Uploaded image for project: 'PUBLIC - Liferay Faces'
  1. PUBLIC - Liferay Faces
  2. FACES-3134

Enable javax.faces.ALWAYS_PERFORM_VALIDATION_WHEN_REQUIRED_IS_TRUE by default

    Details

      Description

      The JSF 2.3 Expert Group improved security for UIInput components with required="true" via JAVASERVERFACES_SPEC_PUBLIC-1433. However, the improved security is disabled by default in order to maintain strict backward compatibility.

      This task involves creating a META-INF/web-fragment.xml descriptor in the master, 4.x, and 3.x branches of the liferay-faces-util project so that all projects that use Liferay Faces will have the improved security enabled by default:

      META-INF/web-fragment.xml
      <context-param>
      	<param-name>javax.faces.ALWAYS_PERFORM_VALIDATION_WHEN_REQUIRED_IS_TRUE</param-name>
      	<param-value>true</param-value>
      </context-param>
      

      It is not possible to add a META-INF/web-fragment.xml descriptor in the 1.x branch since web-fragment is a Servlet 3.0 feature and the 1.x branch assumes a Servlet 2.5 environment.

      Instead, the context-param must be added to each demo portlet individually, such as the jsf-applicant-portlet, etc.

      In order to take full advantage of this improved security, developers will need to use JSF 2.3 or upgrade to versions of JSF 2.2, 2.1, or 1.2 that have the improved security feature backported.

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Packages

                  Version Package
                  util-1.1.0
                  util-2.1.0
                  bridge-impl-2.1.0
                  util-3.1.0