JSF 2.x Tip of the Day: Encoding Text for XML

I have a simple method to encode text to display inside an XML page, or to use inside other XML/JS for example SyntaxHighlighter.

XMLEncode

---

Clickjacking and Java EE: Some Practical Solutions

©Technology Personalized

Introduction

What is Clickjacking?

Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the the top level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to other another page, most likely owned by another application, domain, or both.
Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.

- OWASP Clickjacking

What does this mean for Java EE developers?
 
We don't operate inside of a vacuum. HTML/JS technologies are the backbone of most EE applications. This makes them subject to this kind of attack just like any other HTML/JS technologies. In fact, we often abstract away a lot of the underlying HTML/JS from the developer, this can make us more susceptible to this kind of attack unless we are cognizant and diligent in applying defenses.

Fortunately, there are a number of simple things that developers can do to add additional layers of security to their applications in an unobtrusive way. Those methods include adding X-Frame-Options, and frame busting.

X-Frame-Options

The first solution is to add a header to our pages to offer a browser a "suggestion" on how to handle pages that contain frames. The options include DENY, SAMEORIGIN, and ALLOWFROM. The latter is a new addition and may not be supported. The DENY option advises the browser not to allow any content to be displayed if it comes inside a frame. The SAMEORIGIN option advises the browser to only display framed content, if the content is coming from the same origin as the original request. The ALLOWFROM option takes a parameter (URI) that advises that content from a given URI can be framed. As previously noted, this may not be supported on all browsers. You will need to examine your target browser for compliance. Make no assumptions about your users though. They will use a browser of convenience. The implementation of adding the header is simple. The OWASP has come-up with a simple filter to handle the X-Frame-Options.

Frame Busting

The second solution is simple too. It involves using CSS/JS to do something called "frame busting". There are a number of examples on the web. I would recommend that you examine them carefully. I have found that the code I use is simple, elegant, and does not leave a lot of room for attack vectors. This does not imply that it is invulnerable, but does provide a good defense.

In the frame busting method I use, the CSS sets the style attribute body{display:none !important;} on the <body /> tag of the page as soon as the page is loaded. This is followed by a JS function that checks to see if the page is inside a <frame />, if it is then it attempts to set the body as the top location. Thus it breaks the frame. If it is successful, it removes the body{display:none !important;}styling. Otherwise, the <body /> of page will not display. Simple.

Examples

I have created a NetBeans Maven project on Bitbucket: clickjacking-examples

The examples include comments and instructions to see the various issues, and possible solutions. Examples include HTML, JSF, and JSP pages. These examples were developed on GlassFish and tested on Apache Tomcat. The code for frame busting is included below for reference using JSF.

Frame Busting Code

---

References

• Clickjacking
• Clickjacking Defense Cheat Sheet
• Clickjacking Protection for Java EE (X-Frame-Options Filter)

JSF 2.2 Tip of the Day: Hidden Field Validation

Hidden Mines

Introduction

How often do you have validators on your hidden fields? I recently performed a security audit of an application that did not have validators associated with the hidden fields on the page. I suspect that the out of sight, out of mind mentality prevailed. Admittedly, I have often short circuited some development and put hidden fields in a JSF page without a validator. My expectation is that the data in the field would be used to provide information that may be needed by the application. However, if these fields have setters... and the results are stored in a database... I think you get the picture.

Methodology

I decided to create a more complex than really necessary example to show how to validate a <h:inputHidden /> field. In the example, you can enter names into an <h:inputText /> which will use JavaScript to update the hidden field. The validation will be activated on form submission. Additionally, a value change listener will update the planet name, and update the planet to the new planet. The validation will prevent putting in planets that don't exist in the enum for current Planets. You can confirm this by entering a bogus name, or poor Pluto that was kicked out of the planetary club.

Code

The code for this example was developed using NetBeans 8.0 IDE on GlassFish 4+ and Apache Tomcat 8+ using JSF 2.2 (Mojarra).

The code for the project can be downloaded from Bitbucket: hidden-field-validation

Planets.java

---

PlanetValidator.java

---

IndexBean.java

---

index.xhtml

---

JSF 2.2 Tip of the Day: JavaScript Popup Window with Dynamic URL Link

Introduction

There are times when you need to have a JavaScript popup window that opens to another URL based on user input.  The JavaScript is usually added to the onclick event on the JSF component. The dynamic link in JSF is more difficult to accomplish since binding the onclick using Expression Language (EL) is determined at page rendering time. As a result, this means that the JavaScript is not dynamic. As a result, the link is not dynamic either.

A Solution

I have created a project that has three examples that demonstrate the different types of JSF links including the dynamic link. The last example includes <f:param /> elements that are appended to the dynamic URL that is generated.

The dynamic example still uses the onclick event, but the JSF action performs a redirect of the newly opened window. Additionally, and of the parameters that are added to the JSF component are converted to query parameters and appended to the redirect URL.

The Apache Maven project created with NetBeans is located on BitBucket here: jsf-link-examples

The project was tested on GlassFish 4 using Mojarra  JSF 2.2, but the technique should work on other application servers and JSF 2.x versions.

Index.xhtml

---

IndexBean.java

---

JSF 2.2 Tip of the Day: Naughty Expression Language (EL)

Unexpected Effects

Many of you may know this already, but I was reminded the other day how this can catch even some of the most brilliant JSF developers. When you comment out a component in your xhtml page that has EL bindings, you may not be REALLY disabling it.
Expression Language (EL) is parsed and evaluated as the page is being rendered. As a result, any exposed EL syntax will be processed including functions which could have deleterious effects. For example, take a look at the following code, and guess what it will do.

So what happens?

Scary things happen....

1. It executes
2. Parser exception. The parser will try to find a property called doSomething
3. It will execute, please note that there is no <h:form/>. It is not required since we are evaluating the EL.
4. Parser exception. The parser will try to find a property called doSomethingElse

Sensei what do I do?

You have a couple of options. The first option is the easiest, and it is likely what you want anyway with your JSF pages. You can disable the comments. No need to transmit your development comments to the end users anyway. The second option is to add a - between the # and the { like this #-{indexBean.doSomethingElse()}.
The first option is handled by adding a configuration parameter to the web.xmlfile as shown below. Here is a more complete example: The result of the code is as follows:

The complete code example was developed using NetBeans 8.0 and GlassFish 4.0 on JDK 8. The code can be found here: auto-execute-el

JSF 2.2 Tip of the Day: Using JSF AJAX Events

Please wait...

Introduction

The JSF framework provides an easy to use AJAX event handling mechanism. The jsf.js library is included in Mojarra and MyFaces. There are two particular methods of interest: jsf.ajax.addOnError(callback) and jsf.ajax.addOnEvent(callback). I will be covering the latter handler.

The JsDoc does not really explain the jsf.ajax.addOnEvent(callback) code very well. Since it is Javascript, you can read it, but I think a simple example of its flexibility with some comments might work better.

Using the addOnEvent is very simple. You register the callback, and it gets called during the lifecycle. The important thing here to remember is that the callback must be a function. Otherwise, it will throw an error. You can control what event processing occurs during the lifecycle.

Events

The callback is invoked during the AJAX request and response lifecycle. The status passed to the callback are listed below.

Event	Description
begin	This is the start of the AJAX request.
complete	This is invoked right after AJAX response is returned.
success	This is invoked right after successful processing of AJAX response and update of HTML DOM.

Based on the status, we can take appropriate action on the AJAX event. A great example to demonstrate AJAX event handling is to provide feedback to the user to indicate the status of their request. I will demonstrate how to create an AJAX based progress loader to demonstrate the events.

Code

The code for our AJAX loader is very simple, and could be moved into a composite component if necessary. The NetBeans developed Maven project can be downloaded from the references section below.

index.xhtml

---

This code controls our progress bar by making changes to the CSS in DOM. The CSS idea is not mine, but it is clever. Here is the CSS.

loader.css

---

A simple CSS layout, and our Javascript callback to jsf.ajax.addOnEvent(callback) is all it takes to make a cool progress loader.

References

• jsf.js JsDoc
• ajax-loader-example

RichFaces 4.3.x Tip of the Day: Complex RichFaces Data Tables

Introduction

I have been working on JSF tables for the various projects I have been involved with over the years. Starting in 2012, I began looking at RichFaces <rich:dataTable /> for some projects at my day job. The research into how to handle a number of complex situations has been enlightening to say the least.

The table is the most complex component in HTML. It is seemingly boundless in its extensibility. You can have multi-column headers that span multiple rows, you can multi-row cells, or multi-column cells. Tables can be displayed left-to-right, or right-to-left, top-to-bottom and vice-versa. As a result, when developing components for JSF, or any component framework, decisions must be made on how to generate them.

A couple of the component frameworks like PrimeFaces, and RichFaces allow developers to create more complex tables with more ease. However there are limitations with each of these frameworks. We trade flexibility for consistency, and this is fine in most cases.

The demonstration code in this post is about getting some of the flexibility back, or taking advantage of the flexibility that comes with a framework like RichFaces. We will gain the flexibility back, but it is a function of complexity. The examples will show you techniques for doing the "same thing" in multiple ways. For example, sorting can be done on the server, client, or a combination of both.

The question is where we put the complex bits. The answer to that question depends on you as a developer. You need to examine the problem domain, and understand the limits to the techniques presented.

Solutions

Please let me confess something. I like building HTML objects programmatically. There I said it. In this case I am trading the ease of development for flexibility. The solutions below will demonstrate the different techniques for accomplishing the same functionality. Please examine the code carefully before discounting it. I spent a lot of time playing with it to make it look simple.

The code for this project was developed using NetBeans and Apache Maven. The code was tested on GlassFish 3.1.2.2 and 4.0. It should work on other application servers, but I have not tested it on other servers. This project assumes you are using NetBeans which includes a sample database that these examples require. If you are not using NetBeans, you will need to create your own database with sample data to display some of the tables.

The code can be downloaded from Bitbucket at the link below, or in the references section at the end of the post.

richfaces-tables-poc

Dynamic Data Table with Sorting

Dynamic Table with Sorting

This example uses the binding attribute of the <rich:dataTable /> to bind our table to a CDI @ManagedBean. The bean is responsible for generating the table programmatically, and returning it back to the page. The data is sortable by column.
As you can see the page is very simple. In fact, most of the page is plumbing and navigation. The <rich:dataTable /> is the smallest part of the page. The code to generate the table is much more complex.
As you can see we have traded simplicity in the page for complexity in the @ManagedBean. If you are satisfied with this technique, lets take a look at another one.

Dynamic Data Table with Sorting Revisited

Dynamic Table

This table uses the same dynamic binding as the example above on the JSF page, but uses helper utilities to create JSF components dynamically from a library that I have written. It is a separate project that you can download (Please see references). This reduces the chances for errors creating common components, but it is still a lot of code. To check our sorting, I have made a "random" data generator for the table data for the code to sort.
The more simplified code in the @ManagedBean is shown below.
The code above was written before I added more functionality to my jsf-utils project. The new methods would shorten this considerably, but it would still be fairly complex.

Dynamic Table using JSP/JSTL Tags with JSF

JSF/JSTL Dynamic Table

Let me start this example with a warning. If you are using JSP/JSTL tags in your JSF pages, you may encounter very bad behavior. This technique should only be used as a last resort. I will not labor a point. If you don't understand why this is a bad idea, take a look at this post for links: JSF 2.x Tip of the Day: Great Blog Posts Explaining JSTL vs. JSF.
In this example, I will generate the rows and columns using <c:forEach />. This transfers a lot of the complexity to the page and away from the @ManagedBean. Since we are using <c:forEach />, our mechanism for sorting has to change. I used Query jquery.tablesorter.js to allow sorting of the headers.
As you can see we have much simpler code in the page bean. It looks like what you would expect for a normal JSF data table.

Complex Data Table Design

Complex Table Design

This table has a lot of really cool features, but the code is complex in the page, and the page bean is relatively simple.

Conclusion

RichFaces supports complex table designs, and produces nice results. The amount of work required to create dynamic data tables depends on the technique chosen, and limitations on the data being presented. There is no "one good way" to create data tables. Suffice to say that the easiest path should be chosen.

References

• richfaces-tables-poc Apache Maven project
• jsf-utils
• JSF 2.x Tip of the Day: Great Blog Posts Explaining JSTL vs. JSF
• RichFaces
• NetBeans IDE

JSF 2.x: Nested Templates, Decorators, Fragments, and Includes

Ugly for Illustrative Purpose

I was looking at some JSF pages that I had been playing with to see about using decorators, fragments, etc. I thought someone might find it instructional, so I thought I would publish it before deleting the project. It demonstrates using a combination of methods to composite a JSF page into a cohesive unit.

DecoratedPage.xhtml

---

decoratedTable.xhtml

---

unorderedListTemplate.xhtml

---

listElements.xhtml

---

JSF 2.x Tip of the Day: Custom JSF AJAX Error Handling on Client

Introduction

One of the holes in JSF, in my professional judgement, is the lack of really good exception handling on the client for AJAX exceptions. A number of client frameworks like PrimeFaces, OmniFaces, and RichFaces attempt to cleanup for this shortcoming, it is still a deficiency.

The capabilities are present to make AJAX exception handling more robust. The "chemistry" is present in the framework, but it is not really standardized.

In this short example, I am demonstrating how to use the jsf.ajax.addOnError functionality to make client exception handling better. We will display at a minimum, an alert to let them know something bad has happened to their request.

Additionally, I will demonstrate how to use XPath to get additional information from the response.

Solution

The solution is to add the following code to the <head />: of the JSF page, or to an external JavaScript file that is included in the head. In my case, I am using an external JS file called jsf.ajax.handler.js that is loaded using JSF <h:outputScript />.

Here are the contents of the file.

References

• jsf.ajax
• Introduction to using XPath in JavaScript
• jsf.ajax.handler.js Gist on GitHub

JSF 2.2.x Tip of the Day: Custom JSF Exception Page including the default Facelets Exception Page

If you want to create a custom exception page in JSF and include the default exception page, you simply need to include one line of code.

This is an example of a custom exception page using the code above.

The resulting page will look like the image below. Please note that we are including the default JSF exception page.

JSF 2.x Tip of the Day: RichFaces <rich:tree /> Component Examples

Custom TreeModel and TreeNode

I have some code that I originally wrote for a proof of concept for doing some RichFaces <rich:tree /> examples. The modified code in these examples demonstrate how to use custom TreeNode, and TreeDataModel implementations to make really nice and functional trees. The code for my generic TypedTreeNode and TreeNodesSequenceKeyModel are fully functional and can be used out of the box as the basis of your own tree implementations.

The examples include the model provided by RichFaces, my custom model (TreeNodesSequenceKeyModel), and a custom implementation of a node. The custom node is generic so you can pass in any object you like. I chose to use text, but you could use a more complex object.

The custom model, custom node, and tree are shown in the image on the right. This also has events being shown when a node is selected, or toggled.

The project was developed using NetBeans along with Apache Maven.

The project can be found on GitHub here: richfaces-tree

Note: The project has been moved to GitHub and has a couple of release versions.

• 1.0 - Initial Release using Java EE 6
• 1.2 - Updated functionality using Java EE 6
• 2.0 - Updated to RichFaces 4.5.14.Final and Java EE 7.

Code

TypedTreeNode.java

---

TreeNodesSequenceKeyModel.java

---

Article: How to get (almost) everything you ever wanted in one (not very) easy step

I finished reading the article How to get (almost) everything you ever wanted in one (not very) easy step by Richard Kennard in SD Times magazine. At first I thought it was going to go in a direction that I thought would be helpful for most developers who want to get involved in open source projects, or just become more involved in their respective development communities. My hope was quickly dashed. Don't get me wrong, the article is good, but most folks will not be able to take this approach. 

Richard's approach is to find something that you can turn in to a doctoral thesis, and work on your Ph.D. The article then covers how Richard did this himself.  Richard's passion is a project called Metawidget. This is a really cool technology. In fact it was so cool, that as part of the JavaOne paper selection committee I strongly recommended it. The committee agreed, and Richard gave a talk about it at JavaOne a couple of years ago.

I like Richard's passion about putting in the extra mile to get something accomplished for you, and the community. I just want to make sure that people don't get lost in the idea of a Ph.D. as a minimum level of commitment.

I have an email from Ed Burns the specification lead for JSF. He is asking for assistance with Javadoc updates. This is for JSR-344 JSF 2.2. This is an example of something where you can make a difference without a lot of personal time expense, and may provide the push to continue into bigger and better things.

I sure could use some help in bringing the new Javadoc 7 style to the generated portion of the JSF spec [1].  Can anyone from the Adopt-a-JSR program help me out here?  The task would be very hands-on, as the generated portion of the spec uses several different kinds of documents as its source inputs.
Ed
[1]https://javaee.github.io/javaserverfaces-spec/

It can be something simple like this that would make the difference for a lot of people. 

Obviously, I like to blog which does not require a lot of time. Here is my secret about blogging... I forget things. My blog is a reminder of how to do things that I figure out, and need every so often. I know it may sound funny, but I often Google for something and get my own blog. Other times, I blog about articles which I find interesting. Like this article.

If you want to participate in any project, or technology just ask. The smart project owners/leads will find a place in their project for you. Eventually, you may lead your own project.