Passing additional params with <f:param/> to a <sf:commandLink/> does not work without javascript. [SWF-1318]

[spring-operator]

Sven Helmberger opened SWF-1318 and commented

The booking-faces example shows a way to pass additional parameters to an

in the file booking-faces/src/main/webapp/WEB-INF/flows/main/reviewHotels.xhtml:

This parameter is accessed in the accompanying flow at with booking-faces/src/main/webapp/WEB-INF/flows/main/main.xml \ \ \ \ The code rendered from above commandLink is \City, State\ \ \ which leads to a normal button being rendered without javascript that of course does not set any additional request parameters. So the request parameter is null without javascript and is inserted into a HSQL ORDER BY clause which leads to the HSQL exception org.hibernate.QueryException: could not resolve property: null of: org.springframework.webflow.samples.booking.Hotel [select h from org.springframework.webflow.samples.booking.Hotel h where lower(h.name) like '%' or lower(h.city) like '%' or lower(h.zip) like '%' or lower(h.address) like '%' order by h.null] (is there also a potential HSQL injection vulnerability here? I can't see a way to exploit that yet, but it is possible to inject arbitrary content into the HSQL statement) This issue seems to be very difficult to fix as there is no simple way to make this work. The button needs to use its own clientId for the JSF engine to resolve the correct action / transition. The only way I currently see is to retrieve the parameter name and value from the JSF component tree and offer another way to access it besides ${requestParameters.paramName} The bug is prioritized as critical because the "Must work without javascript" requirements for public sector projects in Germany. --- **Issue Links:** - #535 Implement the sort functionality in booking-faces sample in a degradable manner

[spring-operator]

Jeremy Grelle commented

Yes, this is a known problem, that there is no way for to work without JavaScript. A number of approaches have been considered, but as you suggest, none of them are quite sufficient because you end up losing the ability to bind to the parameters using a "#{requestParameters.paramName}" style expression. We will continue to search for ways to address this.

This does point to another issue, that where we are using in the above example, we probably could implement this in a properly degradable way through a combination of and if we were to interpret an eventId request parameter the way we do with Spring MVC requests. I have opened a separate issue (SWF-891) to address this in the short term.

[spring-operator]

Sven Helmberger commented

For now we are using a special ActionListener. It finds all chilren of the source component and stores them as a map in the flashScope.

[spring-operator]

Christoph commented

Hi Sven,

could you please explain to me how you solved the problem, using an ActionListener? I'm working for a german institute and we are planing to use SWF + Facelets for our new project, but with links only working with javascript enabled we will not be able to use it :( We tried for 3 full days now, to get the parameters into our requestcontext but didn't succeed at all.

Thanks in advance, Christoph

[spring-operator]

Sven Helmberger commented

It goes something like this:

public class MyActionListener implements javax.faces.event.ActionListener { private ActionListener delegate;

public MyActionListener(ActionListener delegate)
{
    this.delegate = delegate;
}

public void processAction(ActionEvent event) throws AbortProcessingException
{
    UIComponent component = event.getComponent();

    Map<String,Object> map = new HashMap<String, Object>();

    for (UIComponent child : component.getChildren())
    {
        if (child instanceof UIParameter)
        {
            UIParameter param = (UIParameter)child;
            map.put(param.getName(), param.getValue());
        }
    }

    // map now contains all params below to source component

    delegate.processAction(event);
}

}

[spring-operator]

Sven Helmberger commented

my company is currently preparing the release of an open source framework called OpenSAGA (named after the SAGA standard of the german federal government). It will be avaiable in early 2010. Details via email ( thomas dot biskup at quinscape dot de )