reference implementation follows
* these recommendations.
*
* @deprecated This method has been replaced by {@link
* #writeState(javax.faces.context.FacesContext,java.lang.Object)}.
* The default implementation creates a two element
* Object array with the first element being the return
* from calling {@link SerializedView#getStructure}, and the second
* being the return from {@link SerializedView#getState}. It then
* passes this Object array to {@link #writeState}.
*
* @param context The {@link FacesContext} instance for the current request
* @param state The serialized state information previously saved
*
*/
public void writeState(FacesContext context,
SerializedView state) throws IOException {
if (state != null) {
writeState(context, new Object[]{state.getStructure(),
state.getState()});
}
}
/**
* If the preceding call to {@link #writeState(javax.faces.context.FacesContext, java.lang.Object)}
* was stateless, return {@code true}. If the preceding call to {@code writeState()} was
* stateful, return {@code false}. Otherwise throw {@code IllegalStateException}.
*
*
*
* To preserve backward compatibility
* with custom implementations that may have extended from an earlier
* version of this class, an implementation is provided that returns
* false. A compliant implementation must override this
* method to take the specified action.
*
*
*
* @param context The {@link FacesContext} instance for the current request
* @param viewId View identifier of the view to be restored
* @throws NullPointerException if the argument {@code context} is {@code null}.
* @throws IllegalStateException if this method is invoked and the statefulness
* of the preceding call to {@link #writeState(javax.faces.context.FacesContext, java.lang.Object)}
* cannot be determined.
*
* @since 2.2
*
*
*/
public boolean isStateless(FacesContext context, String viewId) {
return false;
}
/**
* The implementation must
* inspect the current request and return
* an Object representing the tree structure and component state
* passed in to a previous invocation of {@link
* #writeState(javax.faces.context.FacesContext,java.lang.Object)}.
*
* If the state saving method for this
* application is {@link
* javax.faces.application.StateManager#STATE_SAVING_METHOD_CLIENT},
* writeState() will have encrypted the state in a tamper
* evident manner. If the state fails to decrypt, or decrypts but
* indicates evidence of tampering, a
* {@link javax.faces.application.ProtectedViewException} must be thrown.
*
* For backwards compatability with existing
* ResponseStateManager implementations, the default
* implementation of this method calls {@link
* #getTreeStructureToRestore} and {@link
* #getComponentStateToRestore} and creates and returns a two
* element Object array with element zero containing
* the structure property and element one containing
* the state property of the
* SerializedView.
*
* @since 1.2
*
* @param context The {@link FacesContext} instance for the current request
* @param viewId View identifier of the view to be restored
*
* @return the tree structure and component state Object passed in
* to writeState. If this is an initial request, this
* method returns null.
*/
public Object getState(FacesContext context, String viewId) {
Object stateArray[] = { getTreeStructureToRestore(context, viewId),
getComponentStateToRestore(context) };
return stateArray;
}
/**
* The implementation must inspect the current request and return
* the tree structure Object passed to it on a previous invocation of
* writeState().
*
* @deprecated This method has been replaced by {@link #getState}.
* The default implementation returns null.
*
* @param context The {@link FacesContext} instance for the current request
* @param viewId View identifier of the view to be restored
*
*/
public Object getTreeStructureToRestore(FacesContext context,
String viewId) {
return null;
}
/**
* The implementation must inspect the current request and return
* the component state Object passed to it on a previous invocation
* of writeState().
*
* @deprecated This method has been replaced by {@link #getState}.
* The default implementation returns null.
*
* @param context The {@link FacesContext} instance for the current request
*
*/
public Object getComponentStateToRestore(FacesContext context) {
return null;
}
/**
* Return true if the current request is a postback. This method
* is leveraged from the Restore View Phase to determine if
* {@link javax.faces.application.ViewHandler#restoreView} or {@link
* javax.faces.application.ViewHandler#createView} should be called.
* The default implementation must return true if this
* ResponseStateManager instance wrote out state on a
* previous request to which this request is a postback,
* false otherwise.
*
* The implementation of this method for the Standard HTML
* RenderKit must consult the {@link
* javax.faces.context.ExternalContext}'s
* requestParameterMap and return true if
* and only if there is a key equal to the value of the symbolic
* constant {@link #VIEW_STATE_PARAM}.
*
* For backwards compatability with implementations of
* ResponseStateManager prior to JSF 1.2, a default
* implementation is provided that consults the {@link
* javax.faces.context.ExternalContext}'s requestParameterMap and return
* true if its size is greater than 0.
*
* @since 1.2
*/
public boolean isPostback(FacesContext context) {
return (!context.getExternalContext().getRequestParameterMap().isEmpty());
}
/**
*
* Return the specified state as a String without any markup
* related to the rendering technology supported by this ResponseStateManager.
*
*
* @param context the {@link FacesContext} for the current request
* @param state the state from which the String version will be generated
* from
* @return the view state for this request without any markup specifics
*
* @since 2.0
*/
public String getViewState(FacesContext context, Object state) {
return null;
}
/**
* Compliant implementations must return a
* cryptographically strong token for use to protect views in this
* application. For backwards compatability with earlier revisions, a
* default implementation is provided that simply returns null.
*
*
* @param context the {@link FacesContext} for the current request
*
* @return a cryptographically strong value
*
* @since 2.2
*/
public String getCryptographicallyStrongTokenFromSession(FacesContext context) {
return null;
}
}