org.jboss.seam.ui.renderkit
Class TokenRendererBase

java.lang.Object
  extended by javax.faces.render.Renderer
      extended by org.jboss.seam.ui.util.cdk.RendererBase
          extended by org.jboss.seam.ui.renderkit.TokenRendererBase

public class TokenRendererBase
extends RendererBase

The TokenRendererBase renders the form's signature as a hidden form field for the UIToken component. If the renderStampStore component is enabled, the actual signature is stored in the session and the key to this token store is placed in the hidden form field, providing the same guarantee for client-side state saving as with server-side state saving.

The form signature is calculated as follows:

 sha1(signature = contextPath + viewId + "," + formClientId + random alphanum, salt = clientUid)
 

The developer can also choose to incorporate the session id into this hash to generate a more secure token (at the cost of binding it to the session) by setting the requireSession attribute to true. Then the calculation becomes:

 sha1(signature = contextPath + viewId + "," + formClientId + "," + random alphanum + sessionId, salt = clientUid)
 

The decode method performs the following steps:

  1. Check if this is a postback, otherwise skip the check
  2. Check that this form was the one that was submitted, otherwise skip the check
  3. Get the unique client identifier (from cookie), otherwise throw an exception that the browser must have a unique identifier
  4. Get the javax.faces.FormSignature request parameter, otherwise throw an exception that the form signature is missing
  5. If the renderStampStore component is enabled, retrieve the render stamp from the store using the key stored in the render stamp attribute of the form.
  6. Generate the hash as before and verify that it equals the value of the javax.faces.FormSignature request parameter, otherwise throw an exception

If all of that passes, we are okay to process the form (advance to validate phase as decode() is called in apply request values).
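
The signature calculation and decode steps 3, 4 and 6 described above, as an added Java sketch that is not Seam's own code. The class and method names, hashing the salt ahead of the signature string, the Base64 output encoding, the use of SecurityException and passing the render stamp in directly (rather than reading it from the form attribute or the renderStampStore) are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

public class FormSignatureSketch {
    static final SecureRandom RNG = new SecureRandom();
    static final String ALPHANUM = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // Random alphanumeric render stamp, created when the form is rendered.
    static String renderStamp(int len) {
        StringBuilder sb = new StringBuilder(len);
        for (int i = 0; i < len; i++) sb.append(ALPHANUM.charAt(RNG.nextInt(ALPHANUM.length())));
        return sb.toString();
    }

    // Follows the two formulas above; sessionId is null unless requireSession is true.
    // Assumptions: the salt is hashed ahead of the signature string, output is Base64.
    static String sign(String contextPath, String viewId, String formClientId,
                       String stamp, String sessionId, String clientUid) throws Exception {
        String signature = contextPath + viewId + "," + formClientId
                + (sessionId == null ? stamp : "," + stamp + sessionId);
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(clientUid.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest(signature.getBytes(StandardCharsets.UTF_8)));
    }

    // Decode steps 3, 4 and 6: fail closed on a missing identifier, a missing
    // parameter or a mismatch. MessageDigest.isEqual compares in constant time.
    static void verify(String clientUid, String submitted, String contextPath, String viewId,
                       String formClientId, String stamp, String sessionId) throws Exception {
        if (clientUid == null) throw new SecurityException("browser must have a unique identifier");
        if (submitted == null) throw new SecurityException("form signature is missing");
        String expected = sign(contextPath, viewId, formClientId, stamp, sessionId, clientUid);
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                   submitted.getBytes(StandardCharsets.UTF_8)))
            throw new SecurityException("form signature does not match");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from a real application.
        String stamp = renderStamp(20), uid = "client-uid-from-cookie";
        String sig = sign("/app", "/edit.xhtml", "form1", stamp, null, uid);
        verify(uid, sig, "/app", "/edit.xhtml", "form1", stamp, null);   // same browser: passes
        try {   // same signature replayed with a different client identifier
            verify("other-browser-uid", sig, "/app", "/edit.xhtml", "form1", stamp, null);
        } catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Because the client identifier salts the hash, a signature lifted from one browser's form does not verify when submitted with another browser's cookie; passing a non-null sessionId additionally ties it to one session, as the requireSession option describes.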

Author:
Dan Allen, Stuart Douglas
See Also:
UnauthorizedCommandException

Field Summary
static java.lang.String FORM_SIGNATURE_PARAM
           
static java.lang.String RENDER_STAMP_ATTR
           
 
Fields inherited from class org.jboss.seam.ui.util.cdk.RendererBase
JAVASCRIPT_NAMESPACE
 
Constructor Summary
TokenRendererBase()
           
 
Method Summary
protected  void doDecode(javax.faces.context.FacesContext context, javax.faces.component.UIComponent component)
          Template method for custom decoding of concrete renderer.
protected  void doEncodeBegin(javax.faces.context.ResponseWriter writer, javax.faces.context.FacesContext context, javax.faces.component.UIComponent component)
          Template method for custom start encoding of concrete renderer.
protected  java.lang.Class getComponentClass()
          Get the base component class targeted by this renderer.
 
Methods inherited from class org.jboss.seam.ui.util.cdk.RendererBase
decode, doEncodeEnd, doEncodeChildren, encodeBegin, encodeEnd, encodeChildren, getUtils, preDecode, preEncodeBegin, renderChild, renderChildren
 
Methods inherited from class javax.faces.render.Renderer
convertClientId, getConvertedValue, getRendersChildren
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

FORM_SIGNATURE_PARAM

public static final java.lang.String FORM_SIGNATURE_PARAM
See Also:
Constant Field Values

RENDER_STAMP_ATTR

public static final java.lang.String RENDER_STAMP_ATTR
See Also:
Constant Field Values
Constructor Detail

TokenRendererBase

public TokenRendererBase()
Method Detail

getComponentClass

protected java.lang.Class getComponentClass()
Description copied from class: RendererBase
Get the base component class targeted by this renderer. Used to check arguments in decode/encode.

Specified by:
getComponentClass in class RendererBase

doDecode

protected void doDecode(javax.faces.context.FacesContext context,
                        javax.faces.component.UIComponent component)
Description copied from class: RendererBase
Template method for custom decoding of concrete renderer. All parameter checking is performed in the original decode() method.

Overrides:
doDecode in class RendererBase

doEncodeBegin

protected void doEncodeBegin(javax.faces.context.ResponseWriter writer,
                             javax.faces.context.FacesContext context,
                             javax.faces.component.UIComponent component)
                      throws java.io.IOException
Description copied from class: RendererBase
Template method for custom start encoding of concrete renderer. All parameter and writer checking is performed in the original encodeBegin() method.

Overrides:
doEncodeBegin in class RendererBase
Throws:
java.io.IOException


Copyright © 2010 JBoss. All Rights Reserved.