| Chapter | Assertions | Testable | Total Tested | Total Tests | Tested (problematic) |
Tested (working) |
Coverage % |
|---|---|---|---|---|---|---|---|
| 1 Introduction | 0 | 0 | 0 | 0 | 0 | 0 | |
| 2 Models, Views and Controllers | 33 | 33 | 33 | 52 | 0 | 33 | 100.00% |
| 3 Data Binding | 8 | 8 | 8 | 31 | 0 | 8 | 100.00% |
| 4 Security | 15 | 15 | 15 | 50 | 0 | 15 | 100.00% |
| 5 Events | 6 | 6 | 6 | 6 | 0 | 6 | 100.00% |
| 6 Applications | 7 | 7 | 7 | 15 | 0 | 7 | 100.00% |
| 7 View Engines | 6 | 6 | 6 | 9 | 0 | 6 | 100.00% |
| 8 Internationalization | 4 | 4 | 4 | 12 | 0 | 4 | 100.00% |
| Total | 79 | 79 | 79 | 175 | 0 | 79 | 100.00% |
| Section | Assertions | Testable | Total Tested | Tested (problematic) | Tested (working) | Coverage % |
|---|---|---|---|---|---|---|
| 1 Introduction [introduction] | 0 | 0 | 0 | 0 | 0 | |
| 1.1 Goals [goals] | 0 | 0 | 0 | 0 | 0 | |
| 1.2 Non-Goals [non_goals] | 0 | 0 | 0 | 0 | 0 | |
| 1.3 Additional Information [additional_information] | 0 | 0 | 0 | 0 | 0 | |
| 1.4 Terminology [terminology] | 0 | 0 | 0 | 0 | 0 | |
| 1.5 Conventions [conventions] | 0 | 0 | 0 | 0 | 0 | |
| 1.6 Specification Leads [spec_leads] | 0 | 0 | 0 | 0 | 0 | |
| 1.7 Expert Group Members [expert_group] | 0 | 0 | 0 | 0 | 0 | |
| 1.8 Contributors [contributors] | 0 | 0 | 0 | 0 | 0 | |
| 1.9 Acknowledgements [acks] | 0 | 0 | 0 | 0 | 0 | |
| 2 Models, Views and Controllers [mvc] | 0 | 0 | 0 | 0 | 0 | |
| 2.1 Controllers [controllers] | 11 | 11 | 11 | 0 | 11 | 100.00% |
| 2.1.1 Controller Instances [controller_instances] | 4 | 4 | 4 | 0 | 4 | 100.00% |
| 2.1.2 Response [response] | 1 | 1 | 1 | 0 | 1 | 100.00% |
| 2.1.3 Redirect and @RedirectScoped [redirect] | 7 | 7 | 7 | 0 | 7 | 100.00% |
| 2.2 Models [models] | 4 | 4 | 4 | 0 | 4 | 100.00% |
| 2.3 Views [views] | 1 | 1 | 1 | 0 | 1 | 100.00% |
| 2.3.1 Building URIs in a View [mvc_uri] | 5 | 5 | 5 | 0 | 5 | 100.00% |
| 3 Data Binding [data_binding] | 0 | 0 | 0 | 0 | 0 | |
| 3.1 Introduction [data_binding_intro] | 0 | 0 | 0 | 0 | 0 | |
| 3.2 @MvcBinding annotation [mvc_binding_annotation] | 2 | 2 | 2 | 0 | 2 | 100.00% |
| 3.3 Error handling with BindingResult [error_handling_bindingresult] | 2 | 2 | 2 | 0 | 2 | 100.00% |
| 3.4 Converting to Java types [converting_parameters] | 0 | 0 | 0 | 0 | 0 | |
| 3.4.1 Numeric types [numeric_types] | 2 | 2 | 2 | 0 | 2 | 100.00% |
| 3.4.2 Boolean type [boolean_type] | 2 | 2 | 2 | 0 | 2 | 100.00% |
| 3.4.3 Other types [other_types] | 0 | 0 | 0 | 0 | 0 | |
| 4 Security [security] | 0 | 0 | 0 | 0 | 0 | |
| 4.1 Introduction [security_introduction] | 0 | 0 | 0 | 0 | 0 | |
| 4.2 Cross-site Request Forgery [cross-site-request-forgery] | 13 | 13 | 13 | 0 | 13 | 100.00% |
| 4.3 Cross-site Scripting [cross-site-scripting] | 2 | 2 | 2 | 0 | 2 | 100.00% |
| 5 Events [events] | 0 | 0 | 0 | 0 | 0 | |
| 5.1 Observers [observers] | 6 | 6 | 6 | 0 | 6 | 100.00% |
| 6 Applications [applications] | 0 | 0 | 0 | 0 | 0 | |
| 6.1 MVC Applications [mvc_applications] | 2 | 2 | 2 | 0 | 2 | 100.00% |
| 6.2 MVC Context [mvc_context] | 3 | 3 | 3 | 0 | 3 | 100.00% |
| 6.3 Providers in MVC [providers_in_mvc] | 0 | 0 | 0 | 0 | 0 | |
| 6.4 Annotation Inheritance [annotation_inheritance] | 2 | 2 | 2 | 0 | 2 | 100.00% |
| 6.5 Configuration in MVC [configuration_in_mvc] | 0 | 0 | 0 | 0 | 0 | |
| 7 View Engines [view_engines] | 0 | 0 | 0 | 0 | 0 | |
| 7.1 Introduction [view_engines_introduction] | 2 | 2 | 2 | 0 | 2 | 100.00% |
| 7.2 Selection Algorithm [selection_algorithm] | 4 | 4 | 4 | 0 | 4 | 100.00% |
| 7.3 FacesServlet [faces_servlet] | 0 | 0 | 0 | 0 | 0 | |
| 8 Internationalization [i18n] | 0 | 0 | 0 | 0 | 0 | |
| 8.1 Introduction [i18n_introduction] | 1 | 1 | 1 | 0 | 1 | 100.00% |
| 8.2 Resolving Algorithm [i18n_resolving_algorithm] | 2 | 2 | 2 | 0 | 2 | 100.00% |
| 8.3 Default Locale Resolver [i18n_default_resolver] | 1 | 1 | 1 | 0 | 1 | 100.00% |
| Colour Key |
|---|
| Assertion is covered |
| Assertion is not covered |
| Assertion test is unimplemented |
| Assertion is untestable |
An MVC controller is a JAX-RS [5] resource method decorated by @Controller
Coverage
If this annotation is applied to a class, then all resource methods in it are regarded as controllers
Coverage
Using the @Controller annotation on a subset of methods defines a hybrid class in which certain methods are controllers and others are traditional JAX-RS resource methods.
Coverage
In particular, a return type of String is interpreted as a view path rather than text content
Coverage
Moreover, the default media type for a response is assumed to be text/html, but otherwise can be declared using @Produces just like in JAX-RS
Coverage
A controller method that returns void is REQUIRED to be decorated by @View
Coverage
A string returned is interpreted as a view path
Coverage
A JAX-RS Response whose entity's type is one of the above
Coverage
The default view MUST be used only when such a non-void controller method returns a null value
Coverage
All parameter types injectable in JAX-RS resources are also available in controllers
Coverage
Likewise, injection of fields and properties is unrestricted and fully compatible with JAX-RS
Coverage
MVC classes are REQUIRED to be CDI-managed beans only
Coverage
It follows that a hybrid class that contains a mix of JAX-RS resource methods and MVC controllers must also be CDI managed
Coverage
Like in JAX-RS, the default resource class instance lifecycle is per-request
Coverage
In particular, CDI may need to create proxies when, for example, a per-request instance is as a member of a per-application instance
Coverage
Returning a Response object gives applications full access to all the parts in a response, including the headers
Coverage
Controllers can redirect clients by returning a Response instance using the JAX-RS API
Coverage
MVC implementations are REQUIRED to support view paths prefixed by redirect: as a more concise way to trigger a client redirect
Coverage
In either case, relative paths are resolved relative to the JAX-RS application path
Coverage
MVC implementations SHOULD use the 303 (See other) status code for the redirect, but MAY prefer 302 (Found) if HTTP 1.0 compatibility is required.
Coverage
A bean in request scope is available only during the processing of a single request
Coverage
While a bean in session scope is available throughout an entire web session which can potentially span tens or even hundreds of requests
Coverage
CDI beans in this scope are automatically created and destroyed by correlating a redirect and the request that follows
Coverage
MVC provides view engines for JSP and Facelets out of the box, which support both types
Coverage
Given that the view engine for JSPs supports @Named beans, all the controller needs to do is fill out the model and return the view
Coverage
This will allow the view to access the greeting using the EL expression
Coverage
Controllers can also use the Models map to pass data to the view
Coverage
In a JSP, model properties are accessible via EL
Coverage
URIs for these controller methods can be created with an EL expression
Coverage
The controller method is referenced using the simple name of the controller class and the corresponding method name separated by #
Coverage
If the URI contains path, query or matrix parameters, concrete values can be supplied using a map
Coverage
MVC implementations MUST apply the corresponding URI encoding rules depending on whether the value is used in a query, path or matrix parameter
Coverage
Therefore, applications can use the @UriRef annotation to define a stable and unique name for a controller method
Coverage
You can enable the MVC specific data binding by adding a @MvcBinding annotation to the corresponding controller field or method parameter
Coverage
Therefore, MVC implementations MUST support @MvcBinding with all JAX-RS binding annotations
Coverage
An MVC implementation is required to invoke the matched controller method even if binding or validation errors occurred
Coverage
Controllers can inject a request-scoped instance of BindingResult to access details about potential data binding errors
Coverage
When converting values to these numeric Java types, MVC implementations MUST use the current request locale for parsing non-empty strings
Coverage
Empty strings are either converted to null or to the default value of the corresponding primitive data type
Coverage
When an MVC implementation converts a non-empty string to a boolean primitive type or the java.lang.Boolean wrapper type, it MUST convert both true and on to the boolean true and all others strings to false
Coverage
Empty strings are converted to false in case of the primitive boolean type and to null for the wrapper type
Coverage
The Csrf object is available to applications via the injectable MvcContext type or in EL as mvc.csrf
Coverage
Applications may use the Csrf object to inject a hidden field in a form that can be validated upon submission
Coverage
MVC implementations are REQUIRED to support CSRF tokens both as form fields (with the help of the application developer as shown above) and as HTTP headers
Coverage
The default value of this property is CsrfOptions.EXPLICIT
Coverage
Any other value than CsrfOptions.OFF will automatically inject a CSRF token as an HTTP header
Coverage
The actual name of the header can be configured via the Csrf.CSRFHEADERNAME configuration property
Coverage
The default name of the header is Csrf.DEFAULTCSRFHEADER_NAME
Coverage
Automatic validation is enabled by setting this property to CsrfOptions.IMPLICIT, in which case all post requests must include either an HTTP header or a hidden field with the correct token
Coverage
Finally, if the property is set to CsrfOptions.EXPLICIT then application developers must annotate controllers using @CsrfProtected to manually enable validation as shown in the following example
Coverage
MVC implementations are required to support CSRF validation of tokens for controllers annotated with @POST and consuming the media type x-www-form-urlencoded
Coverage
The MVC implementation MUST throw a javax.mvc.security.CsrfValidationException
Coverage
The implementation MUST provide a default exception mapper for this exception which handles it by responding with a 403 (Forbidden) status code
Coverage
Applications MAY provide a custom exception mapper for CsrfValidationException to change this default behavior
Coverage
MVC applications can gain access to encoders through the MvcContext object
Coverage
The methods defined by javax.mvc.security.Encoders can be used by applications to contextually encode data in an attempt to prevent XSS attacks
Coverage
The events BeforeControllerEvent and AfterControllerEvent are fired around the invocation of a controller
Coverage
Please note that AfterControllerEvent is always fired, even if the controller fails with an exception
Coverage
The events BeforeProcessViewEvent and AfterProcessViewEvent are fired around this call
Coverage
Please note that AfterProcessViewEvent is always fired, even if the view engine fails with an exception
Coverage
The last event supported by MVC is ControllerRedirectEvent, which is fired just before the MVC implementation returns a redirect status code
Coverage
Please note that this event MUST be fired after AfterControllerEvent
Coverage
The controllers and providers that make up an application are configured via an application-supplied subclass of Application from JAX-RS
Coverage
The path in the application's URL space in which MVC controllers live must be specified either using the @ApplicationPath annotation on the application subclass or in the web.xml as part of the url-pattern element
Coverage
MVC applications can inject an instance of MvcContext to access configuration, security and path-related information
Coverage
Instances of MvcContext are provided by implementations and are always in request scope
Coverage
For convenience, the MvcContext instance is also available using the name mvc in EL
Coverage
Such annotations are inherited by a corresponding sub-class or implementation class method provided that the method does not have any MVC or JAX-RS annotations of its own
Coverage
Annotations on a super-class take precedence over those on an implemented interface
Coverage
Implementations MUST provide built-in support for JSPs and Facelets view engines
Coverage
Namely, any CDI bean that implements the javax.mvc.engine.ViewEngine interface MUST be considered as a possible target for processing by calling its supports method, discarding the engine if this method returns false
Coverage
Implementations should perform the following steps while trying to find a suitable view engine for a view
Coverage
In the case of the built-in view engines for JSPs and Facelets, entries in Models must be bound by calling HttpServletRequest.setAttribute(String, Object)
Coverage
If the path is relative, does not start with /, implementations MUST resolve view paths relative to the view folder, which defaults to /WEB-INF/views/
Coverage
If the path is absolute, no further processing is required
Coverage
The request locale is available from MvcContext and can be used by controllers, view engines and other components
Coverage
Every CDI bean implementing the LocaleResolver interface and visible to the application participates in the locale resolving algorithm
Coverage
Implementations MUST use the following algorithm to resolve the request locale for each request
Coverage
Every MVC implementation MUST provide a default locale resolver with a priority of 0 which resolves the request locale according to the following algorithm
Coverage