Added simple test case configured to run in Tomcat 6

The problem appears to boil down to resource URLs and the addition of the jsessionid as a path parameter. In a normal URL, the jsessionid is added to the end of the path but before the parameters:

http://host:port/path1/path2/file1.ext;jsessionid=xxx?param1=val1&param2=val2

When cookies are disabled, session state is maintained by having the jsessionid added to the URL. However, it's important that each URL that has anything to do with the session is properly encoded to include the jsessionid. This is done by processing each URL through the method:

ExternalContext.encodeResourceURL(originalURL);

We did this in several places previously to ensure that we could work without cookies. For the InputRichText, there are a few spots where this is still problematic:

1) The InputRichText component adds the required FCKEditor JS libraries to the head which results in the following URLs:

<script src="/appContext/block/resource/LTc4NTk0MDYzMQ==/" type="text/javascript"></script>

Since these URLs contain block/resource, they are processed by the SessionVerifier which makes a call to ensure the session is valid before serving up the resource. So without the jsessionid, it fails. The generated URLs can be fixed by altering the DOMResponseWriter so that all resources output to the <head> include the jsessionid.

<script src="/appContext/block/resource/LTc4NTk0MDYzMQ==/;jsessionid=6B0264F79334D0ADA43A2A791326886C" type="text/javascript"></script>

2) Now that the required libraries load, the next problem is that the script that registers and creates a new instance of FCKEditor uses a URL to do so:

new Ice.FCKeditor('j_id11:j_id14', 'en', '', '/appContext/block/resource/LTQ5MTYyMDg1Mw==/','100%', '200', 'Default', 'null', 'default');

Same problem as #1. Since it's a block/resource URL, it needs the jsessionid or the SessionVerifier will reject it. Again, it's a relatively easy fix, this time in the InputRichTextRenderer:

new Ice.FCKeditor('j_id11:j_id14', 'en', '', '/appContext/block/resource/LTQ5MTYyMDg1Mw==/;jsessionid=6B0264F79334D0ADA43A2A791326886C','100%', '200', 'Default', 'null', 'default');

3) The creation of a new FCKeditor uses this URL to construct a slightly different URL that points the content of the iframe that houses the editor. This is done in fckeditor.js:

/appContext/block/resource/LTQ5MTYyMDg1Mw==/editor/fckeditor.html?InstanceName=j_id11%3Aj_id14&Toolbar=Default

unfortunately, by virtue of the way this is built, if the jsessionid is included, the result looks like this:

/appContext/block/resource/LTQ5MTYyMDg1Mw==/;jsessionid=4F5E6E84022C2322085CF22B12C74497editor/fckeditor.html?InstanceName=j_id11%3Aj_id14&Toolbar=Default

So the jsessionid is located incorrectly. It should look like this:

/appContext/block/resource/LTQ5MTYyMDg1Mw==/editor/fckeditor.html;jsessionid=4F5E6E84022C2322085CF22B12C74497?InstanceName=j_id11%3Aj_id14&Toolbar=Default

4) Editing the fckeditor.js code to move the jsessionid allows it to create the iframe with the starting content, but every other FCK resource that is then loaded into the iframe, then suffers from the original problem - a resource URL without a jsessionid. For example:

http://host:port/appContext/block/resource/LTQ5MTYyMDg1Mw==/editor/js/fckeditorcode_gecko.js

inputRichText verified working with attached test case.

A new ServeStaticResource dispatcher has been added that will serve any resources found under

com/icesoft/faces/resources/ice-static/

Serving arbitrary files from a resource path could be a security risk in general, however, these files must be deliberately added to the ice-static directory, hence the risk is slightly less than recursively adding resources through an API.

File upload has not been investigated.

Note that testing this modification in component-showcase is difficult because ice:inputRichText dynamically adds script resources to the <head> resulting in a reload directive to the bridge. The URL used in the reload does not contain the ;jsessionid parameter and the application context is lost (since the reload results in a new session).

All test run on tomcat6 withFF3.6, IE8 & Opera10.6
Icefaces Trunk revision#22314
Browser cookies disabled:

Notable failures:

File upload:
ICE-2009 Fails on FF & Opera( cannot upload files)
inputfile Fails on FF & Opera( cannot upload files)

Component-showcase fileupload: FF does not work reliably, sometimes http status 500 displayed on browser. Works fine on IE browser.

Firefox failures with inputFile cannot be reproduced independently.