Am using JSF 1.2
I have an image which should be clickable. Below is how I have coded,
<h:commandLink value="" action="#{myBean.myMethod}>
<h:graphicImage value="image-location-in-webserver" />
</h:commandLink>
Am using h:commandLink because on click of this image I have to do some business validations and hence I need to call a method in bean.
My bean is session scoped. I can't go with request scope because of some other problems.
I tried javax.faces.STATE_SAVING_METHOD setting it to client instead of server.
Even then when my page is rendered, image is not getting redered because jsessionid is getting appended to url like below when viewed in web developer.
http:/myDomail/static-files/images/myImage.jpg;jsessionid=77F2A5D24CF1D5C3C4882778BC521263.node1
If jsessionid is not appended, my image gets rendered.
How can I achieve this?
Related
I am trying to implement the Csrf protection for a simple registration application. I have a state changing form registration.jsp which needs to protected with csrf token validation. I have imported spring security 5.2.3 dependencies and also added the hidden input tag in registration.jsp. From the spring csrf documentation it is evident that we should be able to see the token set in header or cookie value.
<form:label path="note">Note:</form:label>
<form:textarea path="note" cols="25" rows="5"/><br/>
<form:button>Register</form:button>
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
</form:form>
</div>
The default form method is GET, which does not require a CSRF-token. Setting the form method to POST should add a CSRF-token if it is not disabled as described in the documentation:
You should be able to see the csrf-token in the payload of the POST-request with the key _csrf in the network tab of the Chrome debugger.
It seems to be by design that the hidden input field is not rendered.
Hidden inputs are completely invisible in the rendered page, and there is no way to make it visible in the page's content.
Otherwise, what you have done should be the equivalent of using the csrftag <sec:csrfInput /> from the Spring Security JSP tag library.
I am currently learning JSF and was rather amazed and puzzled when I realized that whenever we use <h:form>, the standard behavior of JSF is to always show me the URL of the previous page in the browser, as opposed to the URL of the current page.
I understand that this has to do with the way JSF always posts a form to the same page and then just renders whatever page the controller gives it back to the browser which doesn't know the page location has changed.
It seems like JSF has been around for long enough that there must be a clean, solid way to deal with this. If so, would you mind sharing?
I have found various workarounds, but sadly nothing that seems like a real solid solution.
Simply accept that the URL is misleading.
Append "?faces-redirect=true" to the return value of every bean's action and then
figure out how to replace #RequestScoped with something else (Flash Scopes, CDI conversation, #SessionScoped, ...).
accept to have two HTTP round trips for every user action.
Use some method (e.g. 3rd party library or custom code) to hide the page name in the URL, always using the same generic URL for every page.
If "?faces-redirect=true" is as good as it gets, is there a way do configure an entire application to treat all requests this way?
Indeed, JSF as being a form based application targeted MVC framework submits the POST form to the very same URL as where the page with the <h:form> is been requested form. You can confirm it by looking at the <form action> URL of the generated HTML output. This is in web development terms characterized as postback. A navigation on a postback does by default not cause a new request to the new URL, but instead loads the target page as content of the response. This is indeed confusing when you merely want page-to-page navigation.
Generally, the right approach as to navigation/redirection depends on the business requirements and the idempotence (read: "bookmarkability") of the request (note: for concrete code examples, see the "See also" links below).
If the request is idempotent, just use a GET form/link instead of POST form (i.e. use <a>, <form>, <h:link> or <h:button> instead of <h:form> and <h:commandXxx>).
For example, page-to-page navigation, Google-like search form, etc.
If the request is non-idempotent, just show results conditionally in the same view (i.e. return null or void from action method and make use of e.g. <h:message(s)> and/or rendered).
For example, in-page data entry/edit, multi-step wizard, modal dialog, confirmation form, etc.
If the request is non-idempotent, but the target page is idempotent, just send a redirect after POST (i.e. return outcome with ?faces-redirect=true from action method, or manually invoke ExternalContext#redirect(), or put <redirect/> in legacy XML navigation case).
For example, showing list of all data after successful editing, redirect after login, etc.
Note that pure page-to-page navigation is usually idempotent and this is where many JSF starters fail by abusing command links/buttons for that and then complain afterwards that URLs don't change. Also note that navigation cases are very rarely used in real world applications which are developed with respect to SEO/UX and this is where many JSF tutorials fail by letting the readers believe otherwise.
Also note that using POST is absolutely not "more secure" than GET because the request parameters aren't immediately visible in URL. They are still visible in HTTP request body and still manipulatable. So there's absolutely no reason to prefer POST for idempotent requests for the sake of "security". The real security is in using HTTPS instead of HTTP and checking in business service methods if currently logged-in user is allowed to query entity X, or to manipulate entity X, etc. A decent security framework offers annotations for this.
See also:
What is the difference between redirect and navigation/forward and when to use what?
JSF implicit vs. explicit navigation
What URL to use to link / navigate to other JSF pages
Bookmarkability via View Parameters feature
What can <f:metadata>, <f:viewParam> and <f:viewAction> be used for?
When should I use h:outputLink instead of h:commandLink?
Creating master-detail pages for entities, how to link them and which bean scope to choose
Retaining GET request query string parameters on JSF form submit
Pass an object between #ViewScoped beans without using GET params
My All Js and css are in script.jsp file and include on every page
<jsp:include page="../include/scripts.jsp" />
when page submit / refresh it reload again and again ?
How to control this ?
Here's an explanation I found that could explain it. It helped me out when i needed it
Here's an explanation of the problem...
Clicking the "submit" button on a form sends a request to the web server, which includes all the data entered on the form. Not only the URL but also the form data is part of the request, and this request is remembered by the browser. If the user clicks "refresh", the browser repeats the request, sending the same URL and form data to the web server again.
But forms can be submitted in two different ways, GET or POST, depending on the "method" attribute of the "form" tag. There is a convention that a GET request has no side-effects; it only fetches data but does not make any changes to the database. On the other hand, if a request changes data it should always use a POST request. As I said, these are only conventions, and there is not much technical difference between them, but a very important difference is that browsers will warn the user if they try to repeat a POST -- clicking "refresh" will pop up a dialog box warning the user that this may cause an operation to be repeated, and confirming that they really want to resubmit. The browser does not show this confirmation when refreshing a GET request.
Is your form using the GET method changing it to POST is the simplest solution, since this will at least mean that the user is warned if they try to refresh.
But a better solution is the POST+REDIRECT+GET idiom suggested by #cletus. This splits the database update (POST) and the view (GET) into two operations. Clicking refresh on the browser then merely repeats the GET, which has no side-effects.
Use the include directive <%# include/> as against the <jsp:include/> tag you're using now.
<jsp:include/> will instruct the jsp runtime to go and fetch the included resource everytime the compiler comes across that tag (first-time requests, refreshes) while <# include/> means that the included resource is built into the parent resource at compile-time
The difference is that the directive is a compile-time include. This means that the content of the directive (in your case scripts.jsp) is baked into the parent jsp (and ultimately the servlet that the jsp will be compiled into). The effect is that the included file is read only the first time the parent jsp is rendered.
What you should have:
<%# include page="../include/scripts.jsp" />
Related:
What is the difference between <jsp:include page = ... > and <%# include file = ... >?
I have a webpage in a WebLogic application server (JSF). Inside that page I have an iFrame which displays an ASP.NET page (with a code-behind dll). Users are authenticated in the JSF page and I want to, somehow, pass the username of the user to the ASPX page inside the iFrame.
What is the easiest way to do this?
You could write it to a session/cookie and read it from within the IFrame page.
Or you could use the DB route, depends on how you would like to implement it.
One of the easiest (but maybe not secure) way to achieve this is using QueryString.
An example for processing the QueryString in the ASP.Net side
Passing variables between pages using QueryString.
From the JSF side, you can pass the parameter like this
<h:outputLink value="aspNetPage.aspx" target="iFrameName">
<h:outputText value="Load asp.net page" />
<f:param name="username" value="#{sessionScope['username']}" />
</h:outputLink>
JSF code based from: JSF 2 Link, CommandLink And OutputLink Example
If you have <img src=""> on your page, the image load will result in another web request to the page that was originally loaded. Is there a way (in ASP.NET) to detect that the web request was the result of being loaded for an <img> tag like this?
The only difference I can find is the HTTP_ACCEPT value of */* for <IMG> requests, vs. a limited HTTP_ACCEPT value for the actual page request. I am fearful that will be too restrictive though.
dont know about built in function, but you can pass some query string parameter from src="..." url, and detect that parameter in the page load event of requested page.