JSR-371: MVC 1.0 TCK Coverage

1.0

Contents

Chapter Summary
Section Summary
Coverage Detail
Unmatched Tests
Unversioned Tests
Test Group Summary

Coverage Distribution

 
 
 
 
 
 
 
 
 
 

Chapter Summary

Chapter Assertions Testable Total Tested Total Tests Tested
(problematic)
Tested
(working)
Coverage %
1 Introduction000000
2 Models, Views and Controllers33333352033100.00%
3 Data Binding8883108100.00%
4 Security15151550015100.00%
5 Events666606100.00%
6 Applications7771507100.00%
7 View Engines666906100.00%
8 Internationalization4441204100.00%
Total797979175079100.00%

Section Summary

SectionAssertionsTestableTotal TestedTested
(problematic)
Tested
(working)
Coverage %
1 Introduction [introduction]00000
1.1 Goals [goals]00000
1.2 Non-Goals [non_goals]00000
1.3 Additional Information [additional_information]00000
1.4 Terminology [terminology]00000
1.5 Conventions [conventions]00000
1.6 Specification Leads [spec_leads]00000
1.7 Expert Group Members [expert_group]00000
1.8 Contributors [contributors]00000
1.9 Acknowledgements [acks]00000
2 Models, Views and Controllers [mvc]00000
2.1 Controllers [controllers]111111011100.00%
2.1.1 Controller Instances [controller_instances]44404100.00%
2.1.2 Response [response]11101100.00%
2.1.3 Redirect and @RedirectScoped [redirect]77707100.00%
2.2 Models [models]44404100.00%
2.3 Views [views]11101100.00%
2.3.1 Building URIs in a View [mvc_uri]55505100.00%
3 Data Binding [data_binding]00000
3.1 Introduction [data_binding_intro]00000
3.2 @MvcBinding annotation [mvc_binding_annotation]22202100.00%
3.3 Error handling with BindingResult [error_handling_bindingresult]22202100.00%
3.4 Converting to Java types [converting_parameters]00000
3.4.1 Numeric types [numeric_types]22202100.00%
3.4.2 Boolean type [boolean_type]22202100.00%
3.4.3 Other types [other_types]00000
4 Security [security]00000
4.1 Introduction [security_introduction]00000
4.2 Cross-site Request Forgery [cross-site-request-forgery]131313013100.00%
4.3 Cross-site Scripting [cross-site-scripting]22202100.00%
5 Events [events]00000
5.1 Observers [observers]66606100.00%
6 Applications [applications]00000
6.1 MVC Applications [mvc_applications]22202100.00%
6.2 MVC Context [mvc_context]33303100.00%
6.3 Providers in MVC [providers_in_mvc]00000
6.4 Annotation Inheritance [annotation_inheritance]22202100.00%
6.5 Configuration in MVC [configuration_in_mvc]00000
7 View Engines [view_engines]00000
7.1 Introduction [view_engines_introduction]22202100.00%
7.2 Selection Algorithm [selection_algorithm]44404100.00%
7.3 FacesServlet [faces_servlet]00000
8 Internationalization [i18n]00000
8.1 Introduction [i18n_introduction]11101100.00%
8.2 Resolving Algorithm [i18n_resolving_algorithm]22202100.00%
8.3 Default Locale Resolver [i18n_default_resolver]11101100.00%

Coverage Detail

Colour Key
Assertion is covered
Assertion is not covered
Assertion test is unimplemented
Assertion is untestable

Section 2.1 - Controllers [controllers]

ctrl-method)

An MVC controller is a JAX-RS [5] resource method decorated by @Controller

Coverage

org.mvcspec.tck.tests.mvc.controller.annotation
Test archive name: 1bf7b388452f10d85ffd5b39e7427043f5e91
ControllerAnnotationTest.controllerMethod()
ctrl-class)

If this annotation is applied to a class, then all resource methods in it are regarded as controllers

Coverage

org.mvcspec.tck.tests.mvc.controller.annotation
Test archive name: 1bf7b388452f10d85ffd5b39e7427043f5e91
ControllerAnnotationTest.controllerClass()
ctrl-hybrid)

Using the @Controller annotation on a subset of methods defines a hybrid class in which certain methods are controllers and others are traditional JAX-RS resource methods.

Coverage

org.mvcspec.tck.tests.mvc.controller.annotation
Test archive name: 1bf7b388452f10d85ffd5b39e7427043f5e91
ControllerAnnotationTest.controllerHybrid()
return-string)

In particular, a return type of String is interpreted as a view path rather than text content

Coverage

org.mvcspec.tck.tests.mvc.controller.returntype
Test archive name: 6045ec8373d56955d551b928dcfd4199cf3b7221
ReturnTypeTest.stringReturnType()
default-mediatype)

Moreover, the default media type for a response is assumed to be text/html, but otherwise can be declared using @Produces just like in JAX-RS

Coverage

org.mvcspec.tck.tests.mvc.controller.mediatype
Test archive name: f842b4738a8051c14176753bed32b9adb57e35
MediaTypeTest.defaultMediaType()
Test archive name: f842b4738a8051c14176753bed32b9adb57e35
MediaTypeTest.customMediaType()
return-void)

A controller method that returns void is REQUIRED to be decorated by @View

Coverage

org.mvcspec.tck.tests.mvc.controller.returntype
Test archive name: 6045ec8373d56955d551b928dcfd4199cf3b7221
ReturnTypeTest.voidWithViewAnnotation()
Test archive name: 6045ec8373d56955d551b928dcfd4199cf3b7221
ReturnTypeTest.voidWithoutViewAnnotation()
return-string2)

A string returned is interpreted as a view path

Coverage

org.mvcspec.tck.tests.mvc.controller.returntype
Test archive name: 6045ec8373d56955d551b928dcfd4199cf3b7221
ReturnTypeTest.stringReturnType()
return-response)

A JAX-RS Response whose entity's type is one of the above

Coverage

org.mvcspec.tck.tests.mvc.controller.returntype
Test archive name: 6045ec8373d56955d551b928dcfd4199cf3b7221
ReturnTypeTest.responseWithStringEntity()
Test archive name: 6045ec8373d56955d551b928dcfd4199cf3b7221
ReturnTypeTest.responseWithNullEntity()
non-null-viewable)

The default view MUST be used only when such a non-void controller method returns a null value

Coverage

org.mvcspec.tck.tests.mvc.controller.returntype
Test archive name: 6045ec8373d56955d551b928dcfd4199cf3b7221
ReturnTypeTest.stringWithNullResult()
inject-param-types)

All parameter types injectable in JAX-RS resources are also available in controllers

Coverage

org.mvcspec.tck.tests.mvc.controller.inject
Test archive name: 5065da8d64483a49791a7c401711e4ff612fbc0
InjectParamsTest.injectPathParam()
Test archive name: 5065da8d64483a49791a7c401711e4ff612fbc0
InjectParamsTest.injectQueryParam()
Test archive name: 5065da8d64483a49791a7c401711e4ff612fbc0
InjectParamsTest.injectHeaderParam()
inject-field-props)

Likewise, injection of fields and properties is unrestricted and fully compatible with JAX-RS

Coverage

org.mvcspec.tck.tests.mvc.controller.inject
Test archive name: 5065da8d64483a49791a7c401711e4ff612fbc0
InjectParamsTest.injectFieldParam()
Test archive name: 5065da8d64483a49791a7c401711e4ff612fbc0
InjectParamsTest.injectPropertyParam()

Section 2.1.1 - Controller Instances [controller_instances]

ctrl-cdi)

MVC classes are REQUIRED to be CDI-managed beans only

Coverage

org.mvcspec.tck.tests.mvc.instances.cdi
Test archive name: 4be3737c3eeb84e6ad40f07dcf248276dcbee683
CdiControllerTest.controllerCdiInjection()
ctrl-cdi-hybrid)

It follows that a hybrid class that contains a mix of JAX-RS resource methods and MVC controllers must also be CDI managed

Coverage

org.mvcspec.tck.tests.mvc.instances.cdi
Test archive name: 4be3737c3eeb84e6ad40f07dcf248276dcbee683
CdiControllerTest.hybridCdiInjection()
request-scope-default)

Like in JAX-RS, the default resource class instance lifecycle is per-request

Coverage

org.mvcspec.tck.tests.mvc.instances.lifecycle
Test archive name: 1184f6b941a7b09abae7e946415f958b14a288a0
ControllerLifecycleTest.controllerRequestScope()
scope-proxy)

In particular, CDI may need to create proxies when, for example, a per-request instance is as a member of a per-application instance

Coverage

org.mvcspec.tck.tests.mvc.instances.proxy
Test archive name: 36e9f988b0226651821d2420623382bca463d124
InjectProxyTest.injectProxyIfRequired()

Section 2.1.2 - Response [response]

response-header)

Returning a Response object gives applications full access to all the parts in a response, including the headers

Coverage

org.mvcspec.tck.tests.mvc.response
Test archive name: b4874be6631fad835b0b83e1a695ff62ab9209a
ResponseFeaturesTest.responseAllowsSettingHeaders()
Test archive name: b4874be6631fad835b0b83e1a695ff62ab9209a
ResponseFeaturesTest.responseAllowsSettingCacheControl()

Section 2.1.3 - Redirect and @RedirectScoped [redirect]

redirect-response)

Controllers can redirect clients by returning a Response instance using the JAX-RS API

Coverage

org.mvcspec.tck.tests.mvc.redirect.send
Test archive name: c0ec278148df953c95c54dd4e92317ccd2e9ed9
SendRedirectTest.redirectViaResponse()
redirect-prefix)

MVC implementations are REQUIRED to support view paths prefixed by redirect: as a more concise way to trigger a client redirect

Coverage

org.mvcspec.tck.tests.mvc.redirect.send
Test archive name: c0ec278148df953c95c54dd4e92317ccd2e9ed9
SendRedirectTest.redirectViaRedirectPrefix()
redirect-relative)

In either case, relative paths are resolved relative to the JAX-RS application path

Coverage

org.mvcspec.tck.tests.mvc.redirect.send
Test archive name: c0ec278148df953c95c54dd4e92317ccd2e9ed9
SendRedirectTest.relativePathResponse()
Test archive name: c0ec278148df953c95c54dd4e92317ccd2e9ed9
SendRedirectTest.relativePathRedirectPrefix()
redirect-303-302)

MVC implementations SHOULD use the 303 (See other) status code for the redirect, but MAY prefer 302 (Found) if HTTP 1.0 compatibility is required.

Coverage

org.mvcspec.tck.tests.mvc.redirect.send
Test archive name: c0ec278148df953c95c54dd4e92317ccd2e9ed9
SendRedirectTest.usesCorrectStatusCide()
scope-request)

A bean in request scope is available only during the processing of a single request

Coverage

org.mvcspec.tck.tests.mvc.redirect.scope
Test archive name: 830a4857cedda83fdbd58cb96e7dfe3d5830
RedirectScopeTest.requestScope()
scope-session)

While a bean in session scope is available throughout an entire web session which can potentially span tens or even hundreds of requests

Coverage

org.mvcspec.tck.tests.mvc.redirect.scope
Test archive name: 830a4857cedda83fdbd58cb96e7dfe3d5830
RedirectScopeTest.sessionScope()
scope-redirect)

CDI beans in this scope are automatically created and destroyed by correlating a redirect and the request that follows

Coverage

org.mvcspec.tck.tests.mvc.redirect.scope
Test archive name: 830a4857cedda83fdbd58cb96e7dfe3d5830
RedirectScopeTest.redirectScope()

Section 2.2 - Models [models]

builtin-both-models)

MVC provides view engines for JSP and Facelets out of the box, which support both types

Coverage

org.mvcspec.tck.tests.mvc.models
Test archive name: c3d6fc7a7d4e36147d5c989a3d5a1f373d06887
BuiltinEngineModelTest.cdiModelJsp()
Test archive name: c3d6fc7a7d4e36147d5c989a3d5a1f373d06887
BuiltinEngineModelTest.mvcModelsJsp()
Test archive name: c3d6fc7a7d4e36147d5c989a3d5a1f373d06887
BuiltinEngineModelTest.cdiModelFacelets()
Test archive name: c3d6fc7a7d4e36147d5c989a3d5a1f373d06887
BuiltinEngineModelTest.mvcModelsFacelets()
cdi-model-inject)

Given that the view engine for JSPs supports @Named beans, all the controller needs to do is fill out the model and return the view

Coverage

org.mvcspec.tck.tests.mvc.models
Test archive name: c3d6fc7a7d4e36147d5c989a3d5a1f373d06887
BuiltinEngineModelTest.cdiModelJsp()
Test archive name: c3d6fc7a7d4e36147d5c989a3d5a1f373d06887
BuiltinEngineModelTest.cdiModelFacelets()
cdi-model-el)

This will allow the view to access the greeting using the EL expression

Coverage

org.mvcspec.tck.tests.mvc.models
Test archive name: c3d6fc7a7d4e36147d5c989a3d5a1f373d06887
BuiltinEngineModelTest.cdiModelJsp()
Test archive name: c3d6fc7a7d4e36147d5c989a3d5a1f373d06887
BuiltinEngineModelTest.cdiModelFacelets()
models-inject)

Controllers can also use the Models map to pass data to the view

Coverage

org.mvcspec.tck.tests.mvc.models
Test archive name: c3d6fc7a7d4e36147d5c989a3d5a1f373d06887
BuiltinEngineModelTest.mvcModelsJsp()
Test archive name: c3d6fc7a7d4e36147d5c989a3d5a1f373d06887
BuiltinEngineModelTest.mvcModelsFacelets()

Section 2.3 - Views [views]

jsp-el)

In a JSP, model properties are accessible via EL

Coverage

org.mvcspec.tck.tests.mvc.models
Test archive name: c3d6fc7a7d4e36147d5c989a3d5a1f373d06887
BuiltinEngineModelTest.cdiModelJsp()
Test archive name: c3d6fc7a7d4e36147d5c989a3d5a1f373d06887
BuiltinEngineModelTest.mvcModelsJsp()

Section 2.3.1 - Building URIs in a View [mvc_uri]

el-access)

URIs for these controller methods can be created with an EL expression

Coverage

org.mvcspec.tck.tests.mvc.uri
Test archive name: a4d371f154ba0f04bcf78b16435d25839de39e4
UriBuildingTest.simpleUriViaEl()
class-method-name)

The controller method is referenced using the simple name of the controller class and the corresponding method name separated by #

Coverage

org.mvcspec.tck.tests.mvc.uri
Test archive name: a4d371f154ba0f04bcf78b16435d25839de39e4
UriBuildingTest.simpleUriViaEl()
param-map)

If the URI contains path, query or matrix parameters, concrete values can be supplied using a map

Coverage

org.mvcspec.tck.tests.mvc.uri
Test archive name: a4d371f154ba0f04bcf78b16435d25839de39e4
UriBuildingTest.mapPathParam()
Test archive name: a4d371f154ba0f04bcf78b16435d25839de39e4
UriBuildingTest.mapQueryParam()
Test archive name: a4d371f154ba0f04bcf78b16435d25839de39e4
UriBuildingTest.mapMatrixParam()
uri-encoding)

MVC implementations MUST apply the corresponding URI encoding rules depending on whether the value is used in a query, path or matrix parameter

Coverage

org.mvcspec.tck.tests.mvc.uri
Test archive name: a4d371f154ba0f04bcf78b16435d25839de39e4
UriBuildingTest.encodingPathParam()
Test archive name: a4d371f154ba0f04bcf78b16435d25839de39e4
UriBuildingTest.encodingQueryParam()
Test archive name: a4d371f154ba0f04bcf78b16435d25839de39e4
UriBuildingTest.encodingMatrixParam()
uri-ref)

Therefore, applications can use the @UriRef annotation to define a stable and unique name for a controller method

Coverage

org.mvcspec.tck.tests.mvc.uri
Test archive name: a4d371f154ba0f04bcf78b16435d25839de39e4
UriBuildingTest.supportsUriRef()

Section 3.2 - @MvcBinding annotation [mvc_binding_annotation]

mvc-binding)

You can enable the MVC specific data binding by adding a @MvcBinding annotation to the corresponding controller field or method parameter

Coverage

org.mvcspec.tck.tests.binding.base
Test archive name: f23854bd4e3e4b9102d257343f841a3eee5a92
BindingBaseTest.submitValidValue()
Test archive name: f23854bd4e3e4b9102d257343f841a3eee5a92
BindingBaseTest.submitValidationError()
Test archive name: f23854bd4e3e4b9102d257343f841a3eee5a92
BindingBaseTest.submitBindingError()
all-binding-annotations)

Therefore, MVC implementations MUST support @MvcBinding with all JAX-RS binding annotations

Coverage

org.mvcspec.tck.tests.binding.types
Test archive name: 87144339d0c61813e6916b00c0436b2fb3d29
BindingTypesTest.bindingWithPathParam()
Test archive name: 87144339d0c61813e6916b00c0436b2fb3d29
BindingTypesTest.bindingWithQueryParam()
Test archive name: 87144339d0c61813e6916b00c0436b2fb3d29
BindingTypesTest.bindingWithHeaderParam()
Test archive name: 87144339d0c61813e6916b00c0436b2fb3d29
BindingTypesTest.bindingWithFormParam()
Test archive name: 87144339d0c61813e6916b00c0436b2fb3d29
BindingTypesTest.bindingWithMatrixParam()
Test archive name: 87144339d0c61813e6916b00c0436b2fb3d29
BindingTypesTest.bindingWithCookieParam()

Section 3.3 - Error handling with BindingResult [error_handling_bindingresult]

invoke-controller)

An MVC implementation is required to invoke the matched controller method even if binding or validation errors occurred

Coverage

org.mvcspec.tck.tests.binding.base
Test archive name: f23854bd4e3e4b9102d257343f841a3eee5a92
BindingBaseTest.submitValidationError()
Test archive name: f23854bd4e3e4b9102d257343f841a3eee5a92
BindingBaseTest.submitBindingError()
inject-binding-result)

Controllers can inject a request-scoped instance of BindingResult to access details about potential data binding errors

Coverage

org.mvcspec.tck.tests.binding.base
Test archive name: f23854bd4e3e4b9102d257343f841a3eee5a92
BindingBaseTest.submitValidValue()
Test archive name: f23854bd4e3e4b9102d257343f841a3eee5a92
BindingBaseTest.submitValidationError()
Test archive name: f23854bd4e3e4b9102d257343f841a3eee5a92
BindingBaseTest.submitBindingError()

Section 3.4.1 - Numeric types [numeric_types]

convert-numeric)

When converting values to these numeric Java types, MVC implementations MUST use the current request locale for parsing non-empty strings

Coverage

org.mvcspec.tck.tests.binding.numeric
Test archive name: 17b14c61db8f702e6ff19df872965a05a30e75d
BindingBigIntegerTest.submitValidBigInteger()
Test archive name: a0431577c2a7e070fde7d3752dc4693c63bf7a
BindingBigDecimalTest.submitValidBigDecimal()
Test archive name: 18d17ab8b77f85efc4bb47388496cdef60b772
BindingDoubleTest.submitValidDouble()
Test archive name: f759282866e15f94adb3c4aa64f0d2f05ce3cc
BindingLongTest.submitValidLong()
Test archive name: 976dab30ef4f7b67dda7fbab1e9525d9413cc9a
BindingIntegerTest.submitValidInteger()
Test archive name: 92716e6da91e95c79cacc0c06f2582dadc8a2faf
BindingFloatTest.submitValidFloat()
convert-empty-numeric)

Empty strings are either converted to null or to the default value of the corresponding primitive data type

Coverage

org.mvcspec.tck.tests.binding.numeric
Test archive name: 17b14c61db8f702e6ff19df872965a05a30e75d
BindingBigIntegerTest.submitEmptyBigInteger()
Test archive name: a0431577c2a7e070fde7d3752dc4693c63bf7a
BindingBigDecimalTest.submitEmptyBigDecimal()
Test archive name: 18d17ab8b77f85efc4bb47388496cdef60b772
BindingDoubleTest.submitEmptyDouble()
Test archive name: f759282866e15f94adb3c4aa64f0d2f05ce3cc
BindingLongTest.submitEmptyLong()
Test archive name: 976dab30ef4f7b67dda7fbab1e9525d9413cc9a
BindingIntegerTest.submitEmptyInteger()
Test archive name: 92716e6da91e95c79cacc0c06f2582dadc8a2faf
BindingFloatTest.submitEmptyFloat()

Section 3.4.2 - Boolean type [boolean_type]

convert-boolean)

When an MVC implementation converts a non-empty string to a boolean primitive type or the java.lang.Boolean wrapper type, it MUST convert both true and on to the boolean true and all others strings to false

Coverage

org.mvcspec.tck.tests.binding.bool
Test archive name: eb5096db87f2418e3cc3db23aad513e16cca74d7
BindingBooleanTest.submitBooleanAsTrue()
Test archive name: eb5096db87f2418e3cc3db23aad513e16cca74d7
BindingBooleanTest.submitBooleanAsOn()
Test archive name: eb5096db87f2418e3cc3db23aad513e16cca74d7
BindingBooleanTest.submitBooleanAsFalse()
Test archive name: eb5096db87f2418e3cc3db23aad513e16cca74d7
BindingBooleanTest.submitBooleanAsFoobar()
convert-empty-boolean)

Empty strings are converted to false in case of the primitive boolean type and to null for the wrapper type

Coverage

org.mvcspec.tck.tests.binding.bool
Test archive name: eb5096db87f2418e3cc3db23aad513e16cca74d7
BindingBooleanTest.submitBooleanAsEmpty()

Section 4.2 - Cross-site Request Forgery [cross-site-request-forgery]

csrf-obj)

The Csrf object is available to applications via the injectable MvcContext type or in EL as mvc.csrf

Coverage

org.mvcspec.tck.tests.security.csrf.base
Test archive name: 5c49a58f6027e5635ef8f18b495d2cef7c98325
CsrfBaseTest.csrfInstanceViaContext()
Test archive name: 5c49a58f6027e5635ef8f18b495d2cef7c98325
CsrfBaseTest.csrfInstanceViaEL()
csrf-hidden-field)

Applications may use the Csrf object to inject a hidden field in a form that can be validated upon submission

Coverage

org.mvcspec.tck.tests.security.csrf.base
Test archive name: 5c49a58f6027e5635ef8f18b495d2cef7c98325
CsrfBaseTest.canInjectTokenIntoHiddenField()
org.mvcspec.tck.tests.security.csrf.verify
Test archive name: b39d5ba5faff15789b7c606a97734078918f3fcb
CsrfVerifyDefaultConfigTest.submitFormWithAnnotationAndValidToken()
Test archive name: b39d5ba5faff15789b7c606a97734078918f3fcb
CsrfVerifyDefaultConfigTest.submitFormWithoutAnnotationAndValidToken()
Test archive name: d6bddb36ee9ef5adc095f63428d8d9c3d5424ad2
CsrfVerifyExplicitConfigTest.submitFormWithAnnotationAndValidToken()
Test archive name: d6bddb36ee9ef5adc095f63428d8d9c3d5424ad2
CsrfVerifyExplicitConfigTest.submitFormWithoutAnnotationAndValidToken()
Test archive name: dcfac48e8928954192a0dc4484b4c7988b3d6e5
CsrfVerifyImplicitConfigTest.submitFormWithAnnotationAndValidToken()
Test archive name: dcfac48e8928954192a0dc4484b4c7988b3d6e5
CsrfVerifyImplicitConfigTest.submitFormWithoutAnnotationAndValidToken()
csrf-verify)

MVC implementations are REQUIRED to support CSRF tokens both as form fields (with the help of the application developer as shown above) and as HTTP headers

Coverage

org.mvcspec.tck.tests.security.csrf.header
Test archive name: 38a5ad52fd7a9b6744af110f9c6aa0a9a3171c
CsrfCustomHeaderTest.submitValidCustomTokenViaHeader()
Test archive name: 38a5ad52fd7a9b6744af110f9c6aa0a9a3171c
CsrfCustomHeaderTest.submitInvalidCustomTokenViaHeader()
Test archive name: 1af4f983b96b2c3a5e3eca2c57e0debddf79f675
CsrfDefaultHeaderTest.submitValidTokenViaForm()
Test archive name: 1af4f983b96b2c3a5e3eca2c57e0debddf79f675
CsrfDefaultHeaderTest.submitInvalidTokenViaForm()
Test archive name: 1af4f983b96b2c3a5e3eca2c57e0debddf79f675
CsrfDefaultHeaderTest.submitValidTokenViaHeader()
Test archive name: 1af4f983b96b2c3a5e3eca2c57e0debddf79f675
CsrfDefaultHeaderTest.submitInvalidTokenViaHeader()
csrf-opt-default)

The default value of this property is CsrfOptions.EXPLICIT

Coverage

org.mvcspec.tck.tests.security.csrf.verify
Test archive name: b39d5ba5faff15789b7c606a97734078918f3fcb
CsrfVerifyDefaultConfigTest.submitFormWithAnnotationAndValidToken()
Test archive name: b39d5ba5faff15789b7c606a97734078918f3fcb
CsrfVerifyDefaultConfigTest.submitFormWithAnnotationAndInvalidToken()
Test archive name: b39d5ba5faff15789b7c606a97734078918f3fcb
CsrfVerifyDefaultConfigTest.submitFormWithoutAnnotationAndValidToken()
Test archive name: b39d5ba5faff15789b7c606a97734078918f3fcb
CsrfVerifyDefaultConfigTest.submitFormWithoutAnnotationAndInvalidToken()
csrf-inject-header)

Any other value than CsrfOptions.OFF will automatically inject a CSRF token as an HTTP header

Coverage

org.mvcspec.tck.tests.security.csrf.base
Test archive name: 5c49a58f6027e5635ef8f18b495d2cef7c98325
CsrfBaseTest.tokenIsProvidedViaElAndResponseHeader()
csrf-custom-header-name)

The actual name of the header can be configured via the Csrf.CSRFHEADERNAME configuration property

Coverage

org.mvcspec.tck.tests.security.csrf.header
Test archive name: 38a5ad52fd7a9b6744af110f9c6aa0a9a3171c
CsrfCustomHeaderTest.submitValidCustomTokenViaHeader()
Test archive name: 38a5ad52fd7a9b6744af110f9c6aa0a9a3171c
CsrfCustomHeaderTest.submitInvalidCustomTokenViaHeader()
csrf-default-header-name)

The default name of the header is Csrf.DEFAULTCSRFHEADER_NAME

Coverage

org.mvcspec.tck.tests.security.csrf.header
Test archive name: 1af4f983b96b2c3a5e3eca2c57e0debddf79f675
CsrfDefaultHeaderTest.submitValidTokenViaHeader()
Test archive name: 1af4f983b96b2c3a5e3eca2c57e0debddf79f675
CsrfDefaultHeaderTest.submitInvalidTokenViaHeader()
csrf-implicit)

Automatic validation is enabled by setting this property to CsrfOptions.IMPLICIT, in which case all post requests must include either an HTTP header or a hidden field with the correct token

Coverage

org.mvcspec.tck.tests.security.csrf.verify
Test archive name: dcfac48e8928954192a0dc4484b4c7988b3d6e5
CsrfVerifyImplicitConfigTest.submitFormWithAnnotationAndValidToken()
Test archive name: dcfac48e8928954192a0dc4484b4c7988b3d6e5
CsrfVerifyImplicitConfigTest.submitFormWithAnnotationAndInvalidToken()
Test archive name: dcfac48e8928954192a0dc4484b4c7988b3d6e5
CsrfVerifyImplicitConfigTest.submitFormWithoutAnnotationAndValidToken()
Test archive name: dcfac48e8928954192a0dc4484b4c7988b3d6e5
CsrfVerifyImplicitConfigTest.submitFormWithoutAnnotationAndInvalidToken()
csrf-explict)

Finally, if the property is set to CsrfOptions.EXPLICIT then application developers must annotate controllers using @CsrfProtected to manually enable validation as shown in the following example

Coverage

org.mvcspec.tck.tests.security.csrf.verify
Test archive name: d6bddb36ee9ef5adc095f63428d8d9c3d5424ad2
CsrfVerifyExplicitConfigTest.submitFormWithAnnotationAndValidToken()
Test archive name: d6bddb36ee9ef5adc095f63428d8d9c3d5424ad2
CsrfVerifyExplicitConfigTest.submitFormWithAnnotationAndInvalidToken()
Test archive name: d6bddb36ee9ef5adc095f63428d8d9c3d5424ad2
CsrfVerifyExplicitConfigTest.submitFormWithoutAnnotationAndValidToken()
Test archive name: d6bddb36ee9ef5adc095f63428d8d9c3d5424ad2
CsrfVerifyExplicitConfigTest.submitFormWithoutAnnotationAndInvalidToken()
csrf-mediatype)

MVC implementations are required to support CSRF validation of tokens for controllers annotated with @POST and consuming the media type x-www-form-urlencoded

Coverage

org.mvcspec.tck.tests.security.csrf.verify
Test archive name: b39d5ba5faff15789b7c606a97734078918f3fcb
CsrfVerifyDefaultConfigTest.submitFormWithAnnotationAndValidToken()
Test archive name: b39d5ba5faff15789b7c606a97734078918f3fcb
CsrfVerifyDefaultConfigTest.submitFormWithoutAnnotationAndValidToken()
Test archive name: b39d5ba5faff15789b7c606a97734078918f3fcb
CsrfVerifyDefaultConfigTest.submitFormWithoutAnnotationAndInvalidToken()
Test archive name: d6bddb36ee9ef5adc095f63428d8d9c3d5424ad2
CsrfVerifyExplicitConfigTest.submitFormWithAnnotationAndValidToken()
Test archive name: d6bddb36ee9ef5adc095f63428d8d9c3d5424ad2
CsrfVerifyExplicitConfigTest.submitFormWithoutAnnotationAndValidToken()
Test archive name: d6bddb36ee9ef5adc095f63428d8d9c3d5424ad2
CsrfVerifyExplicitConfigTest.submitFormWithoutAnnotationAndInvalidToken()
Test archive name: dcfac48e8928954192a0dc4484b4c7988b3d6e5
CsrfVerifyImplicitConfigTest.submitFormWithAnnotationAndValidToken()
Test archive name: dcfac48e8928954192a0dc4484b4c7988b3d6e5
CsrfVerifyImplicitConfigTest.submitFormWithoutAnnotationAndValidToken()
csrf-exception)

The MVC implementation MUST throw a javax.mvc.security.CsrfValidationException

Coverage

org.mvcspec.tck.tests.security.csrf.exception
Test archive name: cdb373f222df505bab17630222513eedad5bcf1
CsrfCustomMapperTest.customExceptionMapper()
csrf-default-mapper)

The implementation MUST provide a default exception mapper for this exception which handles it by responding with a 403 (Forbidden) status code

Coverage

org.mvcspec.tck.tests.security.csrf.verify
Test archive name: b39d5ba5faff15789b7c606a97734078918f3fcb
CsrfVerifyDefaultConfigTest.submitFormWithAnnotationAndInvalidToken()
Test archive name: d6bddb36ee9ef5adc095f63428d8d9c3d5424ad2
CsrfVerifyExplicitConfigTest.submitFormWithAnnotationAndInvalidToken()
Test archive name: dcfac48e8928954192a0dc4484b4c7988b3d6e5
CsrfVerifyImplicitConfigTest.submitFormWithAnnotationAndInvalidToken()
Test archive name: dcfac48e8928954192a0dc4484b4c7988b3d6e5
CsrfVerifyImplicitConfigTest.submitFormWithoutAnnotationAndInvalidToken()
csrf-custom-mapper)

Applications MAY provide a custom exception mapper for CsrfValidationException to change this default behavior

Coverage

org.mvcspec.tck.tests.security.csrf.exception
Test archive name: cdb373f222df505bab17630222513eedad5bcf1
CsrfCustomMapperTest.customExceptionMapper()

Section 4.3 - Cross-site Scripting [cross-site-scripting]

xss-encoders-obj)

MVC applications can gain access to encoders through the MvcContext object

Coverage

org.mvcspec.tck.tests.security.xss
Test archive name: 33a980b7b1a3c865e2ff92fbaa686216cdef8af
EncodersTest.encodersInjectable()
Test archive name: 33a980b7b1a3c865e2ff92fbaa686216cdef8af
EncodersTest.encodersAvailableFromEl()
xss-escaping)

The methods defined by javax.mvc.security.Encoders can be used by applications to contextually encode data in an attempt to prevent XSS attacks

Coverage

org.mvcspec.tck.tests.security.xss
Test archive name: 33a980b7b1a3c865e2ff92fbaa686216cdef8af
EncodersTest.encodesHtml()
Test archive name: 33a980b7b1a3c865e2ff92fbaa686216cdef8af
EncodersTest.encodesJavaScript()

Section 5.1 - Observers [observers]

before-after-controller)

The events BeforeControllerEvent and AfterControllerEvent are fired around the invocation of a controller

Coverage

org.mvcspec.tck.tests.events
Test archive name: 59acaca9a4410a1384b6c74e12c505e8a202e5c
MvcEventsTest.aroundControllerEvents()
after-controller-exception)

Please note that AfterControllerEvent is always fired, even if the controller fails with an exception

Coverage

org.mvcspec.tck.tests.events
Test archive name: 59acaca9a4410a1384b6c74e12c505e8a202e5c
MvcEventsTest.afterControllerWithError()
before-after-view)

The events BeforeProcessViewEvent and AfterProcessViewEvent are fired around this call

Coverage

org.mvcspec.tck.tests.events
Test archive name: 59acaca9a4410a1384b6c74e12c505e8a202e5c
MvcEventsTest.aroundRenderView()
after-view-exception)

Please note that AfterProcessViewEvent is always fired, even if the view engine fails with an exception

Coverage

org.mvcspec.tck.tests.events
Test archive name: 59acaca9a4410a1384b6c74e12c505e8a202e5c
MvcEventsTest.afterViewWithError()
redirect-event)

The last event supported by MVC is ControllerRedirectEvent, which is fired just before the MVC implementation returns a redirect status code

Coverage

org.mvcspec.tck.tests.events
Test archive name: 59acaca9a4410a1384b6c74e12c505e8a202e5c
MvcEventsTest.redirectEvent()
redirect-after-controller-event)

Please note that this event MUST be fired after AfterControllerEvent

Coverage

org.mvcspec.tck.tests.events
Test archive name: 59acaca9a4410a1384b6c74e12c505e8a202e5c
MvcEventsTest.redirectEvent()

Section 6.1 - MVC Applications [mvc_applications]

application-class)

The controllers and providers that make up an application are configured via an application-supplied subclass of Application from JAX-RS

Coverage

org.mvcspec.tck.tests.application.app
Test archive name: 3f6146686b947014641d6dd83e69af2db35e626a
MvcAppWebXmlTest.testUrlSpaceViaAnnotation()
Test archive name: 9835a7d21f84bb5497ca2b56c0bbff61b38f66e
MvcAppAnnotationTest.testUrlSpaceViaAnnotation()
url-space)

The path in the application's URL space in which MVC controllers live must be specified either using the @ApplicationPath annotation on the application subclass or in the web.xml as part of the url-pattern element

Coverage

org.mvcspec.tck.tests.application.app
Test archive name: 3f6146686b947014641d6dd83e69af2db35e626a
MvcAppWebXmlTest.testUrlSpaceViaAnnotation()
Test archive name: 9835a7d21f84bb5497ca2b56c0bbff61b38f66e
MvcAppAnnotationTest.testUrlSpaceViaAnnotation()

Section 6.2 - MVC Context [mvc_context]

injection)

MVC applications can inject an instance of MvcContext to access configuration, security and path-related information

Coverage

org.mvcspec.tck.tests.application.context
Test archive name: 2a592716f4124f1c275a84b72791c54757eb8bf
MvcContextTest.testMvcContextInjected()
Test archive name: 2a592716f4124f1c275a84b72791c54757eb8bf
MvcContextTest.testMvcContextAccessInformation()
request-scope)

Instances of MvcContext are provided by implementations and are always in request scope

Coverage

org.mvcspec.tck.tests.application.context
Test archive name: 2a592716f4124f1c275a84b72791c54757eb8bf
MvcContextTest.testMvcContextScope()
el-access)

For convenience, the MvcContext instance is also available using the name mvc in EL

Coverage

org.mvcspec.tck.tests.application.context
Test archive name: 2a592716f4124f1c275a84b72791c54757eb8bf
MvcContextTest.testMvcContextAccessViaEl()

Section 6.4 - Annotation Inheritance [annotation_inheritance]

inheritance)

Such annotations are inherited by a corresponding sub-class or implementation class method provided that the method does not have any MVC or JAX-RS annotations of its own

Coverage

org.mvcspec.tck.tests.application.inheritance
Test archive name: ac1c8357f732698fe9dc97557f4895d85070359d
InheritanceTest.annotationsOnlyOnControllerMethod()
Test archive name: ac1c8357f732698fe9dc97557f4895d85070359d
InheritanceTest.annotationsOnlyOnSuperMethod()
Test archive name: ac1c8357f732698fe9dc97557f4895d85070359d
InheritanceTest.annotationsOnControllerAndSuperMethod()
Test archive name: ac1c8357f732698fe9dc97557f4895d85070359d
InheritanceTest.annotationsOnlyOnInterfaceMethod()
Test archive name: ac1c8357f732698fe9dc97557f4895d85070359d
InheritanceTest.annotationsOnControllerAndInterfaceMethod()
Test archive name: ac1c8357f732698fe9dc97557f4895d85070359d
InheritanceTest.annotationsOnSuperClassAndInterfaceMethod()
class-vs-iface)

Annotations on a super-class take precedence over those on an implemented interface

Coverage

org.mvcspec.tck.tests.application.inheritance
Test archive name: ac1c8357f732698fe9dc97557f4895d85070359d
InheritanceTest.annotationsOnSuperClassAndInterfaceMethod()

Section 7.1 - Introduction [view_engines_introduction]

jsp-facelets)

Implementations MUST provide built-in support for JSPs and Facelets view engines

Coverage

org.mvcspec.tck.tests.viewengine.base
Test archive name: ed3137fed4b1c4252dcb575d392b383c3177dd6
ViewEngineBaseTest.viewEngineJsp()
Test archive name: ed3137fed4b1c4252dcb575d392b383c3177dd6
ViewEngineBaseTest.viewEngineFacelets()
cdi-discovery)

Namely, any CDI bean that implements the javax.mvc.engine.ViewEngine interface MUST be considered as a possible target for processing by calling its supports method, discarding the engine if this method returns false

Coverage

org.mvcspec.tck.tests.viewengine.base
Test archive name: ed3137fed4b1c4252dcb575d392b383c3177dd6
ViewEngineBaseTest.viewEngineCustom()

Section 7.2 - Selection Algorithm [selection_algorithm]

selection-algo)

Implementations should perform the following steps while trying to find a suitable view engine for a view

Coverage

org.mvcspec.tck.tests.viewengine.algorithm
Test archive name: a3be7d629f8cb5758691c92b1dc28ae828e3dea2
ViewEngineAlgorithmTest.priorityOrderingCustomEngines()
Test archive name: a3be7d629f8cb5758691c92b1dc28ae828e3dea2
ViewEngineAlgorithmTest.overwriteBuiltinEngine()
models-binding)

In the case of the built-in view engines for JSPs and Facelets, entries in Models must be bound by calling HttpServletRequest.setAttribute(String, Object)

Coverage

org.mvcspec.tck.tests.viewengine.base
Test archive name: ed3137fed4b1c4252dcb575d392b383c3177dd6
ViewEngineBaseTest.viewEngineJsp()
Test archive name: ed3137fed4b1c4252dcb575d392b383c3177dd6
ViewEngineBaseTest.viewEngineFacelets()
path-relative)

If the path is relative, does not start with /, implementations MUST resolve view paths relative to the view folder, which defaults to /WEB-INF/views/

Coverage

org.mvcspec.tck.tests.viewengine.algorithm
Test archive name: a3be7d629f8cb5758691c92b1dc28ae828e3dea2
ViewEngineAlgorithmTest.relativeViewPath()
path-absolute)

If the path is absolute, no further processing is required

Coverage

org.mvcspec.tck.tests.viewengine.algorithm
Test archive name: a3be7d629f8cb5758691c92b1dc28ae828e3dea2
ViewEngineAlgorithmTest.absoluteViewPath()

Section 8.1 - Introduction [i18n_introduction]

mvc-context-locale)

The request locale is available from MvcContext and can be used by controllers, view engines and other components

Coverage

org.mvcspec.tck.tests.i18n.access
Test archive name: 5bcf994b1bb681f84d292dcad6249a7e885df13d
I18nAccessTest.accessLocaleFromController()
Test archive name: 5bcf994b1bb681f84d292dcad6249a7e885df13d
I18nAccessTest.accessLocaleFromView()
Test archive name: 5bcf994b1bb681f84d292dcad6249a7e885df13d
I18nAccessTest.accessLocaleFromViewEngine()

Section 8.2 - Resolving Algorithm [i18n_resolving_algorithm]

resolver-discovery)

Every CDI bean implementing the LocaleResolver interface and visible to the application participates in the locale resolving algorithm

Coverage

org.mvcspec.tck.tests.i18n.algorithm
Test archive name: 83fb187cc1033448fafe15222c7836e472b61b
I18nAlgorithmTest.highestPrioExecutedFirst()
Test archive name: 83fb187cc1033448fafe15222c7836e472b61b
I18nAlgorithmTest.continueChainForNullResult()
Test archive name: 83fb187cc1033448fafe15222c7836e472b61b
I18nAlgorithmTest.chainStopsForNonNullResult()
resolve-algorithm)

Implementations MUST use the following algorithm to resolve the request locale for each request

Coverage

org.mvcspec.tck.tests.i18n.algorithm
Test archive name: 83fb187cc1033448fafe15222c7836e472b61b
I18nAlgorithmTest.highestPrioExecutedFirst()
Test archive name: 83fb187cc1033448fafe15222c7836e472b61b
I18nAlgorithmTest.continueChainForNullResult()
Test archive name: 83fb187cc1033448fafe15222c7836e472b61b
I18nAlgorithmTest.chainStopsForNonNullResult()

Section 8.3 - Default Locale Resolver [i18n_default_resolver]

default-locale-resolver)

Every MVC implementation MUST provide a default locale resolver with a priority of 0 which resolves the request locale according to the following algorithm

Coverage

org.mvcspec.tck.tests.i18n.standard
Test archive name: b82a4886f881e94a2442981fbbf9cc93186c7
I18nStandardTest.singleLocaleInAcceptLanguageHeader()
Test archive name: b82a4886f881e94a2442981fbbf9cc93186c7
I18nStandardTest.multipleLocalesInAcceptLanguageHeader()
Test archive name: b82a4886f881e94a2442981fbbf9cc93186c7
I18nStandardTest.missingAcceptLanguageHeader()