eclipse-ee4j / mojarra

Mojarra, a Jakarta Faces implementation

jakarta.faces.ViewState as GET parameter #5444

Closed pizzi80 closed 1 month ago

pizzi80 commented 1 month ago

Describe the bug

The jakarta.faces.ViewState value is evaluated from GET parameters.

Is it a spec requirement?

Can we make some check to avoid exceptions and ViewExpiredException?

To Reproduce

Exception
https://showcase.omnifaces.org/?jakarta.faces.ViewState=1
https://showcase.omnifaces.org/?jakarta.faces.ViewState=-1
https://showcase.omnifaces.org/?jakarta.faces.ViewState=1234

ViewExpired
https://showcase.omnifaces.org/?jakarta.faces.ViewState=
https://showcase.omnifaces.org/?jakarta.faces.ViewState=1234:

Expected behavior

Do not process jakarta.faces.ViewState as a GET parameter, or avoid exceptions ...

tandraschko commented 1 month ago

In general, RestoreViewPhase should be skipped on a GET request, right?

BalusC commented 1 month ago

The spec doesn't restrict it to a particular HTTP request method: https://jakarta.ee/specifications/platform/10/apidocs/jakarta/faces/render/responsestatemanager#isPostback(jakarta.faces.context.FacesContext)

I think this was a smart move of the initial spec authors and that the observed ViewExpiredExceptions on GET or whatever other request method need to be dealt with separately. We can at most fix the StringIndexOutOfBoundsException in Mojarra's state manager, as this can indeed be considered a bug.
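
An added example, not part of the thread and not Mojarra's code: a defensive parse of a state identifier taken from a request parameter, run over the parameter values from the report, beside a naive split that throws on a missing separator. The `<logicalId>:<actualId>` shape, the class and method names, and the 128-character cap are assumptions made for illustration; the output is not a model of what Mojarra returns for each value.

```java
import java.util.List;
import java.util.Optional;

public class ViewStateIdCheck {

    // Assumed shape of a server-side state id: "<logicalId>:<actualId>".
    record StateId(String logicalId, String actualId) {}

    // Naive split: substring(0, -1) throws StringIndexOutOfBoundsException
    // when the request value contains no ':' separator.
    static StateId naiveParse(String raw) {
        int sep = raw.indexOf(':');
        return new StateId(raw.substring(0, sep), raw.substring(sep + 1));
    }

    // Defensive split: any malformed value yields Optional.empty(), so the
    // caller can report "no restorable view" instead of failing with a 500.
    static Optional<StateId> safeParse(String raw) {
        if (raw == null || raw.length() > 128) {   // length cap is an arbitrary choice
            return Optional.empty();
        }
        int sep = raw.indexOf(':');
        // Reject a missing separator, an empty half, or more than one separator.
        if (sep <= 0 || sep == raw.length() - 1 || raw.indexOf(':', sep + 1) != -1) {
            return Optional.empty();
        }
        return Optional.of(new StateId(raw.substring(0, sep), raw.substring(sep + 1)));
    }

    public static void main(String[] args) {
        // Values from the URLs in the report, plus one constructed well-formed value.
        List<String> samples = List.of("1", "-1", "1234", "", "1234:", "-12345:67890");
        for (String s : samples) {
            String naive;
            try {
                naive = naiveParse(s).toString();
            } catch (StringIndexOutOfBoundsException e) {
                naive = "StringIndexOutOfBoundsException";
            }
            System.out.printf("%-14s naive=%-55s safe=%s%n", '"' + s + '"', naive, safeParse(s));
        }
    }
}
```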