Return-Path: 
 <deltaspike-dev-return-4395-apmail-incubator-deltaspike-dev-archive=incubator.apache.org@incubator.apache.org>
X-Original-To: apmail-incubator-deltaspike-dev-archive@minotaur.apache.org
Delivered-To: apmail-incubator-deltaspike-dev-archive@minotaur.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 35702F31B
	for <apmail-incubator-deltaspike-dev-archive@minotaur.apache.org>;
 Wed, 24 Apr 2013 07:55:41 +0000 (UTC)
Received: (qmail 35446 invoked by uid 500); 24 Apr 2013 07:55:40 -0000
Delivered-To: apmail-incubator-deltaspike-dev-archive@incubator.apache.org
Received: (qmail 35206 invoked by uid 500); 24 Apr 2013 07:55:35 -0000
Mailing-List: contact deltaspike-dev-help@incubator.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:deltaspike-dev-help@incubator.apache.org>
List-Unsubscribe: <mailto:deltaspike-dev-unsubscribe@incubator.apache.org>
List-Post: <mailto:deltaspike-dev@incubator.apache.org>
List-Id: <deltaspike-dev.incubator.apache.org>
Reply-To: deltaspike-dev@incubator.apache.org
Delivered-To: mailing list deltaspike-dev@incubator.apache.org
Received: (qmail 35161 invoked by uid 99); 24 Apr 2013 07:55:33 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 24 Apr 2013 07:55:33 +0000
X-ASF-Spam-Status: No, hits=0.0 required=5.0
	tests=RCVD_IN_DNSWL_NONE
X-Spam-Check-By: apache.org
Received-SPF: error (athena.apache.org: local policy)
Received: from [212.82.109.132] (HELO nm25.bullet.mail.ird.yahoo.com)
 (212.82.109.132)
    by apache.org (qpsmtpd/0.29) with SMTP; Wed, 24 Apr 2013 07:55:28 +0000
Received: from [77.238.189.50] by nm25.bullet.mail.ird.yahoo.com with NNFMP;
 24 Apr 2013 07:54:46 -0000
Received: from [212.82.98.109] by tm3.bullet.mail.ird.yahoo.com with NNFMP;
 24 Apr 2013 07:54:46 -0000
Received: from [127.0.0.1] by omp1046.mail.ir2.yahoo.com with NNFMP;
 24 Apr 2013 07:54:46 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 876339.26710.bm@omp1046.mail.ir2.yahoo.com
Received: (qmail 46031 invoked by uid 60001); 24 Apr 2013 07:54:46 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.de; s=s1024;
 t=1366790086; bh=/qVKwdpM9H7MO7vBC6frokxR/+rS5dKDOsAwJM7rBA4=;
 h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding;
 b=yE2elHIFus8dZqYCjmZg/u77146GEL5KvWyH9Ri7io/ykAI0a394YIQD/ygHnh8chWGLuysDdRDVvjM3OOwS6XW7Fo0y4RQDc9fg18vKQpTWxCHSxGMX520JJP41TaKRcUWe4X4Fua9GNkRRcstbpT5EMUw1p5Q3oTrYKONsk/E=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.de;
  h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding;
  b=k8fijiLUR60fyzU9IEiq0rJbpSvr1NePNESCxlGclfA1Huk/5UUo8pGneZWuIWHcI/1/OjLLfdzaFWMYbx84fwgT1Dc7fmHuAHTrwO1e6cFZw6xHJXbKgmQR33MaUwJrhJex+4R8xjyc++6FrZQdt+aCZrz4z9YQl+R0IWI/OWc=;
X-YMail-OSG: 5mz_ickVM1l3UUws8lVV2RgxL5jx9fngfJ_G6hHGNIGJ2SV
 PqLQ70s_Otu3QsMr2KRfYBc5XhN1mMLg1WhBdiY_Sf0FaDyRTYtk1oUf2pmh
 _CwI5xezEjeparjTcqwbqmLcwq8IWbFDjyAwHoHeJAiiqcYRzZuAmr8HvE8L
 fFVwhoIjVIGywGGgHEUZo58fSn613FeQ9lx_olfI0khnrsy8B.hhQfTe0Qxp
 CUPhefkftyZgFMsuyZ0_lQ4QyHBKVbiC5x_t_tECMMe2mefnFeXHG_JJ5zNy
 SReAzJKRUo_IaG3h7RLqdO0urOTrhfyj26_odxhK9aO.cd7lccN9LJ6qNh4l
 DYFNUnsDMbSx_eAU4Hk3E6DrU2YG1vZL4Q28zS5TF_fgLz87rPfhWGz08jb0
 aUyWLx5RP.WKmlQc_O_EfnK9GSBFhCKPpxzn1uNCBUwqoDF60AvaT4lgJ4iD
 .KAmIPFe_lb5wtgK7nFgny2DEVKdpb7M3x9pns0YE25XssaWIBdDbG6svHOY
 xIr0eYVZ6LXPuk0w8ytsYAw3Y1C__ZOnHsyNFLE_UvXBh2y691hi8TjBcv38
 crpRgGcXD3k3R_VaEBdczPyqEZi8kCzciQ9im1jJLtAwqLzV5J2DwaZlGWZ1
 AmP20P62uVZVt.xwOwdKrtnd0zFrvbeHpyyQh6aVngri9h.ub3lFB.b3KmAI
 AvtiLw3apQR5jPET_BUqLYeTQ5wVYtwPIhhpfMSnYqhBazaczaMGc93lM3cF
 nM5bGnvYlhEdJW8l6ka1S0kWTJR_7lVdv29MAl3TFJPOeSs8Y0GcrLVqVN8N
 q0AdPaFVeoi5qUANqnvXQqqG4W3QgzC1f168Iu2h192bpijpC3w--
Received: from [80.108.122.184] by web28906.mail.ir2.yahoo.com via HTTP;
 Wed, 24 Apr 2013 08:54:46 BST
X-Rocket-MIMEInfo: 
 002.001,SXQncyBub3QgZXhhY3RseSB0aGUgc2FtZSBidXQgZ29lcyBpbiB0aGUgc2FtZSBkaXJlY3Rpb24uCgpDdXJyZW50bHkgd2UgaGF2ZSA0ICdvcGVyYXRpb24gbW9kZXMnIGZvciBlYWNoIHJlcXVlc3QgKHNlZSBDbGllbnRXaW5kb3dDb25maWcuIAoKKiBOT05FOiBubyBAV2luZG93U2NvcGVkIHdpbGwgYmUgYXZhaWxhYmxlIGZvciB0aGlzIHJlcXVlc3QKCiogTEFaWTogdGhlIHdpbmRvd0lkIHdpbGwgYmUgdmVyaWZpZWQgYW5kIGVuc3VyZWQgb24gdGhlIGNsaWVudCBzaWRlIHZpYSBhIEphdmFTY3JpcHQgY28BMAEBAQE-
X-Mailer: YahooMailWebService/0.8.141.536
References: <1366560521.23403.YahooMailNeo@web28904.mail.ir2.yahoo.com>
	<CACLE=7MSrzvpTS+WQH+AL5KK7nRjS_TWiheH0TY60EycBQPCeg@mail.gmail.com>
	<1366574544.17445.YahooMailNeo@web28903.mail.ir2.yahoo.com>
	<CAEXeC6y5b6+HArzkVQKVjHeQ_EHyf9GeXL7Pb-o=i+ShAwVeTw@mail.gmail.com>
	<CAAuOd=UpcbjYrHiUCkLcDDV9A2RVwRbZ6+s1bMVa8HX_FZNC3Q@mail.gmail.com>
	<CAF9TksOcsWSg9i0fJB6BJwaZ04SbOuQ=Of0wxG6HG-v6FQ1Urw@mail.gmail.com>
	<1366736472.62966.YahooMailNeo@web28903.mail.ir2.yahoo.com>
	<CAF9TksPVntGeLEGY=NxE21Qwg021zXVW_dH7qAw+n_V25ty6dw@mail.gmail.com>
 <CAEXeC6zNc0GJUKFb-nMt6Sb+8L3L_tnUHzMSrdBm6MBMA=CVPg@mail.gmail.com>
Message-ID: <1366790086.45031.YahooMailNeo@web28906.mail.ir2.yahoo.com>
Date: Wed, 24 Apr 2013 08:54:46 +0100 (BST)
From: Mark Struberg <struberg@yahoo.de>
Reply-To: Mark Struberg <struberg@yahoo.de>
Subject: Re: windowId postback detection
To: "deltaspike-dev@incubator.apache.org"
 <deltaspike-dev@incubator.apache.org>
In-Reply-To: 
 <CAEXeC6zNc0GJUKFb-nMt6Sb+8L3L_tnUHzMSrdBm6MBMA=CVPg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
X-Virus-Checked: Checked by ClamAV on apache.org

It's not exactly the same but goes in the same direction.=0A=0ACurrently we=
 have 4 'operation modes' for each request (see ClientWindowConfig. =0A=0A*=
 NONE: no @WindowScoped will be available for this request=0A=0A* LAZY: the=
 windowId will be verified and ensured on the client side via a JavaScript =
comparison of the windowId and window.name and if it doesn't fit then we fo=
rce a page refresh with the correct windowId: CON: the first page hit will =
still have the old windowId and might touch beans from this other window.=
=0A=0A* CLIENTWINDOW: each GET request first gets an intermediate page (win=
dowhandler.html) which checks if the windowName and windowId fit. If not ->=
 new windowId will get requested. If they fit, we reload the page with the =
verified windowId. This 2nd request finally hits the xhtml page. The interm=
ediate windowhandler page takes around 1ms to get served and is blazingly f=
ast on the client. To prevent flickering if the target page takes some time=
 to render we kind of take a DOM screenshot from the original page and disp=
lay it on the intermediate page.=0A=0A* CUSTOM: A user might implement his =
own ClientWindow. Not sure though how we will integrate this. Currently doe=
sn't work :)=0A=0AThe user can choose them via his own ClientWindowConfig (=
or @Specializes DefaultClientWindowConfig) for each request. E.g. a Request=
 from an internal address in a company (in our case the university) gets th=
e ClientWndow (intermediate html page which ensures the windowId is correct=
) and external addresses get rendered directly. Bots and other crawlers sho=
uld also get the direct page for example.=0A=0ANow for the 'exclude region'=
 sometimes you don't like to decorate target links with the windowId, nor d=
o you like to store the DOM tree in the localstorage. E.g. if you show cust=
omer generated context which is not secured or if you have links to externa=
l pages.=0AThis is more or less a security mechanism.=0A=0ALieGrue,=0Astrub=
=0A=0A=0A=0A=0A=0A>________________________________=0A> From: Christian Kal=
tepoth <christian@kaltepoth.de>=0A>To: deltaspike-dev@incubator.apache.org =
=0A>Cc: Mark Struberg <struberg@yahoo.de> =0A>Sent: Tuesday, 23 April 2013,=
 23:15=0A>Subject: Re: windowId postback detection=0A> =0A>=0A>@Mark=0A>Wit=
h your 'exclude-area' idea you are referring to something like=0A>Orchestra=
's <o:separateConversationContext>, right? I think this could be a=0A>reall=
y interesting feature for some usecases and we=0A>should definitively suppo=
rt it.=0A>=0A>Regarding the auto detection for links that have to be decora=
ted: I'm not=0A>really sure if there is a need to explicitly configure a se=
t of domains for=0A>this. I guess the decorating is somehow similar to what=
=0A>HttpServletResponse.encodeURL() does and would even be implemented by=
=0A>wrapping it (or the corresponding stuff in ExternalContext), correct? S=
o=0A>why don't we simply decorate all links that go though encodeURL unless=
 we=0A>are in an exclude area case?=0A>=0A>Christian=0A>=0A>=0A>=0A>=0A>201=
3/4/23 Jason Porter <lightguard.jp@gmail.com>=0A>=0A>> Interesting idea. Wh=
at does the rest of the community think?=0A>>=0A>>=0A>> On Tue, Apr 23, 201=
3 at 11:01 AM, Mark Struberg <struberg@yahoo.de> wrote:=0A>>=0A>> > yes, we=
 will certainly need to do lots of testing with this new approach.=0A>> > B=
ut it seems much more in sync with the JSF-2.2 idea which requires to=0A>> =
> detect the proper windowId even before the restore-view phase. In the old=
=0A>> > CODI implementation we parsed it from a custom Component which we a=
dded=0A>> to=0A>> > the view tree ourselfs. maybe we can do both.=0A>> >=0A=
>> > There was also an idea about having an 'exclude-area'. Means a tag whi=
ch=0A>> > will exclude the containing GET links from using the browser tab=
=0A>> detection.=0A>> > We might also think about a mechanism to detect the=
 links which need to=0A>> > get decorated. Something like=0A>> >=0A>> > <ds=
:windowId domain=3D"this, someurl.com, otherurl.org"/>=0A>> > For other lin=
ks we will not add the windowId nor store away the dom tree=0A>> > for our =
'snapshot view' on the intermediate page.=0A>> >=0A>> > LieGrue,=0A>> > str=
ub=0A>> >=0A>> >=0A>> >=0A>> >=0A>> > ----- Original Message -----=0A>> > >=
 From: Jason Porter <lightguard.jp@gmail.com>=0A>> > > To: "deltaspike-dev@=
incubator.apache.org" <=0A>> > deltaspike-dev@incubator.apache.org>=0A>> > =
> Cc:=0A>> > > Sent: Tuesday, 23 April 2013, 18:22=0A>> > > Subject: Re: wi=
ndowId postback detection=0A>> > >=0A>> > > I'm good either way, but the cu=
stom component idea seems to be=0A>> consensus,=0A>> > > also if the user d=
oesn't want it they can always leave out the new=0A>> > > component.=0A>> >=
 >=0A>> > >=0A>> > > On Mon, Apr 22, 2013 at 12:38 AM, Thomas Andraschko <=
=0A>> > > andraschko.thomas@gmail.com> wrote:=0A>> > >=0A>> > >>=A0 +1 for =
the custom component=0A>> > >>=0A>> > >>=0A>> > >>=A0 2013/4/22 Christian K=
altepoth <christian@kaltepoth.de>=0A>> > >>=0A>> > >>=A0 > I like the idea =
of a custom component because it makes it more=0A>> > > explicit=0A>> > >>=
=A0 > what the component is used for and perhaps would even provide more=0A=
>> > >>=A0 control=0A>> > >>=A0 > over what is happening.=0A>> > >>=A0 >=0A=
>> > >>=A0 > So +1 for a custom component=0A>> > >>=A0 >=0A>> > >>=A0 >=0A>=
> > >>=A0 > 2013/4/21 Mark Struberg <struberg@yahoo.de>=0A>> > >>=A0 >=0A>>=
 > >>=A0 > > Gerhard brought up another alternative: simply provide a=0A>> =
> > component=0A>> > >>=A0 which=0A>> > >>=A0 > > doesn't render any html b=
ut adds the windowhandler.js and=0A>> > > stores the=0A>> > >>=A0 > > compo=
nent in the ViewRoot.=0A>> > >>=A0 > >=0A>> > >>=A0 > > LieGrue,=0A>> > >>=
=A0 > > strub=0A>> > >>=A0 > >=0A>> > >>=A0 > >=0A>> > >>=A0 > >=0A>> > >>=
=A0 > >=0A>> > >>=A0 > > ----- Original Message -----=0A>> > >>=A0 > > > Fr=
om: Romain Manni-Bucau <rmannibucau@gmail.com>=0A>> > >>=A0 > > > To: Mark =
Struberg <struberg@yahoo.de>;=0A>> > >>=A0 > > deltaspike-dev@incubator.apa=
che.org=0A>> > >>=A0 > > > Cc:=0A>> > >>=A0 > > > Sent: Sunday, 21 April 20=
13, 20:56=0A>> > >>=A0 > > > Subject: Re: windowId postback detection=0A>> =
> >>=A0 > > >=0A>> > >>=A0 > > > 1 sounds easier to track too=0A>> > >>=A0 =
> > > Le 21 avr. 2013 18:09, "Mark Struberg"=0A>> > > <struberg@yahoo.de> a=
=0A>> > >>=A0 > > > =E9crit :=0A>> > >>=A0 > > >=0A>> > >>=A0 > > >>=A0 Hi!=
=0A>> > >>=A0 > > >>=0A>> > >>=A0 > > >>=A0 There are technically 2 options=
 for extracting the=0A>> > > windowId on=0A>> > >>=A0 POSTs:=0A>> > >>=A0 >=
 > >>=0A>> > >>=A0 > > >>=A0 1.) setting a hidden UIOutput component in the=
 ViewRoot=0A>> > >>=A0 > > >>=0A>> > >>=A0 > > >>=0A>> > >>=A0 > > >>=A0 2.=
) provide a custom renderkit/ResponseStateManager=0A>> > >>=A0 > > >>=0A>> =
> >>=A0 > > >>=A0 I think 1.) is much easier. Any input?=0A>> > >>=A0 > > >=
>=0A>> > >>=A0 > > >>=A0 LIeGrue,=0A>> > >>=A0 > > >>=A0 strub=0A>> > >>=A0=
 > > >>=0A>> > >>=A0 > > >>=0A>> > >>=A0 > > >=0A>> > >>=A0 > >=0A>> > >>=
=A0 >=0A>> > >>=A0 >=0A>> > >>=A0 >=0A>> > >>=A0 > --=0A>> > >>=A0 > Christ=
ian Kaltepoth=0A>> > >>=A0 > Blog: http://blog.kaltepoth.de/=0A>> > >>=A0 >=
 Twitter: http://twitter.com/chkal=0A>> > >>=A0 > GitHub: https://github.co=
m/chkal=0A>> > >>=A0 >=0A>> > >>=0A>> > >=0A>> > >=0A>> > >=0A>> > > --=0A>=
> > > Jason Porter=0A>> > > http://en.gravatar.com/lightguardjp=0A>> > >=0A=
>> >=0A>>=0A>>=0A>>=0A>> --=0A>> Jason Porter=0A>> http://en.gravatar.com/l=
ightguardjp=0A>>=0A>=0A>=0A>=0A>-- =0A>Christian Kaltepoth=0A>Blog: http://=
blog.kaltepoth.de/=0A>Twitter: http://twitter.com/chkal=0A>GitHub: https://=
github.com/chkal=0A>=0A>