Hello,
(note I'll use -- as a replacement for the equals character)
entering a URL
http://localhost:8080/bbstats/club-list.seam?season--2003
will show me the correct list of clubs for a single season using the following pages.xml entry:
<page view-id="/club-list.xhtml"> <param name="season" value="#{seasonHome.id}" converterId="javax.faces.Integer" /> </page>
As you can see I'm using an integer converter to convert the year string. When changing the URL manually to
http://localhost:8080/bbstats/club-list.seam?season--20xxx03
my app will show all clubs because that somehow kills the where clause of the EJBQL in EntityQuery:
Hibernate:
select club3_.id as id1487_, club3_.color_name as color5_1490_, club3_.name as name1490_, club3_.shorthand as shorthand1490_, club3_.website_url as website3_1490_ from Rosters roster0_ left outer join Seasons season1_ on roster0_.season_start_year=season1_.start_year left outer join Teams team2_ on roster0_.club_id=team2_.club_id and roster0_.ordinal_nbr=team2_.ordinal_nbr and roster0_.teamtype_code=team2_.teamtype_code left outer join Clubs club3_ on team2_.club_id=club3_.id left outer join Contacts club3_1_ on club3_.id=club3_1_.id group by club3_.id order by club3_.shorthand, club3_.name
As you can see, no where clause. I then found this in my logs:
22.10.2010 17:01:12 com.sun.faces.lifecycle.RenderResponsePhase execute INFO: WARNING: FacesMessage(s) have been enqueued, but may not have been displayed. sourceId=null[severity=(ERROR 2), summary=(j_id0: '20xxx03' must be a number consisting of one or more digits.), detail=(j_id0: '20xxx03' must be a number between -2147483648 and 2147483647 Example: 9346)]
I'd expect a failing converter to display an error and not to continue silently, resulting in a swallowed where clause which actually causes the used query to execute without restrictions, showing all DB entities.
How do I fix this? What's the best practice here?
Karsten
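One defensive pattern for the situation described above, as an added example that is not code from the original post: a fail-closed EntityQuery subclass that refuses to run when the season parameter is null instead of letting Seam drop the restriction. It assumes Seam 2 (EntityQuery, FacesMessages), a Club entity reachable via a Roster entity, and a pages.xml param bound to `#{clubList.season}` instead of `#{seasonHome.id}`; the EJBQL and restriction strings are illustrative, not the poster's.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import org.jboss.seam.annotations.Name;
import org.jboss.seam.faces.FacesMessages;
import org.jboss.seam.framework.EntityQuery;
import org.jboss.seam.international.StatusMessage.Severity;

/**
 * Club list for a single season. Hypothetical entity names (Club, Roster)
 * and EJBQL are assumptions for this example.
 *
 * Matching pages.xml entry (assumed):
 *   <page view-id="/club-list.xhtml">
 *     <param name="season" value="#{clubList.season}"
 *            converterId="javax.faces.Integer" />
 *   </page>
 */
@Name("clubList")
public class ClubList extends EntityQuery<Club> {

    private static final String EJBQL =
        "select distinct r.team.club from Roster r";

    // Seam silently omits any restriction whose EL value is null.
    private static final String[] RESTRICTIONS = {
        "r.season.startYear = #{clubList.season}"
    };

    // Set by the page parameter; stays null when the converter rejects the value.
    private Integer season;

    public ClubList() {
        setEjbql(EJBQL);
        setRestrictionExpressionStrings(Arrays.asList(RESTRICTIONS));
    }

    public Integer getSeason() { return season; }
    public void setSeason(Integer season) { this.season = season; }

    @Override
    public List<Club> getResultList() {
        // Fail closed: a missing or unconvertible season must not widen the query.
        if (season == null) {
            FacesMessages.instance().add(Severity.ERROR, "A valid season is required.");
            return Collections.emptyList();
        }
        return super.getResultList();
    }
}
```

The same check belongs on `getResultCount()` if the page displays a count, since it shares the restriction list.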
Use s:validateAll, then it should stop you continuing.