Friday, April 11, 2014

RichFaces Security Advisory CVE-2014-0335

RichFaces

A security vulnerability has been uncovered and resolved in RichFaces 4. Details of the vulnerability can be found in this Red Hat Errata document released for our WFK product. We have released a community micro release addressing this vulnerability, so please update your applications ASAP. Read below for a summary of the problem and some additional minor fixes included in this release.

To update to this release: You can download the distribution directly, or for maven users, increment the RichFaces version in your pom.xml to 4.3.6.Final. For more information on setting up a RichFaces 4 application, refer to our getting started guide.

The issue

The issue was reported and resolved through community efforts in RF-13250. Much thanks to Marcel Ĺ ebek for both investigating and patching this issue!

The vulnerability

The vulnerability manifests itself when malformed Atmosphere requests cause RichFaces to leak memory. This memory leak can be exploited via a large number of requests to a push-enabled RichFaces application leading to an out-of-memory error, and a corresponding DDoS on the underlying application server.

This 4.3.6.Final release of RichFaces no longer leaks memory leak when receiving malformed Atmosphere requests. Users are encouraged to update their deployed RichFaces applications, particularly those that are push-enabled.

Note: while we have included the patch in RichFaces 5, we have not shipped an update to the RichFaces 5.0.0.Alpha3 release. The fix will be present in an upcoming 5.0.0.Alpha4 release.

Other fixes

Check out the 4.3.6.Final release notes for a complete list of issues resolved in this release. The issues for the most part are stabilizations to our Photoalbum demo. However some noteworthy issues include:

  • RF-13531: selects: cannot select option on IE11

  • RF-13559: a4j:commandButton wrong actions performed

  • RF-13540: Websphere incarnation of MyFaces renders optimized resources multiple times

Next Steps

We are hard at work putting out a RichFaces 4.5 release to address JSF 2.2 compatibility with the RichFaces 4.x branch. This has necessitated we put RichFaces 5 development on hold, but we feel will be worth it to get JSF 2.2 support in a stable release sooner rather than later.


Tuesday, March 11, 2014

Hands on with the jQuery UI widget factory at DevNation

DevNation

I’m thrilled to be speaking the upcoming DevNation conference. DevNation is an Open Source Developer conference co-located with the Red Hat Summit. With the announced agenda and the co-location with Summit, the conference is shaping up to be quite the event!

I’ll be speaking about developing widgets with the jQuery UI widget factory. We’ll look at how the widget factory takes away much of the boiler plate when writing stateful jQuery plug-ins, statefulness that comes intrinsically when creating visual plug-ins. This talk is based off of the work we’ve been doing lately with RichWidgets. It’s a widely applicable topic, as the browser is the target for so many applications frameworks and languages.

I’m also really looking forward to participating in the Beer & BoF Mobile & Rich Client smack down. I participated in the BOF at the 2012 JBoss World, and it was a lot of fun. The guys behind a number of UI frameworks at JBoss get together in a no-holds barred smack down between the various framework. The tongue-in-cheek approach is entertaining, and the content discussed is very enlightening. Be sure to attend this BOF if you are curious how the various UI technologies stack up against each other.

While at the conference I look forward to attending a number of interesting looking sessions:

  • jQuery: Behind the JavaScript - Kris Borchers

  • Write your first Ceylon program with the language author - Gavin King

  • High Performance Reactive Applications with Vert.x - Tim Fox

  • Full stack Javascript from mobile to cloud - Grant Shipley

  • Mobile web development: workflow and best practises - Luke Holmquist

Finally let’s not forget the hacknight! Here’s a great chance to share a table with a group of developers and hack away on some OSS. From new contributors to old, all are welcome. Come and share your ideas and your code!

I look forward to meeting many folks at DevNation - feel free to track me down if there is anything you want to discuss, or even just to say hi!


Thursday, February 6, 2014

RichFaces 5.0.0.Alpha3 Release Announcement

RichFaces

RichFaces 5.0.0.Alpha3 has been released. With this third alpha release of RichFaces 5 we are providing compatibility with JSF 2.2. Go download WildFly and give the JSF 2.2 capabilities of this release a spin.

To try out this release: You can download the distribution directly, or for maven users, increment the RichFaces version in your pom.xml to 5.0.0.Alpha3. For more information on setting up a RichFaces application, refer to our getting started guide.

RichFaces 4 compatibility

We are keeping forward compatibility front of mind with an updated release of RichFaces UI 4.5.0.Alpha2. This release of the RichFaces 4 UI components has been updated to work with the latest RichFaces 5 core.

Release Notes

This release does not provide any new components, but rather focuses on JSF 2.2 compatibility. Looking through the issues resolved you can see both a number of component specific fixes as well as some framework "core" fixes.

Note: While this release adds support for JSF 2.2, you are still free to use RichFaces 5 with JSF 2.1

Bug

  • RF-11973 - rich:contextMenu - after ajax re-render of table contextMenu no longer works

  • RF-12813 - rich:panelMenuItem executes action even if disabled attribute evaluates to true

  • RF-12865 - Correct deferred partial response ending by leveraging PVC wrapper chain

  • RF-13040 - Examples don’t work on WildFly

  • RF-13041 - Metamer: demos throw NullPointerException

  • RF-13062 - r:validator stops working

  • RF-13093 - EPVC: ViewState must be written even for transient (stateless) views

  • RF-13168 - 3rd party JSF component disappears on RichFaces ajax refresh

  • RF-13197 - Input with name javax.faces.ViewState is not rendered after submit

  • RF-13198 - ITAutoRegisteredPushServlet fails with - Async is not supported for this request on WildFly80

  • RF-13199 - Framework tests does not include all needed classes to the deployment when deploying on WildFly

  • RF-13208 - Push: error "not well-formed" appears in browser console in Firefox - make messages a valid XML

  • RF-13239 - Popup panel: CSS class rf-pp-hdr contains invalid property repeat-x

  • RF-13252 - a4j:ajax includes jsf.js script twice

  • RF-13317 - ExtendedPartialViewContextImpl should specify correct javax.faces.ViewState id in startUpdate()

  • RF-13358 - rich:panelMenuGroup allowing actions executions even if originally disabled

  • RF-13369 - autocomplete problem in glassfish 4 with jsf 2.2

  • RF-13379 - Build on Travis fails due to NoClassDefFoundEx.: javax/servlet/Servlet (during framework resource optimization)

  • RF-13417 - Some warp-based framework tests fail on WildFly with exception Could not inject members

  • RF-13420 - Showcase - WARNING No mime type could be found for file fontawesome-webfont.woff is logged

  • RF-13444 - r:fileUpload throws IOException "Request prolog cannot be read"

  • RF-13455 - The rich:tabPanel no longer visits tab header facets while rendering a response.

  • RF-13472 - Action listener: binding doesn’t work

  • RF-13496 - StackOverflowError in RendererBase.encodeEnd

  • RF-13498 - Photoalbum - shutting down server with deployed app will throw JdbcSQLException:

  • RF-13508 - Deprecate reslib resource file - RF 4.5/5

  • RF-13513 - CollectionDataModel API is not available on pre-JSF 2.1 that poses backward compatibility problem

  • RF-13518 - Action Listener - invoking from composite component does not work

  • RF-13519 - Stackoverflow in CharRendererBase

  • RF-13520 - mediaOutput: NPE is thrown when used with CDI beans and JSF 2.2

Component Upgrade

  • RF-13432 - Upgrade framework build to JSF 2.2

  • RF-13438 - Update jboss-parent to 12

  • RF-13454 - Upgrade integration tests use of WildFly to 8.0.0.CR1

  • RF-13481 - Upgrade to Warp 1.0.0.Alpha6

Enhancement

  • RF-13278 - Add support for a header meta-component to the rich:tabPanel

  • RF-13307 - Support java.util.Collection in iteration components

  • RF-13314 - Deprecate reslib resource files

  • RF-13494 - Make the RichFaces RendererBase decode/encode* methods final

Task

  • RF-13248 - Switch RichFaces smoke tests to run on WildFly 8 by default

  • RF-13343 - Page Fragments: Re-implement setupFragmentFromWidget() methods using component options access

  • RF-13448 - Add javadoc to the SequenceIterationStatus class

  • RF-13517 - Mark all framework tests that requires JSF 2.2 with a new @Category(RequiresJSF22)

Next steps

We have begun work on RichFaces 5.0.0.Alpha4. Our fourth alpha release will provide some additional component migrations to the new RichWidget-based architecture and the associated Bootstrap-based style.


Tuesday, February 4, 2014

Presentation Tier Technology Survey

It’s feedback time! Developers today are presented with an abundance of options when selecting which technologies will form the basis of their applications. Even if we constrain ourselves to the presentation tier, that choices available are staggering. Technology providers then get to play the fun game of anticipating in which direction its users and customers are headed and make sure they are providing them with value.

To help us at JBoss better understand in which direction you are headed with your applications of today and tomorrow, we have prepared a quick 3-question survey on Presentation Tier technologies. Your taking the time to fill out this survey will help us tremendously in getting a better understanding of this problem, and help us make sure we are providing you the tools and capabilities you are looking for in building and delivering your applications.

Survey

Please fill out this quick 3-question survey to help us at JBoss better understand the presentation tier technologies you use when building your applications.


Monday, January 27, 2014

RichFaces 4.3.5.Final Release Announcement

RichFaces

We are happy to release an update to our stable branch with the release of RichFaces 4.3.5.Final. This 5th micro release of the RichFaces 4.3 release series provides a number of bug fixes while we concurrently work on RichFaces 5.

To try out this release: You can download the distribution directly, or for maven users, increment the RichFaces version in your pom.xml to 4.3.5.Final. For more information on setting up a RichFaces 4 application, refer to our getting started guide.

Release Highlights

This release resolves 50 issues, making RichFaces 4.3.5 a substantial bug-fix release. The issues themselves span a number of components and features, offering an overall increase in framework stability.

With this release we have brought back the Photoalbum demo from the RichFaces 3 project. We’ve enhanced the demo offering social media tie-ins to facebook and google plus. Check out the source code on github.

Bug

  • RF-11469 - autocomplete method does not resolve bean if ui:included and only one parameter provided

  • RF-11973 - rich:contextMenu - after ajax re-render of table contextMenu no longer works

  • RF-12811 - VDL Documentation: rich:calendar is missing attribute "maxlength"

  • RF-12813 - rich:panelMenuItem executes action even if disabled attribute evaluates to true

  • RF-13172 - rich:toolbarGroup location="right" doesn’t work if toolbarGroup location="left" contains not rendered values

  • RF-13208 - Push: error "not well-formed" appears in browser console in Firefox - make messages a valid XML

  • RF-13220 - Quickstart - Remove references to AS 7.1 in the RichFaces quickstarts

  • RF-13239 - Popup panel: CSS class rf-pp-hdr contains invalid property repeat-x

  • RF-13252 - a4j:ajax includes jsf.js script twice

  • RF-13257 - PhotoAlbum: uploading and deleting images

  • RF-13266 - mediaOutput not working anymore on Glassfish3 and EAP6.1

  • RF-13287 - rich:extendedDataTable column resizing with ajax loading not working properly

  • RF-13292 - Autocomplete: up and down arrow keys not working in Opera

  • RF-13298 - Richfaces BOM manages a non Maven Central dependency

  • RF-13342 - archetype-simpleapp: facelet with name title is not defined in template, but it is used in the sample

  • RF-13358 - rich:panelMenuGroup allowing actions executions even if originally disabled

  • RF-13455 - The rich:tabPanel no longer visits tab header facets while rendering a response.

  • RF-13464 - Photoalbum: bad positioning of progressBar for G+/FB login on Firefox

  • RF-13465 - Photoalbum: cannot run album slideshow when an image has been added

  • RF-13466 - Photoalbum: editor for creating comments has not visible toolbar

  • RF-13467 - Photoalbum: wrong selector in js function when selecting album from multiple album groups

  • RF-13468 - Photoalbum build fails with JDK 6

  • RF-13471 - Photoalbum: search: option for search in own albums is not visible when logged in

  • RF-13473 - Photoalbum: cannot open help for fileUpload and dataScroller

  • RF-13485 - Photoalbum: cannot login with FB account

  • RF-13486 - Photoalbum: viewing g+ albums improvements

  • RF-13487 - Photoalbum: viewing FB albums improvements

  • RF-13497 - Photoalbum: cannot add album via contextMenu

  • RF-13500 - Photoalbum: viewing Facebook albums throws exception

  • RF-13501 - PhotoAlbum: sharing a photo does not work, can not choose album

  • RF-13502 - Photoalbum: editing uploaded photo throws NPE

Component Upgrade

  • RF-13277 - Upgrade Atmosphere to 1.0.18

  • RF-13310 - Upgrade Graphene and Warp in 4.3 branch Enhancement

  • RF-13274 - Use QSTools:archetypeSync to keep the kitchensink archetype synchronized with the kithensink-rf quickstart

  • RF-13314 - Deprecate reslib resource files

  • RF-13439 - Photoalbum - update help section

  • RF-13462 - Photoalbum: improvements for adding album and album groups

  • RF-13463 - Photoalbum: improvements for adding images

  • RF-13479 - Re-organize files/folders in the top-level webapp folder

  • RF-13480 - Java package re-structure for the photoalbum demo

Epic

  • RF-13047 - Implement improvements to the photoalbum application

Feature Request

  • RF-12793 - Photoalbum improvements

  • RF-12949 - Create a set of Photoalbum smoke tests which will verify it starts and that the basic features works

  • RF-13227 - Prepare the RichFaces 4.3.x photoalbum for release

  • RF-13305 - Autocomplete: i must press button twice for popup window

  • RF-13306 - Autocomplete: initialize value from DOM (was: ignored API call .setValue(''))

Patch

  • RF-13268 - Typo in LookAheadObjectInputStream.java Task

  • RF-13404 - Port the RichFaces 5 improvements back to RichFaces 4.3

  • RF-13405 - Merge the photoalbum fixes from QE

  • RF-13509 - Add Photoalbum sources to RichFaces distribution

Moving forward

You will likely have noticed no mention of JSF 2.2 in this announcement. We are not at this time introducing JSF 2.2 support into our stable branch, but are rather doing so in the upcoming 5.0.0.Alpha3 release of RichFaces. Progress on RichFaces 5 has continued while we prepared the 4.3.5 release, and we have already committed a number of JSF 2.2 related fixes. Look for this release in the next week or two.


Wednesday, December 11, 2013

RichFaces 5.0.0.Alpha2 Release Announcement

RichFaces

RichFaces 5.0.0.Alpha2 is now available for download. This second alpha release of our RichFaces 5 effort is significant as it brings in our new component architecture, new components, a further refinement in our approach to testing, and the beginnings of a new look and feel. We’ll dive further into each of these topics below.

To try out this release: You can download the distribution directly, or for maven users, increment the RichFaces version in your pom.xml to 5.0.0.Alpha2. For more information on setting up a RichFaces application, refer to our getting started guide.

New Component Architecture

We’ve been planning a new component architecture for quite some time. We PoC’ed the concept last year, and we now have the groundwork in place to move full-steam ahead.

Our new component architecture is based on standalone javascript widgets loosely coupled to the JSF back-end via an event-based mechanism. Building JSF components on top of standalone javascript widgets has (among others) the following benefits:

  1. Reduced delivery-time on new components when re-using existing OSS widgets.

  2. Improved testability when testing widgets across many browser implementations/versions.

  3. Widget re-use across multiple web frameworks - allowing for poly-framework/polyglot web applications with a consistent L&F.

After delivering RichFaces 5.0.0.Alpha1 we went off and hid in a corner for a while to lay the foundation for the javascript work required to pull this off. We wanted to create a space where we could contribute our javascript development efforts in a true OSS manner and participate as closely as possible with upstream projects.

To this end we created RichWidgets, a pure javascript project that sits upstream of RichFaces, providing the javascript implementations of the RichFaces 5 set of components. Built with grunt and bower, and tested with karma and jasmine, the project should be easily accessible to all participating in the javascript development space, irrespective of the server-side framework/language with which they are trying to inter-operate.

Styled with Bootstrap and the Red Hat Common User Experience, and powered using the jQuery UI widget factory, RichWidgets provides users with both a consistent API and a consistent look-and-feel.

Checkout what we have so far by browsing the RichWidgets demo site, of by taking a look at the source code on GitHub. If you are still curious, learn more about RichWidgets in the RichWidgets 0.1 release announcement.

New Components

r:chart

The RichFaces 5 chart component was built by a GSoC student (Lukas Macko) using the above mentioned JSF component architecture. Built using the Flot charting library, the flot charts were first wrapped as RichWidgets to provide a consistent javascript API and L&F. Check out the RichWidgets demo of the charts widget.

The RichWidget charts were consumed by RichFaces, providing a first-class JSF component. The RichFaces chart component demo is currently shown in our old RichFaces 4 showcase - we are hard at work creating a new showcase specific to RichFaces 5.

r:autocomplete

The RichFaces autocomplete component has had a client-side rewrite using the RichWidgets approach. Starting with the jQuery UI autocomplete component, the RichWidget autocomplete widget was built-up to have the features and extension points required for RichFaces integration. The resulting RichWidget autocomplete widget demo shows well the capabilities of the autocomplete widget.

The RichWidget autocomplete widget was wrapped using the RichFaces CDK to provide another first-class JSF component. The JSF facelet API has been maintained wherever possible to make it easy to migrate to the new version of the component. You can see the RichFaces autocomplete component demo in the richfaces-latest showcase.

r:orderingList

In a similar manner to the r:autocomplete rewrite, the r:orderingList we re-implemented as a javascript widget, built on top of the jQuery UI sortable and selectable plug-ins. The RichWidget orderingList widget demo shows the new capabilities achieved with this widget rewrite, including support for dragging items to re-order them.

RichFaces 5 is consuming the orderingList widget via the RichFaces CDK, bringing these new capabilities to RichFaces/JSF applications. Visit the RichFaces orderingList component demo to see these capabilities in action.

r:pickList

The fourth and final new component available with RichFaces is the pickList component. Composed using two orderingList RichWidgets, the pickList also provides drag-and-drop between the source and target lists. Check out the RichWidgets demo of the pickList widget, and the RichFaces demo of the pickList component.

r:fileUpload

While not a new component, the fileUpload component has received a new "multi-file upload" feature thanks to a git pull request from Anthony O.. This addition to the r:fileUpload component allows a user to select multiple files at one time for uploading. Availble in RichFaces 5.0.0.Alpha2 and RichFaces UI 4.5.0.Alpha1.

Migrating applications

With a revision in the major version number, I know many of you are apprehensive about the overhead involved in migrating to Richfaces 5. We have taken your concerns to heart, and have worked heavily on porting the RichFaces 4 components to work the with the re-vamped RichFaces 5 core as a separate jar. We are releasing this as Richfaces UI 4.5.0.Alpha1. With this component set, you will be able to re-use the RichFaces 4 components in your Richfaces 5 application without any changes required to your facelet code. You can then migrate to the new RichFaces 5 components on an as needed basis.

To enable this feature, we’ve changed the RichFaces 5 facelet namespace to be non-conflicitng. If you have been using RichFaces 5.0.0.Alpha1, you’ll have to change your namespace.

As of RichFaces 5.0.0.Alpha2, the facelt namespace for components is:

xmlns:r="http://richfaces.org"

In a parallel effort, we are working to maintain the facelet API of the RichFaces 5 components to minimize any barrier to adoption of the new components. We are tracking any such API changes that we do make, and will make these notes available in our 5.0.0.Final release documentation.

Testing Components with Page Fragments

The RichFaces QE team has developed a set of Arquillian Graphene Page Fragments for use in testing our components. The neat thing about page fragments, is they componentize the testing model, allowing for easy code re-use. What do this mean for you as a RichFaces developer? You can use the RichFaces page fragments to test your own application, and write your tests to a high-level component API, without worrying about the underlying DOM implementation. If we update the DOM implementation of a component in a future release, we’ll update the page fragment with it. Your tests will not have to change to reflect the DOM change in any way!

This idea is truly revolutionary, and I look forward to see how you the RichFaces community adopt these page fragments, and where you will take them. Functional testing of enterprise web applications has never been so compelling!

Next Steps

You will likely have noticed the lack of a mention of JSF 2.2 in this release announcement. Unfortunately our plate was too full with this release to properly tackle JSF 2.2 support. We do however recognize this as important to many of you, particularly with WildFly 8 in a Beta stage. With this in mind we will make JSF 2.2 our primary focus for RichFaces 5.0.0.Alpha3, and will work to expedite its release. We will also continue with a release of our stable RichFaces 4.3 branch in the new year.


Wednesday, December 11, 2013

RichWidgets 0.1 Release Announcement

RichWidgets 0.1 is released and ready for download. The road to this first release was a long one, requiring us to get our first javascript project in order. Built with grunt, dependencies managed by bower, and our jasmine tests run by karma, RichWidgets is pure javascript project and as such should be equally accessible with all languages and frameworks targeting the web.

To try out this release: You can download the distribution directly, or for bower users, point your bower.json file to consume the richwidgets#0.1.0 library in the bower registry.

Design Choices

The RichWidgets widgets are designed to be used either standalone, or integrated with a web-framework. The widgets are built using the jQuery UI widget factory and styled with Bootstrap. Wherever possible we aim to consume existing OSS widgets (contributing back wherever possible!). By wrapping the upstream widgets with the jQuery UI widget factory, we aim to provide a set of responsive widgets with a well-defined life-cycle, a standard API, and a consistent look-and-feel.

Have a look at our demos to get a feel for how you can use our widgets in your application. Or, if you are a developer of a we framework, take a look at how we’ve wrapped RichWidgets in the RichFaces framework.

Widgets Available

This first release makes four widgets available:

Autocomplete widget

Based on the jQuery UI widget factory, the autocomplete widget comes pre-configured for a number of typical use cases. Have a look at the autocomplete widget demo to see how you can use the widget in your own application.

Charts widget

The charts widget builds on the upstream Flot library and provides the ability to create several types of charts, including: line, pie, and bar charts. Check out the charts widget demo to see some use cases for the various chart types.

Ordering list widget

The ordering list widget is a simple widget used for re-ordering items in a list. Built using the jQuery UI selectable and sortable plug-ins, the ordering list provides support for re-ordering items with either mouse clicks or via drag and drop. Check out the ordering list widget demo to see the ordering list in various configurations.

Pick list widget

The pick list widget is composed of two ordering lists, and items can be selected by placing them in the target list. Similarly to the ordering list, items can be moved by mouse clicks, or by drag and drop. The pick list demo shows the pick list in various configurations.

Next steps

We will likely have a 0.1.1 micro release fixing some bugs with the existing widgets while we concurrently work on some new widgets for our 0.2 release. We have some ideas about what we are targeting with the 0.2 release, but nothing is set in stone. Feel free to get involved and help take the project to where you want it to go!