What is the usefulness of statelessness in JSF?

Question

According to this blog, JSF is going stateless. Isn't the whole point of using JSF that it makes saving and restoring state a chore? What is the point of JSF becoming stateless? Can you please provide an example where this can be useful?

Recommended answer

First of all, I would like to clarify that JSF isn't exactly "going stateless" in its entirety. JSF just adds a new feature enabling developers to create stateless views/forms on demand.

State saving is particularly helpful in dynamically manipulated forms with e.g. conditionally ajax-rendered parts. It remembers the state of the form across ajax based postbacks. In other words, those are the forms where you absolutely need a view scoped managed bean instead of a request scoped managed bean. In the case of static forms tied to a request scoped bean, the state could easily be recreated on a per-request basis based on the view file and hence doesn't necessarily need to be saved.

In the case of server side state saving management, however, state saving has a cost in terms of server memory and session creation. Also, it has the additional disadvantage that a ViewExpiredException would occur during a postback when the session has expired. All of this can be solved by setting the state saving management to client side. But this has in turn a cost in terms of network bandwidth and lower performance due to serialization.

For example, in the case of large websites covering a "public" and a "restricted" section, you'd like to postpone session creation until the user has actually logged in. However, if you have a JSF login form on the public part, then the session would still be created by just accessing that page. This is an unnecessary cost if the form has basically no dynamic state of its own and is tied to a request scoped bean.

True, this cost is negligible if you have state of the art hardware, but it's not negligible if you have a relatively large number of visitors and/or relatively poor hardware. In that case, measuring is knowing. Also, it is not always possible to go fully stateless; you'd lose the benefit and experience of having dynamically manipulated views/forms. You could however theoretically maintain the state on a per-request basis by fiddling with hidden input fields and/or custom request parameters.

It should be noted that statelessness has the additional disadvantage that it's theoretically easier to perform a CSRF attack if there's an open XSS hole. Fortunately, with JSF2/Facelets it's already very hard to have an XSS hole. The only way to get one is to use a <h:outputText escape="false"> to redisplay user-controlled data.

  • Why JSF saves the state of UI components on server?
  • Am I under risk of CSRF attacks in a POST form that doesn't require the user to be logged in?
  • CSRF, XSS and SQL Injection attack prevention in JSF
  • How does different phases of JSF lifecycle behave in a stateless view containing a form
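
The public login form scenario from the answer, sketched as a stateless Facelets view. This is an added example, not part of the original answer; it assumes JSF 2.2 or later and a hypothetical request scoped bean named loginBean with username, password and login().

```xml
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:f="http://xmlns.jcp.org/jsf/core"
      xmlns:h="http://xmlns.jcp.org/jsf/html">
<!-- transient="true" (JSF 2.2+) marks this view as stateless: its component
     state is not saved, so rendering the page needs no session for view
     state and a later postback cannot fail with ViewExpiredException. -->
<f:view transient="true">
  <h:head><title>Login</title></h:head>
  <h:body>
    <!-- Static form with no conditionally rendered parts: the component
         tree can be rebuilt from this file on every request. -->
    <h:form id="login">
      <h:messages globalOnly="true" />

      <h:outputLabel for="username" value="Username" />
      <h:inputText id="username" value="#{loginBean.username}" required="true" />
      <h:message for="username" />

      <h:outputLabel for="password" value="Password" />
      <h:inputSecret id="password" value="#{loginBean.password}" required="true" />
      <h:message for="password" />

      <!-- loginBean (hypothetical) must be request scoped; a view scoped
           bean would be recreated on each request in a stateless view. -->
      <h:commandButton value="Log in" action="#{loginBean.login}" />
    </h:form>

    <!-- The javax.faces.ViewState hidden field now carries the fixed value
         "stateless", so it is no longer an unpredictable per-view token.
         Redisplayed input stays escaped (escape="true" is the default);
         do not set escape="false" on user-controlled data. -->
    <h:outputText value="#{loginBean.username}" />
  </h:body>
</f:view>
</html>
```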
