How to safely init a ViewScoped bean with URL GET request parameters?

Question

I have a few managed bean (ViewScoped) that are currently initialized with data in the session. I would like to initialize them with a URL GET parameter so I can provide URLs with the entity ID I want to display in my view. Something like displayClient.xhtml?entityId=123.

Right now I am thinking of something like this in the getter of the view main entity :

public clientModel getclientM() {
  if (this.clientM == null) {
    // TODO: Check for empty, non-integer or garbage parameters...
    // Anything exists to "sanitize" URL parameters?
    int entityId = Integer.parseInt(FacesContext.getCurrentInstance().getExternalContext().getRequestParameterMap().get("entityId"));

    // I guess I should check here if the logged user is authorized to 
    // load client entity with this entityId...  anything else to check?

    this.clientM = this.clientS.find(entityId);
  }

  return this.clientM;
}

Any hint or suggestion of best practices would be greatly appreciated.

Answer 1

I'd think something along these lines are best practice:

displayclient.xhtml:

<f:metadata>
    <f:viewParam name=“entityId” 
                 value="#{bean.clientM}” 
                 required="true" 
                 converter=“clientModelConverter”
                 converterMessage="Bad request. Unknown ClientModel.”
                 requiredMessage="Bad request. Please use a link from within the system.">
    </f:viewParam>
</f:metadata>

Converter:

@ManagedBean    
@RequestScoped 
public class ClientModelConverter implements Converter {

    @EJB
    private ClientService clientService;

    @Override
    public String getAsString(FacesContext context, UIComponent component, Object value) {
        // TODO: check if value is instanceof ClientModel
        return String.valueOf(((ClientModel) value).getId());
    }

    @Override
    public Object getAsObject(FacesContext context, UIComponent component, String value) {
       // TODO: catch NumberFormatException and throw ConverterException
       return clientService.find(Integer.valueOf(value));
    }

}

Call the page with for example:

<h:link value=“Display” outcome="displayClient">
    <f:param name=“entityId" value=“#{…}” />
</h:link>

or just a raw url for example displayClient.xhtml?entityId=123.

Heavily inspired by What can <f:metadata>, <f:viewParam> and <f:viewAction> be used for? and JSF 2.0 view parameters to pass objects.

Answer 2

1. Store entityId in session, for example SessionScoped Bean
2. In your View Scoped managed beans, add @PostConstruct method, where you will get entityId from session and populate data with this

Answer 3

I did something similar, for the same exact reason : Providing an external link to a jsf page.

In your ViewScoped bean, have a @PostConstruct method to force a fail-safe scan for the Get Param

@PostConstruct
public void scanEntityId(){

    int entityId = 0; // or some other default value 

    try{
        // Try to fetch entityId from url with GET
        int entityId = Integer.getInteger(FacesContext.getExternalContext().getRequestParameterMap().get("entityId")  );
    }catch(Exception e){
        // Did not find anything from GET
    }

    // TODO: do stuff using the entityId's value. e.g.:
    if(entityId >0){
        this.clientM = this.clientS.find(entityId);
    }
}

Just make sure to handle the cases where the entityId var is not found in the Get params

If you want to link to that page from another xhtml page of the same app, you can use the f:param

<h:link value="Go in a page that uses thatViewScoped Bean"
    outcome="#{thatViewScopedBean.takeMeToThatPage}" >      
    <f:param name="entityId" value="#{somebean.somevar.entityId}" />
</h:link>

A nice tutorial can also be found here You might also like to see this answer, and this article to see more options and get a more clear view.