{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 小情绪 Triste * 的问题《Old values in input fields by GET request》','https://www.manongdao.com/q-1051168.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I have got this JSF form in the file loginform.xhtml:
<h:form>
<h:panelGrid columns="3" styleClass="components" cellpadding="5px">
<h:outputText value="#{msg['login.username']}"/>
<h:inputText id="username" value="#{userManager.loginUser.username}" required="true"/>
<h:message styleClass="error" for="username"/>
<h:outputText value="#{msg['login.password']}"/>
<h:inputSecret id="password" value="#{userManager.loginUser.password}"
required="true"/>
<h:message styleClass="error" for="password"/>
<h:commandButton value="#{msg['login.confirm']}"
action="#{userManager.doLogin}"/>
</h:panelGrid>
</h:form>
With this ManagedBean:
public class UserManager implements Serializable {
/**
* Creates a new instance of UserManager
*/
public UserManager() {
}
private UserRecord loginUser = new UserRecord();
private UserRecord sessionUser;
@EJB
private UserRecordFacadeLocal userRecordFacade;
public UserRecord getLoginUser() {
return loginUser;
}
public void setLoginUser(UserRecord loginUser) {
this.loginUser = loginUser;
}
public UserRecord getSessionUser() {
return sessionUser;
}
public void setSessionUser(UserRecord sessionUser) {
this.sessionUser = sessionUser;
}
public String doLogout() {
setSessionUser(null);
return "logout";
}
public String doLogin() {
if (userRecordFacade.authorizedAcces(loginUser.getUsername(), loginUser.getPassword())) {
setSessionUser(loginUser);
return "success";
}
return "failure";
}
}
Here is my question: if I type a GET request to loginform.xhtml (in my case: http://localhost:8080/Impetus-web/loginform.xhtml), the form is filled by the old values! Even more correct values - this is really bad for the security of the system :-). The same happens, if I make the navigation to this page via h:link tag. It works fine only in the case, if I jump to the page via POST request (via commandButton f. e.).
How is it possible?
JSF doesn't do that (as evidence, look in generated HTML output). The webbrowser does that. This feature is called "autofill"/"autocomplete". Just tell it to not do that by adding
autocomplete="off"to the individual input components.Or if you're on JSF 2.2 (or are using OmniFaces
Html5RenderKit), you could also set it form-wide.