Created attachment 820261 [details]
jsf-api 2.1.26

Created attachment 820262 [details]
jsf-impl 2.1.26

Created attachment 822295 [details]
jsf-impl-2.1.26-redhat-1.jar

Created attachment 822296 [details]
jboss-jsf-api_2.1_spec-2.1.26.Final-redhat-1.jar

Created attachment 822302 [details]
jsf-impl-2.1.26-redhat-1.jar

Created attachment 822524 [details]
one-off patch

@QA: Please verify the patch.

This is basically mix of two issues, where this issue is superset problem to https://bugzilla.redhat.com/show_bug.cgi?id=1017242. This is issue (Bug 1026999, also https://java.net/jira/browse/JAVASERVERFACES-2136) is not reproducible in EAP 6.1.1 and as I've read (and understood) related customer case, in fact they were asking for fix of https://java.net/jira/browse/JAVASERVERFACES-2902, which is equal to bz1017242.

So this patch should be IMO updated to reflect bz1017242 issue. Next thing is that there should be opened/prepared next patch for EAP 6.2.0, where is still jsf version 2.1.19.

@Tomas: You are right. Since the customer originally requested a fix for https://java.net/jira/browse/JAVASERVERFACES-2136, I incorrectly named this one-off BZ and the patch description. This patch is actually fixing https://java.net/jira/browse/JAVASERVERFACES-2902.

@Marek: How to correct this problem? I can edit this BZ to reflect  https://java.net/jira/browse/JAVASERVERFACES-2902.
What should we do with the other BZ case https://bugzilla.redhat.com/show_bug.cgi?id=1027367?

Created attachment 823392 [details]
one-off patch

@Marek: Corrected the patch description to match https://java.net/jira/browse/JAVASERVERFACES-2902. 

Note: BZ-1027367 [1] is unchanged.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1027367

@Stan
I would like to ask you at few things in this new jsf-impl-2.1.26-redhat-1.jar. First is that I am seeing following warning, when testing flash scope with redirect:

" SEVERE [javax.enterprise.resource.webcontainer.jsf.flash] (web-executor-threads - 1) JSF1094: Could not decode flash data from incoming cookie value Invalid characters in decrypted value.  Processing will continue, but the flash is unavailable for this request."

As I've debugged it, I explored the problem is fired in ELFlash  class (specifically com.sun.faces.context.flash.ELFlash.PreviousNextFlashInfoManager) in method decode, where is this new code (comparing to 2.1.19):

 try {
                urlDecodedValue = URLDecoder.decode(cookie.getValue(), "UTF-8");
 } catch (UnsupportedEncodingException uee) {
                urlDecodedValue = cookie.getValue();
 }
 
value = guard.decrypt(urlDecodedValue);

Can you please explain me, what is the use or purpose of this ? Because my theory is following - do something in application -> store the flash values to the cookie (which is properly encrypted and subsequently decrypted by the same key) -> now I restart application and access the application again -> now there's the problem when it tries to decrypt same cookie, but with another key -> resulting in InvalidKeyException and producing this message.

I am not really sure, what this problem may cause in real.

RichFaces 4.3.2 (from WFK 2.3) works fine on patched EAP 6.1.1 except of push component which is a known issue (see bug 1001854). RichFaces 4.3.4 (from to-be-released WFK 2.4) works fine.

@Ilia
Shouldn't be this in ON_QA state ?

@Tomas: I've been told to flip the status to Modified when the patch is ready for QA. I think that QA should change it to ON_QA, but I may be wrong.

Hmm it looks like that the process has changed little bit, so you are right.

Ok I don't consider my above comment as some crucial problem, so I verified the patch:

7622d709092b68ad5d7aa20abc0748ab  jsf-impl-2.1.26-redhat-1.jar
3c883e53dda39de48a0bba267f40002e  jboss-jsf-api_2.1_spec-2.1.26.Final-redhat-1.jar

@Tomas: Thanks for verifying the patch. Do you know when the patch will be available on Customer Portal?

@Ilia: Sorry I forgot to promote the patch, so hopefully asap.

https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=26063&product=appplatform&version=6.1.1&downloadType=patches

per RT 267523
https://engineering.redhat.com/rt/Ticket/Display.html?id=267523