[ http://issues.apache.org/jira/browse/MYFACES-1467?page=comments#action_12442266 ] David Chandler commented on MYFACES-1467: -----------------------------------------
Agreed in part. It's actually a bug in the spec due to these conflicting requirements: Section 3.5.4 (Validation Processing) of the 1.1 spec states: "The reader-independent property required is a shorthand for the function of a required validator. If the value of this property is true and the component has no value, the component is marked invalid and a message is added..." This requirement is not met in the current impl when using a proxy tool or other mechanism to remove the name-value pair from the POST data. However, section 3.5.5 (Standard Validator Implementations) says: "Unless otherwise specified, components with a null local value cause the validation checking by this validator to be skipped." If you consider requiredness checking to be part of validation as the spec does, then these two sections are in conflict. The current code skips validation for null value as section 3.5.5 prescribes, but in doing so violates the requirement of 3.5.4, which results in the undesirable behavior that a required field may be omitted without detection simply by removing it altogether from the POST. Matthias and I worked on this together this afternoon at ApacheCon, so I expect him to post some more details shortly. > Validation doesn't run for required fields if submitted value is null > --------------------------------------------------------------------- > > Key: MYFACES-1467 > URL: http://issues.apache.org/jira/browse/MYFACES-1467 > Project: MyFaces Core > Issue Type: Bug > Components: General > Affects Versions: 1.2.0-SNAPSHOT, 1.1.5-SNAPSHOT > Reporter: David Chandler > Assigned To: Matthias Weßendorf > Attachments: patch.txt > > > A component with a required value will not fail validation as expected if the > submitted value is null. This issue is not seen normally because browsers > send the value for an empty text field as an empty string. That is, the POST > data for an empty field1 will contain the field name but no value, like > field1=&field2=something. However, if you use a man-in-the-middle proxy such > as Paros to remove "fieldname=" from the POST data, the submitted value will > be null. UIInput.validate() skips validation for null submitted values, but > since requiredness is also part of validation, the requiredness check gets > skipped, too. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira
