UnsupportedOperationException in ExternalContext#isSecure when trying to set flash cookie

[javaserverfaces]

Since Mojarra 2.1.24, the ELFlash class calls isSecure() on the external context in order to determine whether the secure property should be set on the cookie (#2914). This call leads to an UnsupportedOperationException if the application extends ExternalContextWrapper without overriding the isSecure method. The isSecure method should have been defined in the wrapper class, which has been fixed in JSF 2.2.

This problem has already been fixed in the MOJARRA_2_1X_ROLLING branch, but I can only find the SVN commit, not a JIRA issue. The commit, which has been done on June 12th, 2014, refers to "bug18611757" (which I cannot find on the web).

I created this issue so that the bug will be visible in JIRA, with the correct fix version (I guess 2.1.30), and so that it will be mentioned in the release notes.

Affected Versions

[2.1.29]

[javaserverfaces]

Reported by marcelk

[javaserverfaces]

Issue-Links:
is related to
JAVASERVERFACES-3534
JAVASERVERFACES-3533

[javaserverfaces]

@edburns said:
Hello Marcel,

I wish I could give you a "best JIRA sleuthing" award because that is some fantastic research. Your observation is a symptom of a process problem Manfred and I have since fixed. Henceforth, all bug fixes that originate from the bugs filed in the Oracle internal bug tracker will have corresponding JIRA issues. Witness #3489, which I am working on now.

[javaserverfaces]

@edburns said:
From 2014-06-12:

Committed to branches/MOJARRA_2_1X_ROLLING:

SECTION: Modified Files

M jsf-ri/src/main/java/com/sun/faces/context/flash/ELFlash.java

• In setCookie() account for a problem introduced in 2.1 (fixed in 2.2):

In 2.1 we added ExternalContext.isSecure() but neglected to add
ExternalContextWrapper.isSecure(). Thus, parties that wrap
ExternalContext, yet fail to override isSecure() (and
setSessionMaxInterval() (also fixed in 2.2)) will get an
UnsupportedOperationException without this fix.

The fix is to inspect the return from ExternalContext.getRequest().
If it is a ServletRequest, just go ahead and call isSecure(). If not,
only call ExternalContext.isSecure() if the ExternalContext is not
wrapped.

A test/agnostic/flash/wrappedExtContext
A test/agnostic/flash/wrappedExtContext/nbactions.xml
A test/agnostic/flash/wrappedExtContext/src
A test/agnostic/flash/wrappedExtContext/src/test
A test/agnostic/flash/wrappedExtContext/src/test/java
A test/agnostic/flash/wrappedExtContext/src/test/java/com
A test/agnostic/flash/wrappedExtContext/src/test/java/com/sun
A test/agnostic/flash/wrappedExtContext/src/test/java/com/sun/faces
A
test/agnostic/flash/wrappedExtContext/src/test/java/com/sun/faces/test
A
test/agnostic/flash/wrappedExtContext/src/test/java/com/sun/faces/test/agnostic
A
test/agnostic/flash/wrappedExtContext/src/test/java/com/sun/faces/test/agnostic/flash
A
test/agnostic/flash/wrappedExtContext/src/test/java/com/sun/faces/test/agnostic/flash/wrappedExtContext
A
test/agnostic/flash/wrappedExtContext/src/test/java/com/sun/faces/test/agnostic/flash/wrappedExtContext/Issue18611757IT.java
A test/agnostic/flash/wrappedExtContext/src/main
A test/agnostic/flash/wrappedExtContext/src/main/resources
A test/agnostic/flash/wrappedExtContext/src/main/webapp
A test/agnostic/flash/wrappedExtContext/src/main/webapp/first.xhtml
A test/agnostic/flash/wrappedExtContext/src/main/webapp/second.xhtml
A test/agnostic/flash/wrappedExtContext/src/main/webapp/WEB-INF
A test/agnostic/flash/wrappedExtContext/src/main/webapp/WEB-INF/web.xml
A
test/agnostic/flash/wrappedExtContext/src/main/webapp/WEB-INF/glassfish-web.xml
A
test/agnostic/flash/wrappedExtContext/src/main/webapp/WEB-INF/faces-config.xml

A test/agnostic/flash/wrappedExtContext/src/main/java
A test/agnostic/flash/wrappedExtContext/src/main/java/cic1440b
A
test/agnostic/flash/wrappedExtContext/src/main/java/cic1440b/MyPortletRequest.
java
A
test/agnostic/flash/wrappedExtContext/src/main/java/cic1440b/MyExternalContext.java
A
test/agnostic/flash/wrappedExtContext/src/main/java/cic1440b/Cic1440bBean.java

A
test/agnostic/flash/wrappedExtContext/src/main/java/cic1440b/MyExternalContextFactory.java
A test/agnostic/flash/wrappedExtContext/pom.xml
M test/agnostic/flash/pom.xml

• New test. Way more work than the actual fix, but necessary on such an
  old code line.
  Sending jsf-ri/src/main/java/com/sun/faces/context/flash/ELFlash.java
  Sending test/agnostic/flash/pom.xml
  Adding test/agnostic/flash/wrappedExtContext
  Adding test/agnostic/flash/wrappedExtContext/nbactions.xml
  Adding test/agnostic/flash/wrappedExtContext/pom.xml
  Adding test/agnostic/flash/wrappedExtContext/src
  Adding test/agnostic/flash/wrappedExtContext/src/main
  Adding test/agnostic/flash/wrappedExtContext/src/main/java
  Adding test/agnostic/flash/wrappedExtContext/src/main/java/cic1440b
  Adding
  test/agnostic/flash/wrappedExtContext/src/main/java/cic1440b/Cic1440bBean.java

Adding
test/agnostic/flash/wrappedExtContext/src/main/java/cic1440b/MyExternalContext.java
Adding
test/agnostic/flash/wrappedExtContext/src/main/java/cic1440b/MyExternalContextFactory.java
Adding
test/agnostic/flash/wrappedExtContext/src/main/java/cic1440b/MyPortletRequest.
java
Adding test/agnostic/flash/wrappedExtContext/src/main/resources
Adding test/agnostic/flash/wrappedExtContext/src/main/webapp
Adding test/agnostic/flash/wrappedExtContext/src/main/webapp/WEB-INF
Adding
test/agnostic/flash/wrappedExtContext/src/main/webapp/WEB-INF/faces-config.xml

Adding
test/agnostic/flash/wrappedExtContext/src/main/webapp/WEB-INF/glassfish-web.xml
Adding
test/agnostic/flash/wrappedExtContext/src/main/webapp/WEB-INF/web.xml
Adding
test/agnostic/flash/wrappedExtContext/src/main/webapp/first.xhtmlAdding
test/agnostic/flash/wrappedExtContext/src/main/webapp/second.xhtml
Adding test/agnostic/flash/wrappedExtContext/src/test
Adding test/agnostic/flash/wrappedExtContext/src/test/java
Adding test/agnostic/flash/wrappedExtContext/src/test/java/com
Adding test/agnostic/flash/wrappedExtContext/src/test/java/com/sun
Adding
test/agnostic/flash/wrappedExtContext/src/test/java/com/sun/facesAdding
test/agnostic/flash/wrappedExtContext/src/test/java/com/sun/faces/test
Adding
test/agnostic/flash/wrappedExtContext/src/test/java/com/sun/faces/test/agnostic
Adding
test/agnostic/flash/wrappedExtContext/src/test/java/com/sun/faces/test/agnostic/flash
Adding
test/agnostic/flash/wrappedExtContext/src/test/java/com/sun/faces/test/agnostic/flash/wrappedExtContext
Adding
test/agnostic/flash/wrappedExtContext/src/test/java/com/sun/faces/test/agnostic/flash/wrappedExtContext/Issue18611757IT.java
Transmitting file data ..............
Committed revision 13370.

[javaserverfaces]

@edburns said:
Confirmed that as of today this fix is still on the 2.1.x branch and so it did go into 2.1.29, which released after the fix was committed.

[javaserverfaces]

Marked as fixed on Wednesday, November 19th 2014, 7:05:44 am

[javaserverfaces]

@edburns said:
Result of researching the branches that received this fix:

The fix is on 2.1.x.

The fix is not on the trunk.

The fix is not on 2.2.x.

The fix is not on branches/2.1.20.

The fix is not on branches/2.2.8.

[javaserverfaces]

marcelk said:
Thanks! Good to hear that all internally registrated bugs will be linked to JIRA issues.

By the way, I'm surprised that this fix will be ported to the trunk and to the 2.2.x. In JSF 2.2, the wrapper class has an implementation of isSecure, so I would think that this problem doesn't exist in JSF 2.2 and higher.

[javaserverfaces]

This issue was imported from java.net JIRA JAVASERVERFACES-3531