/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 1997-2010 Oracle and/or its affiliates. All rights reserved.
*
* The contents of this file are subject to the terms of either the GNU
* General Public License Version 2 only ("GPL") or the Common Development
* and Distribution License("CDDL") (collectively, the "License"). You
* may not use this file except in compliance with the License. You can
* obtain a copy of the License at
* https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
* or packager/legal/LICENSE.txt. See the License for the specific
* language governing permissions and limitations under the License.
*
* When distributing the software, include this License Header Notice in each
* file and include the License file at packager/legal/LICENSE.txt.
*
* GPL Classpath Exception:
* Oracle designates this particular file as subject to the "Classpath"
* exception as provided by Oracle in the GPL Version 2 section of the License
* file that accompanied this code.
*
* Modifications:
* If applicable, add the following below the License Header, with the fields
* enclosed by brackets [] replaced by your own identifying information:
* "Portions Copyright [year] [name of copyright owner]"
*
* Contributor(s):
* If you wish your version of this file to be governed by only the CDDL or
* only the GPL Version 2, indicate your decision by adding "[Contributor]
* elects to include this software in this distribution under the [CDDL or GPL
* Version 2] license." If you don't indicate a single choice of license, a
* recipient has the option to distribute your version of this file under
* either the CDDL, the GPL Version 2 or to extend the choice of license to
* its licensees as provided above. However, if you add GPL Version 2 code
* and therefore, elected the GPL Version 2 license, then the option applies
* only if the new code is made subject to such option by the copyright
* holder.
*/
package javax.faces.webapp;
import java.io.
IOException;
import java.util.
ArrayList;
import java.util.
Collections;
import java.util.
EnumSet;
import java.util.
ResourceBundle;
import java.util.logging.
Level;
import java.util.logging.
Logger;
import java.util.
Set;
import java.util.
HashSet;
import java.util.
List;
import javax.faces.
FacesException;
import javax.faces.
FactoryFinder;
import javax.faces.application.
ResourceHandler;
import javax.faces.context.
FacesContext;
import javax.faces.context.
FacesContextFactory;
import javax.faces.lifecycle.
Lifecycle;
import javax.faces.lifecycle.
LifecycleFactory;
import javax.servlet.
Servlet;
import javax.servlet.
ServletConfig;
import javax.servlet.
ServletException;
import javax.servlet.
ServletRequest;
import javax.servlet.
ServletResponse;
import javax.servlet.
UnavailableException;
import javax.servlet.annotation.
MultipartConfig;
import javax.servlet.http.
HttpServletRequest;
import javax.servlet.http.
HttpServletResponse;
/**
* <p><strong class="changed_modified_2_0 changed_modified_2_0_rev_a
* changed_modified_2_1 changed_modified_2_2">FacesServlet</strong> is a
* servlet that manages the request processing lifecycle for web
* applications that are utilizing JavaServer Faces to construct the
* user interface.</p>
*
* <div class="changed_added_2_1">
*
* <p>If the application is running in a Servlet 3.0 (and beyond)
* container, the runtime must provide an implementation of the {@link
* javax.servlet.ServletContainerInitializer} interface that declares
* the following classes in its {@link
* javax.servlet.annotation.HandlesTypes} annotation.</p>
* <ul>
* <li>{@link javax.faces.application.ResourceDependencies}</li>
* <li>{@link javax.faces.application.ResourceDependency}</li>
* <li>javax.faces.bean.ManagedBean</li>
* <li>{@link javax.faces.component.FacesComponent}</li>
* <li>{@link javax.faces.component.UIComponent}</li>
* <li>{@link javax.faces.convert.Converter}</li>
* <li>{@link javax.faces.convert.FacesConverter}</li>
* <li>{@link javax.faces.event.ListenerFor}</li>
* <li>{@link javax.faces.event.ListenersFor}</li>
* <li>{@link javax.faces.render.FacesBehaviorRenderer}</li>
* <li>{@link javax.faces.render.Renderer}</li>
* <li>{@link javax.faces.validator.FacesValidator}</li>
* <li>{@link javax.faces.validator.Validator}</li>
* </ul>
* <p>This servlet must automatically be mapped if it is
* <strong>not</strong> explicitly mapped in <code>web.xml</code> or
* <code>web-fragment.xml</code> and one or more of the following
* conditions are true.</p>
* <ul>
* <li><p>A <code>faces-config.xml</code> file is found in
* <code>WEB-INF</code> </p></li>
* <li><p>A <code>faces-config.xml</code> file is found in the
* <code>META-INF</code> directory of a jar in the application's
* classpath.</p></li>
* <li><p>A filename ending in <code>.faces-config.xml</code> is
* found in the <code>META-INF</code> directory of a jar in the
* application's classpath.</p></li>
* <li><p>The <code>javax.faces.CONFIG_FILES</code> context param
* is declared in <code>web.xml</code> or
* <code>web-fragment.xml</code>.</p></li>
* <li><p>The <code>Set</code> of classes passed to the
* <code>onStartup()</code> method of the
* <code>ServletContainerInitializer</code> implementation is not
* empty.</p></li>
* </ul>
* <p>If the runtime determines that the servlet must be automatically
* mapped, it must be mapped to the following
* <<code>url-pattern</code>> entries.</p>
* <ul>
* <li>/faces</li>
* <li>*.jsf</li>
* <li>*.faces</li>
* </ul>
* </div>
* <div class="changed_added_2_2">
*
* <p>This class must be annotated with {@code javax.servlet.annotation.MultipartConfig}.
* This causes the Servlet container in which the JSF implementation is running
* to correctly handle multipart form data.</p>
* <p><strong>Some security considerations relating to this class</strong></p>
* <p>The topic of web application security is a cross-cutting concern
* and every aspect of the specification address it. However, as with
* any framework, the application developer needs to pay careful
* attention to security. Please consider these topics among the rest
* of the security concerns for the application. This is by no means a
* complete list of security concerns, and is no substitute for a
* thorough application level security review.</p>
*
* <ul>
* <p><strong>Prefix mappings and the <code>FacesServlet</code></strong></p>
* <p>If the <code>FacesServlet</code> is mapped using a prefix
* <code><url-pattern></code>, such as
* <code><url-pattern>/faces/*</url-pattern></code>,
* something must be done to prevent access to the view source without
* its first being processed by the <code>FacesServlet</code>. One
* common approach is to apply a <security-constraint> to all
* facelet files and flow definition files. Please see the
* <strong>Deployment Descriptor</strong> chapter of the Java Servlet
* Specification for more information the use of
* <security-constraint>.</p>
* <p><strong>Allowable HTTP Methods</strong></p>
* <p>The JSF specification only requires the use of the GET and POST
* http methods. If your web application does not require any other
* http methods, such as PUT and DELETE, please consider restricting the
* allowable http methods using the <http-method> and
* <http-method-omission> elements. Please see the
* <strong>Security</strong> of the Java Servlet Specification for more
* information the use of these elements.</p>
* </ul>
*
* </div>
*/
@
MultipartConfig
public final class
FacesServlet implements
Servlet {
/*
* A white space separated list of case sensitive HTTP method names
* that are allowed to be processed by this servlet. * means allow all
*/
private static final
String ALLOWED_HTTP_METHODS_ATTR =
"com.sun.faces.allowedHttpMethods";
// Http method names must be upper case. http://www.w3.org/Protocols/HTTP/NoteMethodCS.html
// List of valid methods in Http 1.1 http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9
private enum
HttpMethod {
OPTIONS("OPTIONS"),
GET("GET"),
HEAD("HEAD"),
POST("POST"),
PUT("PUT"),
DELETE("DELETE"),
TRACE("TRACE"),
CONNECT("CONNECT");
private
String name;
HttpMethod(
String name) {
this.
name =
name;
}
@
Override
public
String toString() {
return
name;
}
}
private
Set<
String>
allowedUnknownHttpMethods;
private
Set<
HttpMethod>
allowedKnownHttpMethods;
final private
Set<
HttpMethod>
defaultAllowedHttpMethods =
EnumSet.
range(
HttpMethod.
OPTIONS,
HttpMethod.
CONNECT);
private
Set<
HttpMethod>
allHttpMethods;
private boolean
allowAllMethods;
/**
* <p>Context initialization parameter name for a comma delimited list
* of context-relative resource paths (in addition to
* <code>/WEB-INF/faces-config.xml</code> which is loaded automatically
* if it exists) containing JavaServer Faces configuration information.</p>
*/
public static final
String CONFIG_FILES_ATTR =
"javax.faces.CONFIG_FILES";
/**
* <p>Context initialization parameter name for the lifecycle identifier
* of the {@link Lifecycle} instance to be utilized.</p>
*/
public static final
String LIFECYCLE_ID_ATTR =
"javax.faces.LIFECYCLE_ID";
/**
* The <code>Logger</code> for this class.
*/
private static final
Logger LOGGER =
Logger.
getLogger("javax.faces.webapp", "javax.faces.LogStrings");
/**
* <p>Factory for {@link FacesContext} instances.</p>
*/
private
FacesContextFactory facesContextFactory = null;
/**
* <p>The {@link Lifecycle} instance to use for request processing.</p>
*/
private
Lifecycle lifecycle = null;
/**
* <p>The <code>ServletConfig</code> instance for this servlet.</p>
*/
private
ServletConfig servletConfig = null;
/**
* From GLASSFISH-15632. If true, the FacesContext instance
* left over from startup time has been released.
*/
private boolean
initFacesContextReleased = false;
/**
* <p>Release all resources acquired at startup time.</p>
*/
public void
destroy() {
facesContextFactory = null;
lifecycle = null;
servletConfig = null;
uninitHttpMethodValidityVerification();
}
/**
* <p>Return the <code>ServletConfig</code> instance for this servlet.</p>
*/
public
ServletConfig getServletConfig() {
return (this.
servletConfig);
}
/**
* <p>Return information about this Servlet.</p>
*/
public
String getServletInfo() {
return (this.
getClass().
getName());
}
/**
* <p>Acquire the factory instances we will require.</p>
*
* @throws ServletException if, for any reason, the startup of
* this Faces application failed. This includes errors in the
* config file that is parsed before or during the processing of
* this <code>init()</code> method.
*/
public void
init(
ServletConfig servletConfig) throws
ServletException {
// Save our ServletConfig instance
this.
servletConfig =
servletConfig;
// Acquire our FacesContextFactory instance
try {
facesContextFactory = (
FacesContextFactory)
FactoryFinder.
getFactory
(
FactoryFinder.
FACES_CONTEXT_FACTORY);
} catch (
FacesException e) {
ResourceBundle rb =
LOGGER.
getResourceBundle();
String msg =
rb.
getString("severe.webapp.facesservlet.init_failed");
Throwable rootCause = (
e.
getCause() != null) ?
e.
getCause() :
e;
LOGGER.
log(
Level.
SEVERE,
msg,
rootCause);
throw new
UnavailableException(
msg);
}
// Acquire our Lifecycle instance
try {
LifecycleFactory lifecycleFactory = (
LifecycleFactory)
FactoryFinder.
getFactory(
FactoryFinder.
LIFECYCLE_FACTORY);
String lifecycleId ;
// First look in the servlet init-param set
if (null == (
lifecycleId =
servletConfig.
getInitParameter(
LIFECYCLE_ID_ATTR))) {
// If not found, look in the context-param set
lifecycleId =
servletConfig.
getServletContext().
getInitParameter
(
LIFECYCLE_ID_ATTR);
}
if (
lifecycleId == null) {
lifecycleId =
LifecycleFactory.
DEFAULT_LIFECYCLE;
}
lifecycle =
lifecycleFactory.
getLifecycle(
lifecycleId);
initHttpMethodValidityVerification();
} catch (
FacesException e) {
Throwable rootCause =
e.
getCause();
if (
rootCause == null) {
throw
e;
} else {
throw new
ServletException(
e.
getMessage(),
rootCause);
}
}
}
private void
initHttpMethodValidityVerification() {
assert (null ==
allowedUnknownHttpMethods);
assert (null !=
defaultAllowedHttpMethods);
assert (null ==
allHttpMethods);
allHttpMethods =
EnumSet.
allOf(
HttpMethod.class);
// Configure our permitted HTTP methods
allowedUnknownHttpMethods =
Collections.
emptySet();
allowedKnownHttpMethods =
defaultAllowedHttpMethods;
String[]
methods;
String allowedHttpMethodsString =
servletConfig.
getServletContext().
getInitParameter(
ALLOWED_HTTP_METHODS_ATTR);
if (null !=
allowedHttpMethodsString) {
methods =
allowedHttpMethodsString.
split("\\s+");
assert (null !=
methods); // assuming split always returns a non-null array result
allowedUnknownHttpMethods = new
HashSet(
methods.length);
List<
String>
allowedKnownHttpMethodsStringList = new
ArrayList<
String>();
// validate input against allHttpMethods data structure
for (
String cur :
methods) {
if (
cur.
equals("*")) {
allowAllMethods = true;
allowedUnknownHttpMethods =
Collections.
emptySet();
return;
}
boolean
isKnownHttpMethod;
try {
HttpMethod.
valueOf(
cur);
isKnownHttpMethod = true;
} catch (
IllegalArgumentException e) {
isKnownHttpMethod = false;
}
if (!
isKnownHttpMethod) {
if (
LOGGER.
isLoggable(
Level.
WARNING)) {
HttpMethod []
values =
HttpMethod.
values();
Object []
arg = new
Object[
values.length + 1];
arg[0] =
cur;
System.
arraycopy(
values,
HttpMethod.
OPTIONS.
ordinal(),
arg, 1,
values.length);
LOGGER.
log(
Level.
WARNING,
"warning.webapp.facesservlet.init_invalid_http_method",
arg);
}
// prevent duplicates
if (!
allowedUnknownHttpMethods.
contains(
cur)) {
allowedUnknownHttpMethods.
add(
cur);
}
} else {
// prevent duplicates
if (!
allowedKnownHttpMethodsStringList.
contains(
cur)) {
allowedKnownHttpMethodsStringList.
add(
cur);
}
}
}
// Optimally initialize allowedKnownHttpMethods
if (5 ==
allowedKnownHttpMethodsStringList.
size()) {
allowedKnownHttpMethods =
EnumSet.
of(
HttpMethod.
valueOf(
allowedKnownHttpMethodsStringList.
get(0)),
HttpMethod.
valueOf(
allowedKnownHttpMethodsStringList.
get(1)),
HttpMethod.
valueOf(
allowedKnownHttpMethodsStringList.
get(2)),
HttpMethod.
valueOf(
allowedKnownHttpMethodsStringList.
get(3)),
HttpMethod.
valueOf(
allowedKnownHttpMethodsStringList.
get(4))
);
} else if (4 ==
allowedKnownHttpMethodsStringList.
size()) {
allowedKnownHttpMethods =
EnumSet.
of(
HttpMethod.
valueOf(
allowedKnownHttpMethodsStringList.
get(0)),
HttpMethod.
valueOf(
allowedKnownHttpMethodsStringList.
get(1)),
HttpMethod.
valueOf(
allowedKnownHttpMethodsStringList.
get(2)),
HttpMethod.
valueOf(
allowedKnownHttpMethodsStringList.
get(3))
);
} else if (3 ==
allowedKnownHttpMethodsStringList.
size()) {
allowedKnownHttpMethods =
EnumSet.
of(
HttpMethod.
valueOf(
allowedKnownHttpMethodsStringList.
get(0)),
HttpMethod.
valueOf(
allowedKnownHttpMethodsStringList.
get(1)),
HttpMethod.
valueOf(
allowedKnownHttpMethodsStringList.
get(2))
);
} else if (2 ==
allowedKnownHttpMethodsStringList.
size()) {
allowedKnownHttpMethods =
EnumSet.
of(
HttpMethod.
valueOf(
allowedKnownHttpMethodsStringList.
get(0)),
HttpMethod.
valueOf(
allowedKnownHttpMethodsStringList.
get(1))
);
} else if (1 ==
allowedKnownHttpMethodsStringList.
size()) {
allowedKnownHttpMethods =
EnumSet.
of(
HttpMethod.
valueOf(
allowedKnownHttpMethodsStringList.
get(0))
);
} else {
List<
HttpMethod>
restList =
new
ArrayList<
HttpMethod>(
allowedKnownHttpMethodsStringList.
size() - 1);
for (int
i = 1;
i <
allowedKnownHttpMethodsStringList.
size() - 1;
i++) {
restList.
add(
HttpMethod.
valueOf(
allowedKnownHttpMethodsStringList.
get(
i)
));
}
HttpMethod first =
HttpMethod.
valueOf(
allowedKnownHttpMethodsStringList.
get(0));
HttpMethod []
rest = new
HttpMethod[
restList.
size()];
restList.
toArray(
rest);
allowedKnownHttpMethods =
EnumSet.
of(
first,
rest);
}
}
}
private void
uninitHttpMethodValidityVerification() {
assert (null !=
allowedUnknownHttpMethods);
assert (null !=
defaultAllowedHttpMethods);
assert (null !=
allHttpMethods);
allowedUnknownHttpMethods.
clear();
allowedUnknownHttpMethods = null;
allowedKnownHttpMethods.
clear();
allowedKnownHttpMethods = null;
allHttpMethods.
clear();
allHttpMethods = null;
}
/**
* <p class="changed_modified_2_0"><span
* class="changed_modified_2_2">Process</span> an incoming request,
* and create the corresponding response according to the following
* specification.</p>
*
* <div class="changed_modified_2_0">
*
* <p>If the <code>request</code> and <code>response</code>
* arguments to this method are not instances of
* <code>HttpServletRequest</code> and
* <code>HttpServletResponse</code>, respectively, the results of
* invoking this method are undefined.</p>
*
* <p>This method must respond to requests that <span
* class="changed_modified_2_2">contain</span> the following
* strings by invoking the <code>sendError</code> method on the
* response argument (cast to <code>HttpServletResponse</code>),
* passing the code <code>HttpServletResponse.SC_NOT_FOUND</code> as
* the argument. </p>
*
* <ul>
*
<pre><code>
/WEB-INF/
/WEB-INF
/META-INF/
/META-INF
</code></pre>
*
* </ul>
*
* <p>If none of the cases described above in the specification for
* this method apply to the servicing of this request, the following
* action must be taken to service the request.</p>
* <p>Acquire a {@link FacesContext} instance for this request.</p>
* <p>Acquire the <code>ResourceHandler</code> for this request by
* calling {@link
* javax.faces.application.Application#getResourceHandler}. Call
* {@link
* javax.faces.application.ResourceHandler#isResourceRequest}. If
* this returns <code>true</code> call {@link
* javax.faces.application.ResourceHandler#handleResourceRequest}.
* If this returns <code>false</code>, <span
* class="changed_added_2_2">call {@link
* javax.faces.lifecycle.Lifecycle#attachWindow} followed by </span>
* {@link javax.faces.lifecycle.Lifecycle#execute} followed by
* {@link javax.faces.lifecycle.Lifecycle#render}. If a {@link
* javax.faces.FacesException} is thrown in either case, extract the
* cause from the <code>FacesException</code>. If the cause is
* <code>null</code> extract the message from the
* <code>FacesException</code>, put it inside of a new
* <code>ServletException</code> instance, and pass the
* <code>FacesException</code> instance as the root cause, then
* rethrow the <code>ServletException</code> instance. If the cause
* is an instance of <code>ServletException</code>, rethrow the
* cause. If the cause is an instance of <code>IOException</code>,
* rethrow the cause. Otherwise, create a new
* <code>ServletException</code> instance, passing the message from
* the cause, as the first argument, and the cause itself as the
* second argument.</p>
* <p class="changed_modified_2_0_rev_a">The implementation must
* make it so {@link javax.faces.context.FacesContext#release} is
* called within a finally block as late as possible in the
* processing for the JSF related portion of this request.</p>
* </div>
*
* @param req The servlet request we are processing
* @param resp The servlet response we are creating
*
* @throws IOException if an input/output error occurs during processing
* @throws ServletException if a servlet error occurs during processing
*/
@
Override
public void
service(
ServletRequest req,
ServletResponse resp)
throws
IOException,
ServletException {
HttpServletRequest request = (
HttpServletRequest)
req;
HttpServletResponse response = (
HttpServletResponse)
resp;
requestStart(
request.
getRequestURI()); // V3 Probe hook
if (!
isHttpMethodValid(
request)) {
response.
sendError(
HttpServletResponse.
SC_BAD_REQUEST);
return;
}
if (
Thread.
currentThread().
isInterrupted()) {
if (
LOGGER.
isLoggable(
Level.
FINER)) {
LOGGER.
log(
Level.
FINE, "Thread {0} given to FacesServlet.service() in interrupted state",
Thread.
currentThread().
getName());
}
}
// If prefix mapped, then ensure requests for /WEB-INF are
// not processed.
String pathInfo =
request.
getPathInfo();
if (
pathInfo != null) {
pathInfo =
pathInfo.
toUpperCase();
if (
pathInfo.
contains("/WEB-INF/")
||
pathInfo.
contains("/WEB-INF")
||
pathInfo.
contains("/META-INF/")
||
pathInfo.
contains("/META-INF")) {
response.
sendError(
HttpServletResponse.
SC_NOT_FOUND);
return;
}
}
if (!
initFacesContextReleased) {
FacesContext initFacesContext =
FacesContext.
getCurrentInstance();
if (null !=
initFacesContext) {
initFacesContext.
release();
}
initFacesContextReleased = true;
}
// Acquire the FacesContext instance for this request
FacesContext context =
facesContextFactory.
getFacesContext
(
servletConfig.
getServletContext(),
request,
response,
lifecycle);
// Execute the request processing lifecycle for this request
try {
ResourceHandler handler =
context.
getApplication().
getResourceHandler();
if (
handler.
isResourceRequest(
context)) {
handler.
handleResourceRequest(
context);
} else {
lifecycle.
attachWindow(
context);
lifecycle.
execute(
context);
lifecycle.
render(
context);
}
} catch (
FacesException e) {
Throwable t =
e.
getCause();
if (
t == null) {
throw new
ServletException(
e.
getMessage(),
e);
} else {
if (
t instanceof
ServletException) {
throw ((
ServletException)
t);
} else if (
t instanceof
IOException) {
throw ((
IOException)
t);
} else {
throw new
ServletException(
t.
getMessage(),
t);
}
}
}
finally {
// Release the FacesContext instance for this request
context.
release();
}
requestEnd(); // V3 Probe hook
}
private boolean
isHttpMethodValid(
HttpServletRequest request) {
boolean
result = false;
if (
allowAllMethods) {
result = true;
} else {
String requestMethodString =
request.
getMethod();
HttpMethod requestMethod = null;
boolean
isKnownHttpMethod;
try {
requestMethod =
HttpMethod.
valueOf(
requestMethodString);
isKnownHttpMethod = true;
} catch (
IllegalArgumentException e) {
isKnownHttpMethod = false;
}
if (
isKnownHttpMethod) {
result =
allowedKnownHttpMethods.
contains(
requestMethod);
} else {
result =
allowedUnknownHttpMethods.
contains(
requestMethodString);
}
}
return
result;
}
// --------------------------------------------------------- Private Methods
/**
* DO NOT REMOVE. Necessary for V3 probe monitoring.
*/
@
SuppressWarnings({"UnusedDeclaration"})
private void
requestStart(
String requestUri) { }
/**
* DO NOT REMOVE. Necessary for V3 probe monitoring.
*/
private void
requestEnd() { }
}