What is the usefulness of statelessness in JSF?


Problem description

According to this blog, JSF is going stateless. Isn't the whole point of using JSF that it makes saving and restoring state a chore? What is the point of JSF becoming stateless? Can you please provide an example where this can be useful?

Recommended answer

First of all, I would like to clarify that JSF isn't exactly "going stateless" all on its own. JSF just adds a new feature enabling developers to create stateless views/forms on demand.

State saving is particularly helpful in dynamically manipulated forms with e.g. conditionally ajax-rendered parts. It remembers the state of the form across ajax-based postbacks. In other words, these are the forms where you absolutely need a view scoped managed bean instead of a request scoped managed bean. In the case of static forms tied to a request scoped bean, the state could easily be recreated on a per-request basis based on the view file and hence doesn't necessarily need to be saved.

However, in the case of server-side state saving management, state saving has a cost in terms of server memory and session creation. Also, it has the additional disadvantage that a ViewExpiredException would occur during a postback when the session has expired. All of this can be solved by setting the state saving management to client side. But this in turn has a cost in terms of network bandwidth and lower performance due to serialization.

For example, in the case of large websites covering a "public" and a "restricted" section, you'd like to postpone session creation until the user has actually logged in. However, if you have a JSF login form on the public part, then the session would still be created by just accessing that page. This is an unnecessary cost if the form has basically no dynamic state of its own and is tied to a request scoped bean.

True, this cost is negligible if you have state-of-the-art hardware, but it's not negligible if you have a relatively large number of visitors and/or relatively poor hardware. In that case, measuring is knowing. Also, it is not always possible to go fully stateless; you'd lose the benefit and experience of having dynamically manipulated views/forms. You could however theoretically maintain the state on a per-request basis by fiddling with hidden input fields and/or custom request parameters.

It should be noted that statelessness has the additional disadvantage that it's theoretically easier to perform a CSRF attack if there's an open XSS hole. Fortunately, with JSF2/Facelets it's already very hard to have an XSS hole. The only way to get that is to use a <h:outputText escape="false"> to redisplay user-controlled data.
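
The public login form scenario from the answer, as an added Facelets example that is not part of the original answer. It assumes JSF 2.2 (where the `transient` attribute of `<f:view>` marks a view as stateless) and a hypothetical request scoped bean named `loginBean` with `username`, `password` and a `login` action.

```xml
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://xmlns.jcp.org/jsf/html"
      xmlns:f="http://xmlns.jcp.org/jsf/core">

<!-- transient="true": no view state is saved for this page, so visiting it
     does not by itself cost server memory or force a session, and an
     expired session cannot cause a ViewExpiredException on postback. -->
<f:view transient="true">
  <h:head>
    <title>Login</title>
  </h:head>
  <h:body>
    <!-- Static form, no conditionally ajax-rendered parts. The hypothetical
         loginBean is request scoped: a view scoped bean would need the
         saved view state that this page has switched off. -->
    <h:form id="login">
      <h:outputLabel for="username" value="Username" />
      <h:inputText id="username" value="#{loginBean.username}" required="true" />

      <h:outputLabel for="password" value="Password" />
      <h:inputSecret id="password" value="#{loginBean.password}" required="true" />

      <h:commandButton value="Log in" action="#{loginBean.login}" />
      <h:messages />
    </h:form>

    <!-- Safe: h:outputText escapes HTML by default, so a user-controlled
         value is rendered as text. -->
    <h:outputText value="#{param.notice}" />

    <!-- Unsafe on any page, and worse next to a stateless form (see the
         CSRF caveat above): escaping switched off for user-controlled data.
         <h:outputText value="#{param.notice}" escape="false" />
    -->
  </h:body>
</f:view>
</html>
```

The `notice` request parameter is a constructed sample of user-controlled data; forms that rely on conditionally ajax-rendered parts should keep the default stateful view instead.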
