Skip to content

Faces issue 1590 improvements after testing in 4.0 and 4.1#5718

Merged
BalusC merged 23 commits intomasterfrom
faces_issue_1590_improvements_after_testing_in_4.0_and_4.1
Apr 28, 2026
Merged

Faces issue 1590 improvements after testing in 4.0 and 4.1#5718
BalusC merged 23 commits intomasterfrom
faces_issue_1590_improvements_after_testing_in_4.0_and_4.1

Conversation

@BalusC
Copy link
Copy Markdown
Contributor

@BalusC BalusC commented Apr 28, 2026
edited
Loading

Merge #5717 from 4.1 into 5.0.

Basically a round of jakartaee/faces#1590 hardening for issues discovered during #5606 in 4.0 branch.

cc: @jasondlee

jasondlee and others added 20 commits April 21, 2026 16:39
@jasondlee
Backport of CSP-related changes
d15db8a 
Backport from several Mojarra 5 commits
Backport Faces 5 TCK test of CSP for coverage in 4.0
@BalusC
Have Claude sync to Faces API 5.0 and Mojarra master branches and catch
d890b5a 
up inconsistencies in the backport
@BalusC
Sync Spec1590IT as well
d6c7cb3
@BalusC
Revert API changes and keep CSP impl-specific (with help of Claude)
de6c62d
@BalusC
Add missing backports from 4241c65 and 082789b with help of Claude;
46a1be8 
This change ensures that generated script elements are not rendered
nested inside the element but only after the element as nested script
elements violate html spec in case of <a> and <input> elements
@BalusC
Merge pull request #5606 from jasondlee/csp
3e498a4 
Backport of CSP-related changes
@BalusC
Merge #5606 from 4.0 into 4.1
54720bd
@mojarra-bot
Prepare release org.glassfish:mojarra-parent:4.0.16
146fe1e
@mojarra-bot
Prepare next development cycle for 4.0.17-SNAPSHOT
215b3fd
@BalusC
Cherrypicked 32c4302 from 5.0: Fixed `ReferenceError: "mojarra" is not
8c499b5 
defined` in corner case when mojarra.ael script needs to be rendered in
empty page without h:head/h:form/f:ajax
@BalusC
Merge pull request #5715 from eclipse-ee4j/4.0.16
8062aff 
4.0.16 has been released
@BalusC
Fixed ReferenceError: "mojarra" is not defined in corner case when
902948b 
mojarra.ael script needs to be rendered in empty page without
h:head/h:form/f:ajax
@BalusC
Merge remote-tracking branch 'origin/4.0' into 4.1
dee5ea9
@BalusC
Fix #5606: Restore YUI Compressor because 4.0 TCK still uses HtmlUnit
7ee6f74 
which doesn't at all like ES6; rewrite faces-uncompressed.js to not
anymore use ES6 specific syntax so YUI Compressor can digest it; fix
backport regression in runStylesheets (2 lines were dropped?) and ensure
this is covered by faces.ajax.test.ts
@BalusC
Fix #5606: the h:commandLink script must be rendered AFTER end tag
790f631
@BalusC
Fix #5606: shouldWriteIdAttribute should always be true for UICommand
61bb884
@BalusC
Fix #5606: render="@ALL" must also run CSP scripts
846f274
@BalusC
Fix #5606: this one is a real Mojarra bug which only surfaced after CSP
09efd70 
backport, below is Claude's observation:

Under server-side state saving, ServerSideStateHelper.writeState calls
externalContext.getSession(true) at WriteBehindStateWriter.flushToWriter
time. If the rendered output already exceeds the response buffer (e.g.
the CSP backport in 4.0.17 emits an extra
<script>mojarra.ael(...)</script> per command, roughly doubling per-link
bytes), the response is committed before flushToWriter runs,
getSession(true) then fails with `IllegalStateException: Cannot create a
session after the response has been committed`, aborting the render
mid-form, so </form> and the jakarta.faces.ViewState hidden input never
reach the client.

FaceletViewHandlingStrategy already had a pre-render getSession() guard
for exactly this reason, but it was strict-equality on
STATE_SAVING_METHOD_SERVER, which disagreed with the helper-selection
rule in ResponseStateManagerImpl (anything not
STATE_SAVING_METHOD_CLIENT → ServerSideStateHelper). Configurations
where STATE_SAVING_METHOD is unset or contains an unresolved placeholder
(e.g. ${webapp.stateSavingMethod}) silently used the server helper but
skipped the pre-create.

Fix isServerStateSaving() to mirror the helper-selection rule
(!STATE_SAVING_METHOD_CLIENT.equalsIgnoreCase(...)), and tighten the
pre-create to only fire when actually needed: non-transient view, no
existing session, server-side state saving, and the view contains at
least one UIForm (verified via a short-circuit visitTree). This avoids
gratuitous session creation for plain pages that have no form and would
not write state anyway, which previously caused JSESSIONID URL rewriting
side-effects.

Fixes Issue1817IT regression introduced by the CSP backport.
@BalusC
Fix #5606: Merge branch 'make_sure_csp_backport_passes_the_4.0_tck' into
8700308 
'make_sure_csp_backport_passes_the_4.1_tck'
@BalusC
Merge branch 'make_sure_csp_backport_passes_the_4.1_tck' into
8f535c1 
'faces_issue_1590_improvements_after_testing_in_4.0_and_4.1'
@BalusC BalusC requested a review from arjantijms April 28, 2026 14:59
@BalusC BalusC mentioned this pull request Apr 28, 2026
Merged
BalusC added 3 commits April 28, 2026 11:27
@BalusC
Fix a couple of failing tests caused by change in doEval after CSP
04d82a8 
backport; Closure Compiler needs to be explicitly instructed to emit
ES5-compatible faces.js
@BalusC
Merge branch 'make_sure_csp_backport_passes_the_4.1_tck' into
bdd358e 
faces_issue_1590_improvements_after_testing_in_4.0_and_4.1
@BalusC
Backport faces-uncompressed.js improvements done during 4.1
16b1d64
@BalusC BalusC merged commit 1f7e843 into master Apr 28, 2026
3 checks passed
@BalusC BalusC deleted the faces_issue_1590_improvements_after_testing_in_4.0_and_4.1 branch April 28, 2026 16:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jasondlee jasondlee jasondlee approved these changes

@arjantijms arjantijms Awaiting requested review from arjantijms

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@BalusC @jasondlee @mojarra-bot