date:20120209

[jira] [Resolved] (TOBAGO-1089) Examples: Update to Jetty 7 and cleanup

2012-02-09 Thread Udo Schnurpfeil (Resolved) (JIRA)


 [ 
https://issues.apache.org/jira/browse/TOBAGO-1089?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Udo Schnurpfeil resolved TOBAGO-1089.
-

   Resolution: Fixed
Fix Version/s: 1.5.3

I've updated Jetty to version 7.4.5.v20110725
Using higher versions has been failed, but I haven't checked it yet. 

 Examples: Update to Jetty 7 and cleanup
 ---

 Key: TOBAGO-1089
 URL: https://issues.apache.org/jira/browse/TOBAGO-1089
 Project: MyFaces Tobago
  Issue Type: Task
  Components: Demo
Affects Versions: 1.5.2
Reporter: Udo Schnurpfeil
Assignee: Udo Schnurpfeil
Priority: Trivial
 Fix For: 1.5.3


 The Maven configuration can be simplified.
 Configuring jetty in the example parent pom, so every example can use SSL.
 Also removing the seam example. Its not properly maintained and CDI is used 
 inside of the demo example.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Created] (TOBAGO-1091) Closing a Popup with defaultCommand=true will flush checkboxes on the page

2012-02-09 Thread Rainer Rohloff (Created) (JIRA)

Closing a Popup with defaultCommand=true will flush checkboxes on the page


 Key: TOBAGO-1091
 URL: https://issues.apache.org/jira/browse/TOBAGO-1091
 Project: MyFaces Tobago
  Issue Type: Bug
  Components: Core
Affects Versions: 1.0.37
Reporter: Rainer Rohloff


Closing a Popup with defaultCommand=true will flush checkboxes on the page

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

[SECURITY] CVE-2011-4367 Apache MyFaces information disclosure vulnerability

2012-02-09 Thread Leonardo Uribe


--

CVE-2011-4367: Apache MyFaces information disclosure vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
  MyFaces Core 2.0.1 to 2.0.11
  MyFaces Core 2.1.0 to 2.1.5
  Earlier versions are not affected

Description:

MyFaces JavaServer Faces (JSF) allows relative paths in the
javax.faces.resource 'ln' parameter or writing the url so the resource
name include '..' sequences . An attacker could use the security
vulnerability to view files that they should not be able to.

Mitigation:

Users of affected versions should apply one of the following mitigations:
MyFaces Core 2.0.x users should update to 2.0.12
MyFaces Core 2.1.x users should update to 2.1.6

Example:

In linux or similar systems:

http://hostname:port/context-root/faces/javax.faces.resource/web.xml?ln=../WEB-INF
http://hostname:port/context-root/faces/javax.faces.resource/../WEB-INF/web.xml

or in windows systems:

http://hostname:port/context-root/faces/javax.faces.resource/web.xml?ln=..\\WEB-INF
http://hostname:port/context-root/faces/javax.faces.resource/..\\WEB-INF/web.xml

The 'ln' parameter should not allow a relative path. In the above example
the contents of the web.xml are displayed in the response to the attacker.
The part of the url that derive the resource name should not allow '..' as
valid char sequence.

Credit: Issue reported by Paul Nicolucci thanks to the security team at IBM

References:

--

regards,

Leonardo Uribe

Re: PERF Discussion: Stateless JSF + HTML rendering

2012-02-09 Thread Leonardo Uribe

Some days ago Thomas Andraschko told on users list that he already
have a variant of this for MyFaces. Look the mail with subject:

Weird PlexusContainer object in ViewRoot

I think it is a good idea to put that code in myfaces commons or as an
extension (extensions/stateless-jsf ?). Since the license of the code
is ASL, it is possible to host it here. To make this possible I think
we should vote about create a module.

@Thomas: could you create an issue on myfaces issue tracker:

https://issues.apache.org/jira/browse/MYFACES

and attach the code you are working on, so the PMC can vote if it is
worth to create the subproject?

About performance of MyFaces code vs Mojarra: I think with the latest
changes MyFaces code looks very good. Yes, there is a lot of room from
improvement. I think it is possible to do things like trim spaces in
facelets compiler, remove !-- -- on the scripts (it is there because
very early versions of MyFaces do that), or optimize js rendering
using some myfaces specific code instead call javax.faces js api. But
note recent optimization in myfaces renderers has been improved its
base speed. If you exclude the javascript rendering part, MyFaces
renderers looks good.

I think we should let those optimizations for 2.2. The only thing left
to start working on that branch is reorganize shared modules (split
shared in two, cleanup and maybe create myfaces-impl-api submodule to
hold stuff like spi interfaces and other myfaces-impl api to be used
for integration points).

Right now, MyFaces 2.1.6 uses a lot less memory, and recent
improvements into its PSS algorithm has reduced the required state
size for views, making it very efficient.

regards,

Leonardo Uribe

2012/2/9 Werner Punz werner.p...@gmail.com:
Hia just a general discussion, regarding performance. One of the big
performance impacts is statefulness, now there has been a project

http://industrieit.com/blog/2011/11/stateless-jsf-high-performance-zero-per-request-memory-overhead/

This however is only for Mojarra, shouldnt we target something similar, one
day or the other it will be part of the spec, so targetting this early might
give the mojarra guys a push for going there also.

If you look at the numbers you can see there is a lot to gain by being able
to render pages stateless one way or the other.
I personally think in the typical extranet site, most pages are able to go
stateless and about 5-10% should be stateful, that way we could cover both.

Another performance issue I still have gripes with is the rendered code.
For a small page we on the average still have way more code rendered than
Mojarra, in some cases up to 40%. Which is a lot.

While we already did some work regarding our onclick event javascript calls,
there is still lots of room for optimization in our code.
For instance we render !-- -- with all linebreaks and spaces between link
and script tags intact.

Mojarra basically strips all unneeded stuff and renders only the script and
link tags without any blanks.

Werner

Re: PERF Discussion: Stateless JSF + HTML rendering

2012-02-09 Thread Kito Mann

Leonardo, does 2.0.6 share the same memory consumption improvements?
___

* Listen to the latest headlines in the JSF and Java EE newscast:
http://blogs.jsfcentral.com/roller/editorsdesk/category/JSF+and+Java+EE+Newscast
* Sign up for the JSFCentral newsletter: http://oi.vresp.com/?fid=ac048d0e17

On Thu, Feb 9, 2012 at 11:36 AM, Leonardo Uribe lu4...@gmail.com wrote:

Some days ago Thomas Andraschko told on users list that he already
have a variant of this for MyFaces. Look the mail with subject:

Weird PlexusContainer object in ViewRoot

@Thomas: could you create an issue on myfaces issue tracker:

https://issues.apache.org/jira/browse/MYFACES

and attach the code you are working on, so the PMC can vote if it is
worth to create the subproject?

Right now, MyFaces 2.1.6 uses a lot less memory, and recent
improvements into its PSS algorithm has reduced the required state
size for views, making it very efficient.

regards,

Leonardo Uribe

2012/2/9 Werner Punz werner.p...@gmail.com:
Hia just a general discussion, regarding performance. One of the big
performance impacts is statefulness, now there has been a project

http://industrieit.com/blog/2011/11/stateless-jsf-high-performance-zero-per-request-memory-overhead/

This however is only for Mojarra, shouldnt we target something similar,
one
day or the other it will be part of the spec, so targetting this early
might
give the mojarra guys a push for going there also.

If you look at the numbers you can see there is a lot to gain by being
able
to render pages stateless one way or the other.
I personally think in the typical extranet site, most pages are able to
go
stateless and about 5-10% should be stateful, that way we could cover
both.

Another performance issue I still have gripes with is the rendered code.
For a small page we on the average still have way more code rendered than
Mojarra, in some cases up to 40%. Which is a lot.

While we already did some work regarding our onclick event javascript
calls,
there is still lots of room for optimization in our code.
For instance we render !-- -- with all linebreaks and spaces between
link
and script tags intact.

Mojarra basically strips all unneeded stuff and renders only the script
and
link tags without any blanks.

Werner

Re: PERF Discussion: Stateless JSF + HTML rendering

2012-02-09 Thread Leonardo Uribe

Hi Kito

MyFaces Core 2.0.12 has the same improvements. All improvements done
has been applied on both branches, even if that means some overhead
associated. Compared with 2.0.11/2.1.5, the diference is significant.

regards,

Leonardo Uribe

2012/2/9 Kito Mann kito.m...@virtua.com:
Leonardo, does 2.0.6 share the same memory consumption improvements?
___

* Listen to the latest headlines in the JSF and Java EE
newscast: http://blogs.jsfcentral.com/roller/editorsdesk/category/JSF+and+Java+EE+Newscast
* Sign up for the JSFCentral newsletter: http://oi.vresp.com/?fid=ac048d0e17

On Thu, Feb 9, 2012 at 11:36 AM, Leonardo Uribe lu4...@gmail.com wrote:

Some days ago Thomas Andraschko told on users list that he already
have a variant of this for MyFaces. Look the mail with subject:

Weird PlexusContainer object in ViewRoot

@Thomas: could you create an issue on myfaces issue tracker:

https://issues.apache.org/jira/browse/MYFACES

and attach the code you are working on, so the PMC can vote if it is
worth to create the subproject?

Right now, MyFaces 2.1.6 uses a lot less memory, and recent
improvements into its PSS algorithm has reduced the required state
size for views, making it very efficient.

regards,

Leonardo Uribe

2012/2/9 Werner Punz werner.p...@gmail.com:
Hia just a general discussion, regarding performance. One of the big
performance impacts is statefulness, now there has been a project

http://industrieit.com/blog/2011/11/stateless-jsf-high-performance-zero-per-request-memory-overhead/

This however is only for Mojarra, shouldnt we target something similar,
one
day or the other it will be part of the spec, so targetting this early
might
give the mojarra guys a push for going there also.

If you look at the numbers you can see there is a lot to gain by being
able
to render pages stateless one way or the other.
I personally think in the typical extranet site, most pages are able to
go
stateless and about 5-10% should be stateful, that way we could cover
both.

Another performance issue I still have gripes with is the rendered code.
For a small page we on the average still have way more code rendered
than
Mojarra, in some cases up to 40%. Which is a lot.

While we already did some work regarding our onclick event javascript
calls,
there is still lots of room for optimization in our code.
For instance we render !-- -- with all linebreaks and spaces between
link
and script tags intact.

Mojarra basically strips all unneeded stuff and renders only the script
and
link tags without any blanks.

Werner

Re: PERF Discussion: Stateless JSF + HTML rendering

2012-02-09 Thread Kito Mann

Hello Leonardo,

That's great to hear. I'll have to try out the new release :-).

___

On Thu, Feb 9, 2012 at 11:56 AM, Leonardo Uribe lu4...@gmail.com wrote:

Hi Kito

regards,

Leonardo Uribe

2012/2/9 Kito Mann kito.m...@virtua.com:
Leonardo, does 2.0.6 share the same memory consumption improvements?
___

* Listen to the latest headlines in the JSF and Java EE
newscast:
http://blogs.jsfcentral.com/roller/editorsdesk/category/JSF+and+Java+EE+Newscast
* Sign up for the JSFCentral newsletter:
http://oi.vresp.com/?fid=ac048d0e17

On Thu, Feb 9, 2012 at 11:36 AM, Leonardo Uribe lu4...@gmail.com
wrote:

Some days ago Thomas Andraschko told on users list that he already
have a variant of this for MyFaces. Look the mail with subject:

Weird PlexusContainer object in ViewRoot

@Thomas: could you create an issue on myfaces issue tracker:

https://issues.apache.org/jira/browse/MYFACES

and attach the code you are working on, so the PMC can vote if it is
worth to create the subproject?

Right now, MyFaces 2.1.6 uses a lot less memory, and recent
improvements into its PSS algorithm has reduced the required state
size for views, making it very efficient.

regards,

Leonardo Uribe

2012/2/9 Werner Punz werner.p...@gmail.com:
Hia just a general discussion, regarding performance. One of the big
performance impacts is statefulness, now there has been a project

http://industrieit.com/blog/2011/11/stateless-jsf-high-performance-zero-per-request-memory-overhead/

This however is only for Mojarra, shouldnt we target something
similar,
one
day or the other it will be part of the spec, so targetting this early
might
give the mojarra guys a push for going there also.

If you look at the numbers you can see there is a lot to gain by being
able
to render pages stateless one way or the other.
I personally think in the typical extranet site, most pages are able
to
go
stateless and about 5-10% should be stateful, that way we could cover
both.

Another performance issue I still have gripes with is the rendered
code.
For a small page we on the average still have way more code rendered
than
Mojarra, in some cases up to 40%. Which is a lot.

While we already did some work regarding our onclick event javascript
calls,
there is still lots of room for optimization in our code.
For instance we render !-- -- with all linebreaks and spaces between
link
and script tags intact.

Mojarra basically strips all unneeded stuff and renders only the
script
and
link tags without any blanks.

Werner

Re: PERF Discussion: Stateless JSF + HTML rendering

2012-02-09 Thread Werner Punz

+1 Stateless definitely should be part of the codebase, I would not opt
for an extension more for an integrated feature here.

Extensions are so so, because they always are a little bit behind the core.

As for !-- -- Martin Koci told me, that removal code already is in, it
is just not enabled per default due to legacy browser support.

(you can turn it on via
context-param

param-nameorg.apache.myfaces.WRAP_SCRIPT_CONTENT_WITH_XML_COMMENT_TAG/param-name
param-valuefalse/param-value
/context-param
)
We probably should rethink if we already safely can make this our
default since some legacy browsers no can be considered safe not to be
supported anymore (ie 5.5 for instance and ie6 is slowly on its way out
except for Asia)

Werner

Am 09.02.12 17:36, schrieb Leonardo Uribe:

Some days ago Thomas Andraschko told on users list that he already
have a variant of this for MyFaces. Look the mail with subject:

Weird PlexusContainer object in ViewRoot

@Thomas: could you create an issue on myfaces issue tracker:

https://issues.apache.org/jira/browse/MYFACES

and attach the code you are working on, so the PMC can vote if it is
worth to create the subproject?

About performance of MyFaces code vs Mojarra: I think with the latest
changes MyFaces code looks very good. Yes, there is a lot of room from
improvement. I think it is possible to do things like trim spaces in
facelets compiler, remove!-- -- on the scripts (it is there because
very early versions of MyFaces do that), or optimize js rendering
using some myfaces specific code instead call javax.faces js api. But
note recent optimization in myfaces renderers has been improved its
base speed. If you exclude the javascript rendering part, MyFaces
renderers looks good.

Right now, MyFaces 2.1.6 uses a lot less memory, and recent
improvements into its PSS algorithm has reduced the required state
size for views, making it very efficient.

regards,

Leonardo Uribe

2012/2/9 Werner Punzwerner.p...@gmail.com:

Hia just a general discussion, regarding performance. One of the big
performance impacts is statefulness, now there has been a project

http://industrieit.com/blog/2011/11/stateless-jsf-high-performance-zero-per-request-memory-overhead/

Another performance issue I still have gripes with is the rendered code.
For a small page we on the average still have way more code rendered than
Mojarra, in some cases up to 40%. Which is a lot.

While we already did some work regarding our onclick event javascript calls,
there is still lots of room for optimization in our code.
For instance we render!-- -- with all linebreaks and spaces between link
and script tags intact.

Mojarra basically strips all unneeded stuff and renders only the script and
link tags without any blanks.

Werner

[jira] [Resolved] (TOBAGO-1089) Examples: Update to Jetty 7 and cleanup

[jira] [Created] (TOBAGO-1091) Closing a Popup with defaultCommand=true will flush checkboxes on the page

[SECURITY] CVE-2011-4367 Apache MyFaces information disclosure vulnerability

Re: PERF Discussion: Stateless JSF + HTML rendering

Re: PERF Discussion: Stateless JSF + HTML rendering

Re: PERF Discussion: Stateless JSF + HTML rendering

Re: PERF Discussion: Stateless JSF + HTML rendering

Re: PERF Discussion: Stateless JSF + HTML rendering

8 matches

Site Navigation

Mail list logo

Footer information