public abstract class ResponseStateManager
extends java.lang.Object
ResponseStateManager is the helper class to
StateManager
that knows the specific rendering technology being used to generate
the response. It is a singleton abstract class, vended by the RenderKit
. This class knows the mechanics of
saving state, whether it be in hidden fields, session, or some combination of the two.
Modifier and Type | Field and Description |
---|---|
static java.lang.String |
CLIENT_WINDOW_PARAM
The name of the hidden field that refers to the encoded ClientWindow. |
static java.lang.String |
CLIENT_WINDOW_URL_PARAM
The name of the URL query parameter for transmitting the client window id. |
static java.lang.String |
NON_POSTBACK_VIEW_TOKEN_PARAM
The value of this constant is taken to be the name of a request parameter whose value is inspected to verify the
safety of an incoming non-postback request with respect to the currently configured |
static java.lang.String |
RENDER_KIT_ID_PARAM
The name of the request parameter used by the default implementation of
ViewHandler.calculateRenderKitId(jakarta.faces.context.FacesContext) to derive a RenderKit ID. |
static java.lang.String |
VIEW_STATE_PARAM
Implementations must use this constant field value as
the name of the client parameter in which to save the state between requests.
|
Constructor and Description |
---|
ResponseStateManager() |
Modifier and Type | Method and Description |
---|---|
java.lang.String |
getCryptographicallyStrongTokenFromSession(FacesContext context)
Compliant implementations must return a cryptographically strong token for use to protect views in this application. |
java.lang.Object |
getState(FacesContext context,
java.lang.String viewId)
The implementation must inspect the current request and return an Object
representing the tree structure and component state passed in to a previous invocation of
writeState(jakarta.faces.context.FacesContext,java.lang.Object) . |
java.lang.String |
getViewState(FacesContext context,
java.lang.Object state)
Return the specified state as a
String without any markup related to the rendering technology supported
by this ResponseStateManager. |
boolean |
isPostback(FacesContext context)
Return true if the current request is a postback.
|
boolean |
isStateless(FacesContext context,
java.lang.String viewId)
If the preceding call to |
void |
writeState(FacesContext context,
java.lang.Object state)
Take the argument
state and write it into the output using the
current ResponseWriter , which must be correctly positioned already. |
public static final java.lang.String RENDER_KIT_ID_PARAM
The name of the request parameter used by the default implementation of
ViewHandler.calculateRenderKitId(jakarta.faces.context.FacesContext)
to derive a RenderKit ID.
public static final java.lang.String VIEW_STATE_PARAM
Implementations must use this constant field value as
the name of the client parameter in which to save the state between requests. The
id
attribute must be a concatenation of the return from
UIComponent.getContainerClientId(jakarta.faces.context.FacesContext)
, the return from
UINamingContainer.getSeparatorChar(jakarta.faces.context.FacesContext)
, this constant field value, the separator char,
and a number that is guaranteed to be unique with respect to all the other instances of this kind of client parameter
in the view.
It is strongly recommend that implementations guard against cross site scripting attacks by at least making the value of this parameter difficult to predict.
public static final java.lang.String CLIENT_WINDOW_PARAM
The name of the hidden field that refers to the encoded ClientWindow. This field is only used if
ClientWindow.CLIENT_WINDOW_MODE_PARAM_NAME
is not "none". The id
attribute must be a concatenation of the return from UIComponent.getContainerClientId(jakarta.faces.context.FacesContext)
,
the return from UINamingContainer.getSeparatorChar(jakarta.faces.context.FacesContext)
, this constant field value, the
separator char, and a number that is guaranteed to be unique with respect to all the other instances of this kind of
client parameter in the view. The value of this parameter is the return from
ClientWindow.getId()
.
public static final java.lang.String CLIENT_WINDOW_URL_PARAM
The name of the URL query parameter for transmitting the client window id. This parameter is only used if
ClientWindow.CLIENT_WINDOW_MODE_PARAM_NAME
is not "none". The name of the parameter
is given by the constant value of this field. The value of this parameter is the return from
ClientWindow.getId()
.
public static final java.lang.String NON_POSTBACK_VIEW_TOKEN_PARAM
The value of this constant is taken to be the name of a request parameter whose value is inspected to verify the
safety of an incoming non-postback request with respect to the currently configured Set
of protected
views for this application.
public void writeState(FacesContext context, java.lang.Object state) throws java.io.IOException
Take the argument state
and write it into the output using the
current ResponseWriter
, which must be correctly positioned already.
Call FacesContext.getViewRoot()
. If StateHolder.isTransient()
returns
true
, take implementation specific action so that the following call to isStateless(jakarta.faces.context.FacesContext, java.lang.String)
returns
true
and return. Otherwise, proceed as follows.
If the state is to be written out to hidden fields, the implementation must take care to make all necessary character replacements to make the Strings suitable for inclusion as an HTTP request paramater.
If the state saving method for this application is
StateManager.STATE_SAVING_METHOD_CLIENT
, the implementation
must encrypt the state to be saved to the client
in a tamper evident manner.
If the state saving method for this application is
StateManager.STATE_SAVING_METHOD_SERVER
, and the current request is an
Ajax
request PartialViewContext.isAjaxRequest()
returns true
),
use the current view state identifier if it is available (do not generate a new identifier).
Write out the render kit identifier associated with this ResponseStateManager
implementation with the
name as the value of the String
constant ResponseStateManager.RENDER_KIT_ID_PARAM
. The
render kit identifier must not be written if:
Application.getDefaultRenderKitId()
orjakarta.faces.render.RenderKitFactory.HTML_BASIC_RENDER_KIT
and Application.getDefaultRenderKitId()
returns null
.
The ClientWindow
must be written using these steps. Call
ExternalContext.getClientWindow()
. If the result is null
, take no further
action regarding the ClientWindow
. If the result is non-null
, write a hidden field whose
name is CLIENT_WINDOW_PARAM
and whose id is
<VIEW_ROOT_CONTAINER_CLIENT_ID><SEP>jakarta.faces.ClientWindow<SEP><UNIQUE_PER_VIEW_NUMBER>
where <SEP> is the currently configured UINamingContainer.getSeparatorChar()
.
<VIEW_ROOT_CONTAINER_CLIENT_ID> is the return from UIViewRoot.getContainerClientId()
on the view
from whence this state originated. <UNIQUE_PER_VIEW_NUMBER> is a number that must be unique within this view,
but must not be included in the view state. The value of the field is implementation dependent but must uniquely
identify this window within the user's session.
context
- The FacesContext
instance for the current requeststate
- The serialized state information previously savedjava.io.IOException
- if the state argument is not an array of length 2.public boolean isStateless(FacesContext context, java.lang.String viewId)
If the preceding call to writeState(jakarta.faces.context.FacesContext, java.lang.Object)
was stateless,
return true
. If the preceding call to writeState()
was stateful, return false
. Otherwise
throw IllegalStateException
.
To preserve backward compatibility with custom implementations that may have extended from an earlier version of this
class, an implementation is provided that returns false
. A compliant implementation must override this
method to take the specified action.
context
- The FacesContext
instance for the current requestviewId
- View identifier of the view to be restoredjava.lang.NullPointerException
- if the argument context
is null
.java.lang.IllegalStateException
- if this method is invoked and the statefulness of the preceding call to
writeState(jakarta.faces.context.FacesContext, java.lang.Object)
cannot be determined.public java.lang.Object getState(FacesContext context, java.lang.String viewId)
The implementation must inspect the current request and return an Object
representing the tree structure and component state passed in to a previous invocation of
writeState(jakarta.faces.context.FacesContext,java.lang.Object)
.
If the state saving method for this application is
StateManager.STATE_SAVING_METHOD_CLIENT
, writeState()
will have
encrypted the state in a tamper evident manner. If the state fails to decrypt, or decrypts but indicates evidence of
tampering, a ProtectedViewException
must be thrown.
context
- The FacesContext
instance for the current requestviewId
- View identifier of the view to be restoredwriteState
. If this is an initial
request, this method returns null
.public boolean isPostback(FacesContext context)
Return true if the current request is a postback. This method is leveraged from the Restore View Phase to
determine if ViewHandler.restoreView(jakarta.faces.context.FacesContext, java.lang.String)
or
ViewHandler.createView(jakarta.faces.context.FacesContext, java.lang.String)
should be called. The default implementation must return
true
if this ResponseStateManager
instance wrote out state on a previous request to which
this request is a postback, false
otherwise.
The implementation of this method for the Standard HTML RenderKit must consult the
ExternalContext
's requestParameterMap
and return true
if and
only if there is a key equal to the value of the symbolic constant VIEW_STATE_PARAM
.
For backwards compatibility with implementations of ResponseStateManager
prior to Jakarta Faces
1.2, a default implementation is provided that consults the ExternalContext
's
requestParameterMap
and return true
if its size is greater than 0.
context
- the FacesContext
for the current request.public java.lang.String getViewState(FacesContext context, java.lang.Object state)
Return the specified state as a String
without any markup related to the rendering technology supported
by this ResponseStateManager.
context
- the FacesContext
for the current requeststate
- the state from which the String version will be generated frompublic java.lang.String getCryptographicallyStrongTokenFromSession(FacesContext context)
Compliant implementations must return a cryptographically strong token for use to protect views in this application.
For backwards compatibility with earlier revisions, a default implementation is provided that simply returns
null
.
context
- the FacesContext
for the current request