javaserverfaces-spec-public / JAVASERVERFACES_SPEC_PUBLIC-1246

Prevent jumping into a flow without going through the front door.

    Details

    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.2
    • Fix Version/s: None
    • Component/s: Flow
    • Labels: None

      Description

      RS> One observation is with regard to access to flow scoped data. When
      RS> using the provided buttons, everything works as it should, i.e. flow
      RS> scoped data is created at the point of entering the flow and
      RS> destroyed when the flow is exited. However, it is easy to bypass the
      RS> entry and exit points. For example, I can go directly to a page
      RS> associated with a flow without entering the flow, and if the page
      RS> tries to access flow data, the result would be
      RS> ContextNotActiveException.

      One could argue that such an exception is the right response. The
      context is indeed not active. However, if you are not using any flow
      scoped data, such an exception would not be thrown, and it would give
      the impression that the navigation is supported.

      I think we can add some language to the spec to detect these "jump in"
      cases.
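
One way an application could reject the "jump in" described above, as an added example that is not part of the original issue or of the JSF specification. It assumes the JSF 2.2 `javax.faces` API, a hypothetical class name `FlowFrontDoorGuard`, hypothetical flow ids `checkout` and `signup`, and the convention that each flow's pages live under `/<flowId>/`.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.faces.FacesException;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;
import javax.faces.flow.Flow;
import javax.faces.flow.FlowHandler;

/** Hypothetical guard: refuses to render a flow page unless that flow is active. */
public class FlowFrontDoorGuard implements PhaseListener {
    // Assumption: this application's flow ids; each flow keeps its pages in /<flowId>/.
    private static final Set<String> FLOW_IDS =
            new HashSet<>(Arrays.asList("checkout", "signup"));

    @Override public PhaseId getPhaseId() { return PhaseId.RENDER_RESPONSE; }
    @Override public void afterPhase(PhaseEvent event) { }

    @Override
    public void beforePhase(PhaseEvent event) {
        FacesContext ctx = event.getFacesContext();
        if (ctx.getViewRoot() == null) return;
        String owner = owningFlow(ctx.getViewRoot().getViewId());
        if (owner == null) return;                        // not a flow page
        FlowHandler fh = ctx.getApplication().getFlowHandler();
        Flow current = (fh == null) ? null : fh.getCurrentFlow(ctx);
        if (current != null && owner.equals(current.getId())) return; // entered via the flow
        try {   // jump-in: fail the same way whether or not the page touches flow data
            ctx.getExternalContext().responseSendError(404, "Not Found");
        } catch (IOException e) {
            throw new FacesException(e);
        }
        ctx.responseComplete();
    }

    /** Returns the flow id that owns viewId (its first path segment), or null. */
    static String owningFlow(String viewId) {
        if (viewId == null || !viewId.startsWith("/")) return null;
        int slash = viewId.indexOf('/', 1);
        if (slash < 0) return null;
        String first = viewId.substring(1, slash);
        return FLOW_IDS.contains(first) ? first : null;
    }
}
```

The listener would be registered with a `<phase-listener>` element inside `<lifecycle>` in `faces-config.xml`.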

        Activity

        Ed Burns created issue -
        Ed Burns added a comment -

        Rossen wrote:

        When flows are defined under the web application's root, I can easily access
        their source from a browser, which is a security concern. I can see there is
        an example that puts the flow definition under WEB-INF but the pages are
        still under the web application root and hence the flow is in two different
        places. It would be useful to be able to keep a flow with all its files in a
        folder under WEB-INF.

        Ed Burns added a comment -

        Set priority to baseline ahead of JSF 2.3 triage. Priorities will be assigned accurately after this exercise.

        Ed Burns made changes -
        Field Original Value New Value
        Priority Major [ 3 ] Trivial [ 5 ]
        Fix Version/s 2.3 [ 16372 ]
        Ed Burns made changes -
        Priority Trivial [ 5 ] Major [ 3 ]

          People

          • Assignee:
            Unassigned
            Reporter:
            Ed Burns
          • Votes:
            0
            Watchers:
            1
