our customer doesn't want to have session handling with cookies and it also will cause problems with an Apache/mod_rewrite gateway, so i tried to use
<tracking-mode>URL</tracking-mode>
in our web.xml. That should be all with Glassfish3/Servlet 3.0. However now i get ViewExpiredExceptions when trying to log in(it's not an AJAX request):
<p:commandButton id="submit"
value="${msg['Login.submit.label']}"
action="#{loginBean.login}"
ajax="false"/>
I also tried to save the session on the client side, than i can see the JSESSIONID in the URL but that throws NotSerializableExceptions for my #EJBs. Any ideas? Do i miss something? It used to work fine with the cookies.
UPDATE: LoginBean.login returns "Home.xhtml?faces-redirect=true", expected behaviour when clicking the commandButton: POST on Login.xhtml, my login page, redirect and GET on Home.xhtml.
SECOND UPDATE:
Looks like my action never gets called, i'm directly getting the ViewExpiredException and a HTTP 500 error code.
THIRD UPDATE:
Looks like the HttpSession is always null with tracking mode set to URL, with cookies the HttpSession is correctly created. Shouldn't the FacesServlet create a session and append the JSESSIONID in the URL if there is no session?
ANOTHER UPDATE:
With
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>client</param-value>
the session will be created on postback. But than i'm running into
java.io.NotSerializableException
.
The other option is to set restore view compability to true.
Edit your web.xml and add following code and try.
<context-param>
<param-name>com.sun.faces.enableRestoreView11Compatibility</param-name>
<param-value>true</param-value>
</context-param>
Updated:
Reference
com.sun.faces.enableRestoreView11Compatibility is a JSF 1.2 setting that tells JSF 1.2 to behave like JSF 1.1.
com.sun.faces.enableRestoreView11Compatibility == true means "do not throw a ViewExpiredException; instead, just create a new view if the old one has expired."
The IBM notes on the JSF 1.1 behaviour say:
This can have adverse behaviors because it is a new view, and items that are usually in the view, such as state, are no longer be there.
The default JSF 1.2 behaviour is defined in the spec as this:
If the request is a postback, call ViewHandler.restoreView(), passing the FacesContext instance for the current request and the view identifier, and returning a UIViewRoot for the restored view. If the return from ViewHandler.restoreView() is null, throw a ViewExpiredException with an appropriate error message. javax.faces.application.ViewExpiredException is a FacesException` that must be thrown to signal to the application that the expected view was not returned for the view identifier. An application may choose to perform some action based on this exception.
To have a ViewExpiredException thrown when the view expires, remove the com.sun.faces.enableRestoreView11Compatibility parameter or set it to false.
The com.sun namespace suggests that the parameter is a Sun/Mojarra and derived implementation-specific setting, so it probably will not work with all JSF implementations.
Fixed by updating Mojarra. My Glassfish 3.1.2.2 came with Mojarra 2.1.6 and this bug:
https://java.net/jira/browse/JAVASERVERFACES-2143
Updated to 2.1.22 and everything works.
Related
I am trying to invoke a method annotated with #PreDestroy in a #ViewScoped bean when the user leaves the page associated with that bean in a rather large JSF powered web application.
After reading https://stackoverflow.com/a/15391453/5467214 and several other questions and answers on SO as well as https://showcase.omnifaces.org/cdi/ViewScoped, I came to the understanding that the OmniFaces ViewScoped annotation provides exactly that behavior by utilizing the unload page event as well as sendBeacon on modern browsers.
So I used the #ViewScoped annotation from OmniFaces in my bean:
import javax.annotation.PreDestroy;
import org.omnifaces.cdi.ViewScoped;
#Named("DesktopForm")
#ViewScoped
public class DesktopForm implements Serializable {
...
}
and annotated the method I want to invoke with the PreDestroy annotation:
#PreDestroy
public void close() {
System.out.println("Destroying view scoped desktop bean");
...
}
Unfortunately, this "close" method is not called when I click some link or leave the page
by entering an entirely new URL. Instead, the network analysis of my browser (a current Firefox) shows me that a POST request is send when leaving the page that returns with an 403 http error code:
As you can see in the screenshot, the "Initiator" of the POST request seems to be an unload.js.jsf script with a beacon mentioned in parentheses, which I assume is part of the OmniFaces library. So presumably the functionality described in the OmniFaces ViewScoped documentation is somehow triggered, but does not result in the expected behavior for me.
The browser still navigates to the new page, but the PreDestroy annotated method was not triggered. When I switch to the standard version of ViewScoped (javax.faces.view.ViewScoped instead of org.omnifaces.cdi.ViewScoped), naturally the method still does not get invoked, but there is also no POST method resulting in a 403 error status when leaving the page in the network analysis of my browser (because the standard ViewScoped annotation of Java does not try to invoke any bean side action on unload events, I guess)
I am using MyFaces 2.3.10 in combination with OmniFaces 2.7.18 (and PrimeFaces 8.0.5, I don't know if that is relevant), Spring Security 5.7.3 and Java 11.
Since "403" is the http status for "forbidden", could this have something to do with using "http" instead of "https" in my local development environment? Does this "send beacon" only work with secure connections?
Any help appreciated!
Edit: I also consulted the official documentation of the OmniFaces ViewScoped annotation under https://omnifaces.org/docs/javadoc/2.7/index.html?org/omnifaces/cdi/ViewScoped.html but could not find a reason for the problem I encounter.
With the help of BalusC's comment to my question above, I was able to solve my problem.
What it came down to was that unload events were not processed correctly by our filter chain. Specifically, they were denied access in the doFilter method of our class extending org.springframework.web.filter.GenericFilterBean.
Therefore I added
if (ViewScopeManager.isUnloadRequest(httpServletRequest)) {
chain.doFilter(request, response);
}
to the doFilter method of the mentioned class and then it worked.
On a side note, I had to update my OmniFaces library from 2.7.18 to 3.13.3, because the ViewScopeManager class of OmniFaces 2 only has one isUnloadRequest method that accepts an FacesContext as parameter, which I did not have available in the our GenericFilterBean extension. OmniFaces 3.1 on the other hand provides another method with the same name that works with an HttpServletRequest instance instead, which I had access to and therefore resolved the issue
My app is using Tomee 7.0.5, Java 8, MySql, JSF 2.2, Omnifaces 2.7. Primefaces 6.1, Prettyfaces 3.3.3. I tried to use Omnifaces' ViewScoped annotation together with #Named in my backing bean. It is required to use OWASP to validate requests. For some unknown reason a click on a link is converted to a POST request and since this link is used to navigate to another page there is no token yet in the request and so the validate request fails. Now, if I use javax.faces.view.ViewScoped instead everything is fine. I have 12 applications with the same pattern.
Each app has a template with a p:toolbar and links to navigate like:
<h:link outcome="pretty:search" value="Search"
onclick="showSpinningIcon();return true;" />
No errors in Chrome console. what am I missing here?
I am having issues with the Omnifaces FullAjaxExceptionHandler (http://showcase.omnifaces.org/exceptionhandlers/FullAjaxExceptionHandler). It does not redirect to the specified error page after the session is invalidated.
I have the following in my faces-config:
<factory>
<exception-handler-factory>org.omnifaces.exceptionhandler.FullAjaxExceptionHandlerFactory</exception-handler-factory>
</factory>
And the following in my web.xml:
<error-page>
<exception-type>javax.faces.application.ViewExpiredException</exception-type>
<location>/pages/error/viewExpired.html</location>
</error-page>
After I invalidate the session, from a user's perspective nothing seems to happen. The application is just 'dead'. In my console I see the following Ajax request:
A POST to the original facelet page with a response code of 302
a GET to the login page with a code 200 (but nothing happens because it's requested via Ajax)
I am running MyFaces 2.1.10, Primefaces 3.5, Primefaces Extension 0.6.3 & Omnifaces 1.4.1 on WebLogic 12c
Could anyone help me in the right direction? How do I get the FullAjaxExeptionHandler to work properly?
Thanks
A POST to the original facelet page with a response code of 302
This is not right. A redirect on a JSF ajax request must have a response code of 200 with a special XML response with a <redirect> element with target URL in its url attribute.
This thus indicates that you manually used HttpServletResponse#sendRedirect() somewhere long before JSF has the chance to deal with ViewExpiredException.
Perhaps you've somewhere a servlet filter which checks some session attribute and sends a redirect based on its presence/state? That filter should then be manipulated based on the following answer: JSF Filter not redirecting After Initial Redirect in order to recognize JSF ajax requests and return a special XML response instead of a 302 response.
E.g.
if ("partial/ajax".equals(request.getHeader("Faces-Request"))) {
response.setContentType("text/xml");
response.getWriter()
.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>")
.printf("<partial-response><redirect url=\"%s\"></redirect></partial-response>", loginURL);
} else {
response.sendRedirect(loginURL);
}
This all is completely unrelated to the FullAjaxExceptionHandler. JSF didn't have any chance to throw a ViewExpiredException because you're already sending a redirect yourself beforehand.
I have strange problem on my simple form in JSF 2.0. In this form, I use two selects, if the first select is chosen, the second should be reload with new options. I use the same mechanism as on Primefaces demo page : Primefaces demo page. My bean is #ViewScoped. I also run my app on jetty-maven plugin by "mvn jetty:run". No problem so far. My form works well.
The problem occurs when I change something while my server is running, jetty is reloading. And after that these two selects don't work - if I choose option on the firts one, second one isnt responding. I have to clear all session by logout in Spring Security and after that my form come back to work.
When i changed my bean to #SessionScoped, problem disappeared.
Is this working proper? I dont want to have my form on session scoped, I prefer ViewScoped.
Try to check your context is postback like this on postConstruct in your bean.
#PostConstruct
public void init() {
if (!FacesContext.getCurrentInstance().isPostback()) {
//Write your code here...
}
Or try close to partial state saving on your web.xml if jsf version is 2.0, but with this method, your application may need more memory allocation
<context-param>
<param-name>javax.faces.PARTIAL_STATE_SAVING</param-name>
<param-value>false</param-value>
</context-param>
Good Luck!
We have an application which uses JSF2 and Spring. The application works fine when deployed. But this happens if I went through the following steps:
Open the login page of the application.
Redeployed the application on the server.
Tried to login using the previously opened login page, and it shows the following exception:
javax.servlet.ServletException: null source
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:321)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
root cause
java.lang.IllegalArgumentException: null source
at java.util.EventObject.<init>(EventObject.java:38)
at javax.faces.event.SystemEvent.<init>(SystemEvent.java:67)
at javax.faces.event.ComponentSystemEvent.<init>(ComponentSystemEvent.java:69)
at javax.faces.event.PostRestoreStateEvent.<init>(PostRestoreStateEvent.java:69)
at com.sun.faces.lifecycle.RestoreViewPhase.deliverPostRestoreStateEvent(RestoreViewPhase.java:256)
at com.sun.faces.lifecycle.RestoreViewPhase.execute(RestoreViewPhase.java:245)
at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:97)
at com.sun.faces.lifecycle.RestoreViewPhase.doPhase(RestoreViewPhase.java:107)
at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:114)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:308)
If I click on the first login page and then enter the login details the application does not break. This only occurs if I try to use the previously loaded login page with the newly deployed application.
Anyone knows the answer?
This one should have been thrown as a ViewExpiredException. It's a bug which started to manifest in Mojarra 2.0.3 and is been fixed in Mojarra 2.1.0. See also issue 1762 (note that Mojarra 2.1.0 doesn't work on Tomcat/Jetty, use at least Mojarra 2.1.1 then).
Basically, when Mojarra fails to build or restore the view, then it usually throws a specific enough exception, but due to this bug, a valid view was incorrectly been expected later in the code which in turn results in IllegalArgumentException: null source. The possible real cause would have been that the view contains a simple XML syntax error, such as a missing tag or broken attribute value, for which Mojarra would usually have thrown a FaceletException with a very detailed message with line number and position and such.
To prevent the ViewExpiredException, you would have to refresh the page by a GET request before doing any actions on it. If you're using a Mojarra version where this bug does not manifest (e.g. 2.0.2 or older, or 2.1.0 or newer), then you could gracefully handle it with an <error-page> in web.xml on the particular exception and provide a custom error page wherein the enduser is informed that the session has been expired, along with a link to the initial request URI.
This looks like http://java.net/jira/browse/JAVASERVERFACES-1758
which is not fixed in Mojarra 2.1.x
As long as javax.faces.PARTIAL_STATE_SAVING is set to false you'll receive that java.lang.IllegalArgumentException. If you set javax.faces.PARTIAL_STATE_SAVING to true (and you know what you are doing) you will get the "good old" javax.faces.application.ViewExpiredException back.
In my case turned out i had missing end tag in xhtml file for one of the jstl calls. i was using choose tag and one of the when tags in between choose did not have an end tag