<protected-views><url-pattern> does not work as per Servlet 12.1 and is compared against JSF view ID instead of request URL

[eclipse-faces-bot]

Trigger: http://stackoverflow.com/q/29104597/157882

Problem 1: does not work as per Servlet 12.1. It does merely an exact match and wildcards are not supported. It's also nowhere in JSF 2.2 specification documented how exactly this should be used in faces-config.xml.

Problem 2: During generating action URL, is not compared against final action URL, but against JSF view ID, causing failures when there's a virtual URL based mapping like .faces or /faces/.

Another non-related problem 3: the current approach is inefficient. It's for every single view checked on a per-request basis while it could easily be (lazily) checked and stored in view/facelet metadata on an application wide basis.

Affected Versions

[2.2]

[eclipse-faces-bot]

@glassfishrobot Commented
Reported by @BalusC

[eclipse-faces-bot]

@glassfishrobot Commented
This issue was imported from java.net JIRA JAVASERVERFACES_SPEC_PUBLIC-1369

[eclipse-faces-bot]

• Issue Imported From: <protected-views><url-pattern> does not work as per Servlet 12.1 and is compared against JSF view ID instead of request URL javaee/javaserverfaces-spec#1369
• Original Issue Raised By:@glassfishrobot
• Original Issue Assigned To: Unassigned

[BalusC]

This is actually as per spec: eclipse-ee4j/mojarra#5503

The cause of all this confusion/ambiguity is that view IDs of protected views are registered in faces-config.xml in entries named <url-pattern> instead of for example <view-id> and hereby unintentionally creating the impression that they need to represent URL patterns as defined in Servlet spec 12.1. But as per the Faces spec the value of the <url-pattern> entry must actually represent view ID not URL pattern.