Class ResponseStateManager
ResponseStateManager is the helper class to
StateManager
that knows the specific rendering technology being used to generate
the response. It is a singleton abstract class, vended by the RenderKit
. This class knows the mechanics of
saving state, whether it be in hidden fields, session, or some combination of the two.
-
Field Summary
Modifier and TypeFieldDescriptionstatic final String
The name of the hidden field that refers to the encoded ClientWindow.static final String
The name of the URL query parameter for transmitting the client window id.static final String
The value of this constant is taken to be the name of a request parameter whose value is inspected to verify the safety of an incoming non-postback request with respect to the currently configuredSet
of protected views for this application.static final String
The name of the request parameter used by the default implementation ofViewHandler.calculateRenderKitId(jakarta.faces.context.FacesContext)
to derive a RenderKit ID.static final String
Implementations must use this constant field value as the name of the client parameter in which to save the state between requests. -
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptiongetComponentStateToRestore
(FacesContext context) Deprecated.Compliant implementations must return a cryptographically strong token for use to protect views in this application.getState
(FacesContext context, String viewId) The implementation must inspect the current request and return an Object representing the tree structure and component state passed in to a previous invocation ofwriteState(jakarta.faces.context.FacesContext,java.lang.Object)
.getTreeStructureToRestore
(FacesContext context, String viewId) Deprecated.This method has been replaced bygetState(jakarta.faces.context.FacesContext, java.lang.String)
.getViewState
(FacesContext context, Object state) Return the specified state as aString
without any markup related to the rendering technology supported by this ResponseStateManager.boolean
isPostback
(FacesContext context) Return true if the current request is a postback.boolean
isStateless
(FacesContext context, String viewId) If the preceding call towriteState(jakarta.faces.context.FacesContext, java.lang.Object)
was stateless, returntrue
.void
writeState
(FacesContext context, StateManager.SerializedView state) Deprecated.This method has been replaced bywriteState(jakarta.faces.context.FacesContext,java.lang.Object)
.void
writeState
(FacesContext context, Object state) Take the argumentstate
and write it into the output using the currentResponseWriter
, which must be correctly positioned already.
-
Field Details
-
RENDER_KIT_ID_PARAM
The name of the request parameter used by the default implementation of
ViewHandler.calculateRenderKitId(jakarta.faces.context.FacesContext)
to derive a RenderKit ID.- See Also:
-
VIEW_STATE_PARAM
Implementations must use this constant field value as the name of the client parameter in which to save the state between requests. The
id
attribute must be a concatenation of the return fromUIComponent.getContainerClientId(jakarta.faces.context.FacesContext)
, the return fromUINamingContainer.getSeparatorChar(jakarta.faces.context.FacesContext)
, this constant field value, the separator char, and a number that is guaranteed to be unique with respect to all the other instances of this kind of client parameter in the view.It is strongly recommend that implementations guard against cross site scripting attacks by at least making the value of this parameter difficult to predict.
- Since:
- 1.2
- See Also:
-
CLIENT_WINDOW_PARAM
The name of the hidden field that refers to the encoded ClientWindow. This field is only used if
ClientWindow.CLIENT_WINDOW_MODE_PARAM_NAME
is not "none". Theid
attribute must be a concatenation of the return fromUIComponent.getContainerClientId(jakarta.faces.context.FacesContext)
, the return fromUINamingContainer.getSeparatorChar(jakarta.faces.context.FacesContext)
, this constant field value, the separator char, and a number that is guaranteed to be unique with respect to all the other instances of this kind of client parameter in the view. The value of this parameter is the return fromClientWindow.getId()
.- Since:
- 2.2
- See Also:
-
CLIENT_WINDOW_URL_PARAM
The name of the URL query parameter for transmitting the client window id. This parameter is only used if
ClientWindow.CLIENT_WINDOW_MODE_PARAM_NAME
is not "none". The name of the parameter is given by the constant value of this field. The value of this parameter is the return fromClientWindow.getId()
.- Since:
- 2.2
- See Also:
-
NON_POSTBACK_VIEW_TOKEN_PARAM
The value of this constant is taken to be the name of a request parameter whose value is inspected to verify the safety of an incoming non-postback request with respect to the currently configured
Set
of protected views for this application.- Since:
- 2.2
- See Also:
-
-
Constructor Details
-
ResponseStateManager
public ResponseStateManager()
-
-
Method Details
-
writeState
Take the argument
state
and write it into the output using the currentResponseWriter
, which must be correctly positioned already.Call
FacesContext.getViewRoot()
. IfStateHolder.isTransient()
returnstrue
, take implementation specific action so that the following call toisStateless(jakarta.faces.context.FacesContext, java.lang.String)
returnstrue
and return. Otherwise, proceed as follows.If the state is to be written out to hidden fields, the implementation must take care to make all necessary character replacements to make the Strings suitable for inclusion as an HTTP request paramater.
If the state saving method for this application is
StateManager.STATE_SAVING_METHOD_CLIENT
, the implementation must encrypt the state to be saved to the client in a tamper evident manner.If the state saving method for this application is
StateManager.STATE_SAVING_METHOD_SERVER
, and the current request is anAjax
requestPartialViewContext.isAjaxRequest()
returnstrue
), use the current view state identifier if it is available (do not generate a new identifier).Write out the render kit identifier associated with this
ResponseStateManager
implementation with the name as the value of theString
constantResponseStateManager.RENDER_KIT_ID_PARAM
. The render kit identifier must not be written if:- it is the default render kit identifier as returned by
Application.getDefaultRenderKitId()
or - the render kit identfier is the value of
jakarta.faces.render.RenderKitFactory.HTML_BASIC_RENDER_KIT
andApplication.getDefaultRenderKitId()
returnsnull
.
For backwards compatability with existing
ResponseStateManager
implementations, the default implementation of this method checks if the argument is an instance ofSerializedView
. If so, it calls through towriteState(jakarta.faces.context.FacesContext,jakarta.faces.application.StateManager.SerializedView)
. If not, it expects the state to be a two element Object array. It creates an instance ofSerializedView
and stores the state as the treeStructure, and passes it towriteState(jakarta.faces.context.FacesContext,jakarta.faces.application.StateManager.SerializedView)
.The
ClientWindow
must be written using these steps. CallExternalContext.getClientWindow()
. If the result isnull
, take no further action regarding theClientWindow
. If the result is non-null
, write a hidden field whose name isCLIENT_WINDOW_PARAM
and whose id is<VIEW_ROOT_CONTAINER_CLIENT_ID><SEP>jakarta.faces.ClientWindow<SEP><UNIQUE_PER_VIEW_NUMBER>
where <SEP> is the currently configuredUINamingContainer.getSeparatorChar()
. <VIEW_ROOT_CONTAINER_CLIENT_ID> is the return fromUIViewRoot.getContainerClientId()
on the view from whence this state originated. <UNIQUE_PER_VIEW_NUMBER> is a number that must be unique within this view, but must not be included in the view state. The value of the field is implementation dependent but must uniquely identify this window within the user's session.- Parameters:
context
- TheFacesContext
instance for the current requeststate
- The serialized state information previously saved- Throws:
IOException
- if the state argument is not an array of length 2.- Since:
- 1.2
- it is the default render kit identifier as returned by
-
writeState
@Deprecated public void writeState(FacesContext context, StateManager.SerializedView state) throws IOException Deprecated.This method has been replaced bywriteState(jakarta.faces.context.FacesContext,java.lang.Object)
. The default implementation creates a two elementObject
array with the first element being the return from callingStateManager.SerializedView.getStructure()
, and the second being the return fromStateManager.SerializedView.getState()
. It then passes thisObject
array towriteState(jakarta.faces.context.FacesContext, java.lang.Object)
.Take the argument
state
and write it into the output using the currentResponseWriter
, which must be correctly positioned already.If the
StateManager.SerializedView
is to be written out to hidden fields, the implementation must take care to make all necessary character replacements to make the Strings suitable for inclusion as an HTTP request paramater.If the state saving method for this application is
StateManager.STATE_SAVING_METHOD_CLIENT
, the implementation may encrypt the state to be saved to the client. We recommend that the state be unreadable by the client, and also be tamper evident. The reference implementation follows these recommendations.- Parameters:
context
- TheFacesContext
instance for the current requeststate
- The serialized state information previously saved- Throws:
IOException
- if the state cannot be written for any reason
-
isStateless
If the preceding call to
writeState(jakarta.faces.context.FacesContext, java.lang.Object)
was stateless, returntrue
. If the preceding call towriteState()
was stateful, returnfalse
. Otherwise throwIllegalStateException
.To preserve backward compatibility with custom implementations that may have extended from an earlier version of this class, an implementation is provided that returns
false
. A compliant implementation must override this method to take the specified action.- Parameters:
context
- TheFacesContext
instance for the current requestviewId
- View identifier of the view to be restored- Returns:
- the value of the statelessness of this run through the lifecycle.
- Throws:
NullPointerException
- if the argumentcontext
isnull
.IllegalStateException
- if this method is invoked and the statefulness of the preceding call towriteState(jakarta.faces.context.FacesContext, java.lang.Object)
cannot be determined.- Since:
- 2.2
-
getState
The implementation must inspect the current request and return an Object representing the tree structure and component state passed in to a previous invocation of
writeState(jakarta.faces.context.FacesContext,java.lang.Object)
.If the state saving method for this application is
StateManager.STATE_SAVING_METHOD_CLIENT
,writeState()
will have encrypted the state in a tamper evident manner. If the state fails to decrypt, or decrypts but indicates evidence of tampering, aProtectedViewException
must be thrown.For backwards compatability with existing
ResponseStateManager
implementations, the default implementation of this method callsgetTreeStructureToRestore(jakarta.faces.context.FacesContext, java.lang.String)
andgetComponentStateToRestore(jakarta.faces.context.FacesContext)
and creates and returns a two elementObject
array with element zero containing thestructure
property and element one containing thestate
property of theSerializedView
.- Parameters:
context
- TheFacesContext
instance for the current requestviewId
- View identifier of the view to be restored- Returns:
- the tree structure and component state Object passed in to
writeState
. If this is an initial request, this method returnsnull
. - Since:
- 1.2
-
getTreeStructureToRestore
Deprecated.This method has been replaced bygetState(jakarta.faces.context.FacesContext, java.lang.String)
. The default implementation returnsnull
.The implementation must inspect the current request and return the tree structure Object passed to it on a previous invocation of
writeState()
.- Parameters:
context
- TheFacesContext
instance for the current requestviewId
- View identifier of the view to be restored- Returns:
- the tree structure portion of the state
-
getComponentStateToRestore
Deprecated.This method has been replaced bygetState(jakarta.faces.context.FacesContext, java.lang.String)
. The default implementation returnsnull
.The implementation must inspect the current request and return the component state Object passed to it on a previous invocation of
writeState()
.- Parameters:
context
- TheFacesContext
instance for the current request- Returns:
- the component state portion of the state
-
isPostback
Return true if the current request is a postback. This method is leveraged from the Restore View Phase to determine if
ViewHandler.restoreView(jakarta.faces.context.FacesContext, java.lang.String)
orViewHandler.createView(jakarta.faces.context.FacesContext, java.lang.String)
should be called. The default implementation must returntrue
if thisResponseStateManager
instance wrote out state on a previous request to which this request is a postback,false
otherwise.The implementation of this method for the Standard HTML RenderKit must consult the
ExternalContext
'srequestParameterMap
and returntrue
if and only if there is a key equal to the value of the symbolic constantVIEW_STATE_PARAM
.For backwards compatibility with implementations of
ResponseStateManager
prior to Jakarta Server Faces 1.2, a default implementation is provided that consults theExternalContext
'srequestParameterMap
and returntrue
if its size is greater than 0.- Parameters:
context
- theFacesContext
for the current request.- Returns:
- the value as specified above
- Since:
- 1.2
-
getViewState
Return the specified state as a
String
without any markup related to the rendering technology supported by this ResponseStateManager.- Parameters:
context
- theFacesContext
for the current requeststate
- the state from which the String version will be generated from- Returns:
- the view state for this request without any markup specifics
- Since:
- 2.0
-
getCryptographicallyStrongTokenFromSession
Compliant implementations must return a cryptographically strong token for use to protect views in this application. For backwards compatability with earlier revisions, a default implementation is provided that simply returns
null
.- Parameters:
context
- theFacesContext
for the current request- Returns:
- a cryptographically strong value
- Since:
- 2.2
-
getState(jakarta.faces.context.FacesContext, java.lang.String)
.