New Features of JavaServer Faces 2.2 in progress

Updated First May 2012.

JavaServer Faces 2.X

JavaServer Faces 2.X


    <f:viewAction action="#{someBean.someAction}" />

NAVIGATIONFinally, the Flow scope (Faces Flow) is here and is a big step towards dependency
on CDI. In JSF 2.0, one used sessionScoped beans to pass information through pages
or the ConversationScoped beans using CDI, but that was not enough complete as
the Spring Web Flowfor example.

public class SomBean { // ... }
<faces-config version="2.2" xmlns=""
<html xmlns=""
        <j:faces-flow-definition id="flow"/>


– Adding support for Ajax requests Queue control
– Adding support for Ajax file upload component

<h:form prependId="false" enctype="multipart/form-data">
    <!-- The new regular file upload component -->
    <h:inputFile id="fileUpload" value="#{someBean.file}" />
    <h:commandButton value="Upload" />


In JSF 2.2 injection will be possible in:
converters, validators, components, behaviors and much more artifacts.

Without the need to configure or declare anything else, this component can now be used on a JSF 2.2 Facelet as follows:

@FacesComponent(value="components.CustomComponent", createTag=true)
public class CustomComponent extends UIComponentBase {
    public String getFamily() {
        return "my.custom.component";
    public void encodeBegin(FacesContext context) throws IOException {

        String value = (String) getAttributes().get("value");

        if (value != null) {
            ResponseWriter writer = context.getResponseWriter();


<html xmlns=""
xmlns:test="" >
<test:customComponent value="test"/>

The presence of that annotation on a class automatically registers it as a Facelets resource resolver.
If a resolver is specified in both XML and via an annotation, the XML overrides the annotation as per the usual Java EE conventions.
If multiple annotated classes are found, the first one encountered is used and a warning is logged.
Before we had to specify a name for a FacesComponent like this:

public class Bar extends UIComponentBase {
    // ...

In JSF 2.2 the name can now be omitted for components, converters and validators as well, so the code shown above can become:

public class Bar extends UIComponentBase {
    // ...


Cross Site Request Forgery is an attack that lets users unknowingly do a request to a site where they are supposed to be logged-in, that has some side-effect that is most likely in some way beneficial to the attacker. GET based requests are most obvious here, but POST requests are just as vulnerable. JSF seems to have some implicit protection against this when state is saved on the server, since a post-back must contain a valid javax.faces.ViewStatehidden parameter. Contrary to earlier versions, this value seems sufficiently random in modern JSF implementations. Nevertheless, JSF 2.2 will contain additional/even stricter protection against this. Among others client state encryption is now on by default and there’s a token parameter for protection of non-postback views.


JSF 2.2 will introduce a javax.faces.model.CollectionDataModel in which UIData wraps an incoming value if it’s of type Collection. Collection is one of the last types being checked, so if the incoming value is a List the ListDataModeltakes precedence. The following are now the supported types:
  • null (becomes empty list)
  • javax.faces.model.DataModel
  • java.util.List
  • java.lang.Object[]
  • java.sql.ResultSet
  • javax.servlet.jsp.jstl.sql.Result
  • java.util.Collection new!
  • java.lang.Object (becomes ScalarDataModel)
Two different aspects of this will be supported in JSF 2.2:

  • Identification of an individual window: the Window Id
  • API and life-cyle awareness of the window concept

The programmer can configure the preferred method in web.xml via a context parameter:


The current draft implementation supports only field and none which is the default. Additional anticipated values are script and url.


Who’s using JSF?

Have you ever wondered what brands / institutions and/or businesses are using JSF? Check this pages for links:

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s