[ https://issues.apache.org/jira/browse/MYFACES-4180?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16313064#comment-16313064 ]
Paul Nicolucci commented on MYFACES-4180: ----------------------------------------- There are three methods for getting views: 1) ResourceHandler.getViewResources(...) -> This uses the ResourceVisitOptions and we can determine to return meta-inf/web-inf depending on the value. 2) ViewHandler.getViews(...) -> This just calls through to ViewDeclarationLanguage.getViews(...): {code:java} Override public Stream<String> getViews(FacesContext facesContext, String path, int maxDepth, ViewVisitOption... options) { Stream concatenatedStream = null; for (ViewDeclarationLanguage vdl : _vdlFactory.getAllViewDeclarationLanguages()) { Stream stream = vdl.getViews(facesContext, path, maxDepth, options); if (concatenatedStream == null) { concatenatedStream = stream; } else { concatenatedStream = Stream.concat(concatenatedStream, stream); } } return concatenatedStream == null ? Stream.empty() : concatenatedStream; {code} 3) ViewDeclarationLanguage.getViews(...) -> This calls through to the ResourceHandler.getViewResources(...) and passes TOP_LEVEL_VIEWS_ONLY which with our fix will prevent views within meta-inf/web-inf from being returned. {code:java} /** * * @since 2.3 * @param facesContext * @param path * @param maxDepth * @param options * @return */ public Stream<java.lang.String> getViews(FacesContext facesContext, String path, int maxDepth, ViewVisitOption... options) { // Here by default we follow what spec javadoc says // "...This method works as if invoking it were equivalent to evaluating the expression: // getViewResources(facesContext, start, Integer.MAX_VALUE, options) ..." // The problem here is ViewVisitOption != ResourceVisitOption. But whatever return // getViews must always have TOP_LEVEL_VIEWS_ONLY, because otherwise it will return // everything (css, js, ...). There is ViewVisitOption.RETURN_AS_MINIMAL_IMPLICIT_OUTCOME, // but this is a filter on top of the stream. return facesContext.getApplication().getResourceHandler().getViewResources( facesContext, path, maxDepth, ResourceVisitOption.TOP_LEVEL_VIEWS_ONLY); {code} So in summary I think we are ok here. We can only get to web-inf/meta-inf if we call ResourceHandler.getViewResources and don't pass in the TOP_LEVEL_VIEWS_ONLY parameter. This as far as I can tell is the same behavior that is on Mojarra. > ResourceVisitOption.TOP_LEVEL_VIEWS_ONLY behavior different between MyFaces > and Mojarra > --------------------------------------------------------------------------------------- > > Key: MYFACES-4180 > URL: https://issues.apache.org/jira/browse/MYFACES-4180 > Project: MyFaces Core > Issue Type: Bug > Components: JSR-372 > Affects Versions: 2.3.0-beta > Reporter: Paul Nicolucci > Assignee: Paul Nicolucci > Fix For: 2.3.0 > > Attachments: MYFACES-4180.patch > > > See the following dev discussion: > http://mail-archives.apache.org/mod_mbox/myfaces-dev/201711.mbox/%3cof507ae5dc.a54b3314-on002581db.006603e5-852581db.00680...@notes.na.collabserv.com%3e > We need to determine what updates we want to make here and how best to make > them. -- This message was sent by Atlassian JIRA (v6.4.14#64029)