I moved a JSF application from Glassfish 3.1.2 to Glassfish 4.0 and I thought the new server release was completely backward compatible.
I found out it is not.
I used an outdated library, Primefaces 2.X, and some components stopped working properly, at least <p:tabview>. Common sense suggests moving to a newer library such as Primefaces 3.5, but that way I have to modify my xhtml pages. I cannot find a compatibility matrix anywhere, nor a migration tutorial. Can you help?
There is at least another weird problem outside those related to the Primefaces library.
I have a quite complex page and till now I couldn't isolate the problem to a simpler scenario.
In this page I have an <ui:repeat> tag and then a form with a button.
The button is configured to send Ajax request and update (render) only a single ui component.
At the 3rd Ajax request it stops working and I get an error saying there is a duplicate ID corresponding to the <ui:repeat> tag.
Any idea?
Is there a migration guide from Glassfish 3.1.2 to Glassfish 4.0 which gives hints on what has changed and how to modify existing applications?
Update
I found the following post which deals with the last problem I'm talking about:
Component ID xxx has already been found in the view.
Unfortunately I cannot understand how to solve it even though it has an accepted answer!
This is one of the many bugs that were released with GF4.
I would suggest either waiting for the next release of GF (if you need a released version) or updating GF to the latest JSF release (currently 2.2.8, I think).
JSF implementation jars
JEE7 APIs
JSF current and older bugs
Related
We have projects using Struts 2.0 and 2.1.
We're using web-hosting with Tomcat and both projects are working fine on remote servers. Recently, we got warning message from the webhosting provider, like:
This notice is to inform you that recently numerous vulnerabilities have been discovered related to Struts and Struts2 frameworks and other frameworks which use OGNL classes.
Since your application is using Struts or Struts2 framework, we HIGHLY recommend that you URGENTLY update it to the most recent version: Struts v2.3.16.1
After research, we found there're consistent upgrades:
http://struts.apache.org/announce.html
Therefore, we tried to upgrade our Struts2 to 2.3.16.3 (latest version at present). However, we found it's not a trivial task to upgrade Struts2, since everything doesn't work, including AJAX tags, AJAX form submit, auto-complete, etc. In this sense, Struts 2 is not well designed for scalability.
One example is that whenever we submit our AJAX form, the result will be in a new page instead of in the targets field defined in the sx:submit or sj:submit tag. We don't want to rewrite all the code just because of the upgrade.
We want to know if we don't upgrade Struts2 to the latest version, what kind of vulnerabilities our web application will face. Could anyone give us more details or any hint for solutions based on our situation? Thanks so much.
You are probably looking for Security Bulletins. Each document describes the summary, problem, and solution to resolve the problem. At the end of each document you can find hotfixes if they are available.
"One example is that whenever we submit our ajax form, the result will be in a new page instead of in the targets field defined in the sx:submit or sj:submit tag."
It seems you are using struts2 and struts 2 jquery plugin, so try to update to struts 2 jquery 3.7.0 too.
I recommend accepting some rework and upgrading, as some of the security issues are high.
There are some key parts which have changed and may need to be considered during the upgrade, like acceptableParameterName. Also review your param interceptor stack and list of excluded parameters.
What are the major differences between primefaces version 3.5.x and 4.x besides the obvious java-ee-7 compliance in the 4.x versions? Has version 4.x been rewritten internally? If so what are the differences? I am currently using primefaces 3.5.20, so many of the new or updated components are already available. Has there been any work to streamline ajax throughput?
There are many improvements:
The main one is the integration with jsf-2.2 specification. As JSF 2.2 is servlet 3.x compatible, the file upload system has changed in order to take advantage of servlet 3.x features and make it in html 5 way. It also includes support for HTML pass through attributes, included at JSF 2.2 and able to include non-JSF attributes at the rendered page.
Client Side Validation Framework: I still have to try that, but one of the lacks of vanilla-plain JSF is the absence of client side validation. JSF is known for being a server side framework. However, sometimes client validation is also convenient in order to bring the end user a greater experience. Primefaces 4 is supposed to include that (in fact they've been working to adapt their approach to HTML5 standards).
Search expressions: Something in JSF that can puzzle you is searching the component ids at client side. JSF uses its own prefixed identifiers, so sometimes it is difficult to search for what you want. JSF 2.2 provides a set of keywords: "#this", "#form", "#all", "#none", in order to simplify what you want to make a reference to. In primefaces 4 apart from that, you've got #composite which resolves the closest CompositeComponent parent, #widgetVar(name) which resolves a component by its widgetVar and #child(index) which resolves the nth child.
Lots of bug fixes and component improvements, some of them have been done in parallel with 3.5.x series.
About ajax performance, I know there have been some issues in concrete cases, but apart from fixing them and adding new capabilities to their jquery-ajax utilities, I'm not aware of more improvements.
See also:
Primefaces 4 improvements
Default text (placeholder) in InputText component
Search expressions in PrimeFaces 4
My project was using older versions of Struts2 (2.0.x)
Now we are planning to upgrade Struts2 version which has some improvements and bug fixes.
I updated the pom.xml as per that. However I found out that in my old struts2-core lib, there's
org.apache.struts2.views.util.TextUtil
But in latest version it's not there and I am facing compilation errors.
Any idea why it's missing or how do I get it?
Indeed org.apache.struts2.views.util.TextUtil was removed from Struts 2 after 2.1.6. You have a few options.
First, as Jaiwo99 indicated, Struts 2 is licensed under the Apache License v2, so you can just take a copy of the source for TextUtil from Struts 2.1.6 and put it in your application. The class has no dependencies on other code, so it should work fine.
Second, you could look at using StringEscapeUtils from Apache Commons Lang 3, which is now used by Struts2 for escaping HTML and JavaScript. Specifically, look at the StringEscapeUtils.escapeHtml4() method.
Could it be this one?
com.opensymphony.xwork2.util.TextParserUtil
I'm trying to develop an application using JSF, primefaces, Tomcat7.
When I execute an ajax event, I get this warning:
17-ott-2012 9.26.04 org.apache.myfaces.trinidadinternal.context.PartialViewContextImpl getPartialResponseWriter
AVVERTENZA: getPartialResponseWriter() called during render_reponse. The returned writer is not integrated with PPRResponseWriter
What does it mean? What do I have to do to integrate it?
In my server log, on startup, I find some messages about some web context parameters not found. May it be related to the previous warning?
Thanks for your help!!
This class is specific to MyFaces Trinidad. Apparently you're mixing Trinidad with PrimeFaces and it's not working very well. Since you didn't mention anything about Trinidad in your question, it's perhaps a leftover of previous experiments to play around with several component libraries. You might want to remove it before using PrimeFaces.
I came across an article Open source library with vulnerabilities.
This article states that
"Spring Expression Language (SpEL) could be exploited through HTTP parameter submissions that would allow attackers to get sensitive system data, application and user cookies."
Can someone shed more light on this, please?
The discovery by Aspect Security was found in January 2013, but the fix that SpringSource published was made available back in 2011 when this was first discovered. Dan Amodio of Aspect Security informed SpringSource about the possibility of remote code execution.
SpringSource updated our security report 12-06-2012 with Aspect Security’s finding – but the fix/mitigation listed in the original advisory is still applicable: http://support.springsource.com/security/cve-2011-2730
This vulnerability only affects Spring Framework versions:
• 3.0.0 to 3.0.5 -- upgrading to 3.0.6 here would solve the issue.
• 2.5.0 to 2.5.6.SEC02 (community releases) -- upgrading to 2.5.6.SEC03 here would solve the issue.
• 2.5.0 to 2.5.7.SR01 (subscription customers) -- upgrading to 2.5.7.SR02 here would solve the issue.
This has been fixed in all versions going forward – the current release of SpringFramework is 3.2, released in Dec 2012.
Thanks,
-Pieter (SpringSource)
Check out this Aspect Security/Minded Security evaluation of SpEL (google docs link), to which the article you link to is probably referring (for the specific case of SpEL).
They describe how certain spring JSP tags double evaluate EL expressions. In these cases it may be possible for the user to submit data to the server in the form of SpEL e.g. as a request parameter with value ${bean.val} (URL encoded)
http://...?exp=$%7Bbean.val%7D
Inside JSP pages, the expression ${param.exp} will be resolved to the text ${bean.val} which by itself is safe. If however, that expression resides within an attribute of a spring JSTL tag, that resolved value may be evaluated again e.g. in the spring:message tag:
<spring:message message="${param.exp}" />
will result in the value ${bean.val} being passed through to the spring:message tag which will evaluate the bean.getVal() method. Hence we now have code submitted by the client and being run on the server.
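The double-evaluation pattern described in the answer above can be looked for statically in JSP sources. The following Python scan is an added example, not code from the original posts or from Spring: it flags attributes of Spring JSP tags that are fed by request-controlled EL implicit objects; the function names are hypothetical and the sample page is constructed.

```python
import re

# Taglib URIs of the Spring JSP tag libraries (core tags and form tags).
SPRING_URI = "http://www.springframework.org/tags"
TAGLIB = re.compile(r'<%@\s*taglib\b(?P<attrs>[^%]*)%>', re.S)
ATTR = re.compile(r'(?P<name>[\w:.-]+)\s*=\s*(?P<q>["\'])(?P<value>.*?)(?P=q)', re.S)
# EL implicit objects whose values come straight from the HTTP request.
REQUEST_EL = re.compile(r'\$\{\s*(?:param|paramValues|header|headerValues|cookie)\b[^}]*\}')


def spring_prefixes(jsp_text):
    """Prefixes this page binds to a Spring tag library via <%@ taglib %>."""
    found = set()
    for directive in TAGLIB.finditer(jsp_text):
        attrs = {m["name"]: m["value"] for m in ATTR.finditer(directive["attrs"])}
        if attrs.get("uri", "").startswith(SPRING_URI) and attrs.get("prefix"):
            found.add(attrs["prefix"])
    return found


def find_double_eval_candidates(jsp_text):
    """Return (line, tag, attribute, expression) for every Spring tag attribute
    whose value contains request-controlled EL. Plain ${param.x} in template
    text or in non-Spring tags is resolved once and is not reported."""
    prefixes = spring_prefixes(jsp_text)
    if not prefixes:
        return []
    names = "|".join(re.escape(p) for p in sorted(prefixes))
    tag_re = re.compile(r'<(?P<tag>(?:%s):[\w.-]+)(?P<attrs>[^>]*)>' % names, re.S)
    findings = []
    for tag in tag_re.finditer(jsp_text):
        line = jsp_text.count("\n", 0, tag.start()) + 1
        for attr in ATTR.finditer(tag["attrs"]):
            for expr in REQUEST_EL.finditer(attr["value"]):
                findings.append((line, tag["tag"], attr["name"], expr.group(0)))
    return findings


# Constructed sample page, not taken from any real application.
SAMPLE_JSP = '''<%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<p>${param.exp}</p>
<c:out value="${param.exp}" />
<spring:message message="${param.exp}" />
<spring:message code="label.title" />
'''

if __name__ == "__main__":
    for line, tag, attr, expr in find_double_eval_candidates(SAMPLE_JSP):
        print(f"line {line}: <{tag}> attribute {attr!r} receives {expr}")
```

A hit is a candidate for review rather than a confirmed flaw: whether the resolved value is evaluated a second time depends on the Spring Framework version, per the affected ranges listed in the SpringSource answer above.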