August 3rd, 2016 by Team

Rewrite 3.4.0.Final Release Announcement

We are pleased to announce the latest version of the Rewrite Servlet Toolkit, and PrettyFaces libraries. It’s been quite a while since our last release, but we promise you this new version has been worth the wait.

Release notes:

You might notice we skipped a few version numbers, which we’ve done for several reasons:

  • This is a major update, so we incremented from major version 2 to version 3.
  • The deprecated (original) prettyfaces-jsf library, which is now several years obsolete was versioned 3.3.3, and has been confusing new users for some time. We are now resolving this issue by skipping directly to Rewrite version 3.4.0.Final.

This release includes several major new features as well as a plethora of bug-fixes, including:

  • Support for JDK6 has been dropped, JDK7 is the new minimum requirement
  • Improved compatibility with JDK8 for the annotation scanning
  • Major performance improvements in the logging subsystem
  • Major performance improvements with the URLBuilder
  • Fixed some concurrency issues which occurred in high load scenarios
  • Many improvements for the LocaleTransposition feature
  • Support conditional parameters with JSF’s <f:param>
  • Fault tolerant percent decoding for path and query parameters
  • Simpler condition trees when binding query parameters using annotations, results in better faster evaluation performance
  • Fixes handling of context path for applications deployed to the root context
  • Improved error reporting. Exception stack traces now display the rule that errored and the location where that rule was defined (including file and line number)
  • Strict RuleBuilder ordering and structure enforcement

Thank you for continuing to support us, provide valuable feedback, and use our technologies.

And of course, please get involved in the project at
February 24th, 2015 by Matyas Danter

SEO-friendly AngularJS with HTML5 pushState(), Rewrite, and twelve lines of code


While migrating an e-commerce application ( from Grails and Tomcat to an AngularJS, Java EE (JAX-RS), and JBoss WildFly stack, I had to make sure that the new platform has feature parity in all areas that are valuable to our business. Search Engine Optimization (SEO) is crucial for us because we primarily market our business on-line. In short, we need search engine optimized URLs, and deep linking; this article will show you how to implement both.

January 16th, 2015 by Lincoln Baxter III

Simple Java EE (JSF) Login Page with JBoss PicketLink Security

Several years ago I wrote a tutorial about using Acegi/Spring Security with JavaServer Faces (JSF) to create a simple authentication / Login page; however, times have changed and Java EE is back in action. I would no longer consider Spring a “requirement” when building a Java EE application. More specifically, if you are using the core Contexts and Dependency Injection (CDI) framework that serves as the backbone for the entire Java EE framework, Spring Security becomes less attractive (because it’s not compatible without using Spring itself, and Spring is a replacement for CDI).

This article will explore how to create a JSF login backed by the standards-compliant CDI framework (that is included with Java EE), and the PicketLink security framework (an open-source project from JBoss). Examples for this article were sourced from the very comprehensive, and quite understandable quick-start application from the PicketLink project itself.

October 3rd, 2013 by Lincoln Baxter III

Create a dynamic Logout URL without a Servlet or JSP, using Rewrite

The code below implements a simple command mapping that binds logout functionality to a URL. To use this example, you must include the following [[Rewrite]] dependency in your project:


Once your project is set up to include Rewrite, just paste the following code into your application source folder.

public class LogoutConfiguration extends HttpConfigurationProvider

   public Configuration getConfiguration(ServletContext context)
      return ConfigurationBuilder.begin()
               .perform(new HttpOperation() {
                  public void performHttp(HttpServletRewrite event, EvaluationContext context)
               }.and(Redirect.temporary(context.getContextPath() + "/")));

   public int priority()
      return Integer.MIN_VALUE;
October 2nd, 2013 by lastcow

Help! RewriteFilter won’t start – Why? Look to web.xml DOCTYPE for answers.

I was developing JSF 2.2.1 web application using [[Rewrite]] for URL cleanup and navigation. It was simple to get started building an application using Rewrite on JBoss WildFly Beta 4 server. I installed the dependencies, starting using the appropriate configuration and components. All I wanted to do was map a few simple pages, and create links to them in the html – Rewrite was perfect for this.

Everything was working fine in the application except page mappings didn’t seem to work (I had to access pages via their direct URL,) and the <pretty:link> always rendered a link to the homepage.

I stopped by the #ocpsoft channel on IRC, and Lincoln helped me solved this ‘strange’ issue (and invited me to write a quick post about it.) Now of course you must be wondering what was wrong – It was because the doctype declaration of my web.xml was both invalid, and also specifying an out-of-date servlet version.

This is the original web.xml DOCTYPE declaration generated by Intellij IDEA:

<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "">

As it turns out, this caused Wildfly to use an older version of Servlet support, which meant that I needed to either register Rewrite in the application manually, by adding the RewriteFilter configuration to my web.xml file, or simply update the web.xml file to use the more recent (and correct) document type (which is by far the simpler solution!)

<?xml version="1.0" encoding="UTF-8"?>

<web-app version="3.0" xmlns=""

Now everything works fine, the old declaration deactivated servlet 3.0, which actually prevented Rewrite to start up (Rewrite bundles a web-fragment.xml file which requires Servlet 3.0 in order to support automatic activation.)

Thanks again to Lincoln, saved my life. 😉

~Lastcow (zhijiang)

September 30th, 2013 by Lincoln Baxter III

Rewrite 2.0.8.Final Released – Fixes critical parameterization bug

Bug Fixes

If you experienced problems with rule parameterization in Rewrite 2.0.7.Final, then sorry about that, and this release of [[Rewrite]] is for you:

Erroneous failures such as the following exception should be fixed by this release:

org.ocpsoft.rewrite.exception.ParameterizationException: The value of required parameter [s] was null.
	at org.ocpsoft.rewrite.param.RegexParameterizedPatternBuilder.extractBoundValues(
	at org.ocpsoft.rewrite.servlet.config.Forward.performHttp(
	at org.ocpsoft.rewrite.servlet.config.HttpOperation.perform(
	at org.ocpsoft.rewrite.servlet.config.rule.Join.perform(

New Features

August 22nd, 2012 by Lincoln Baxter III

[video] Enhance developer productivity, usability, and security

Java EE is already the perfect solution for complex business/enterprise systems and provides all the tools and foundations required to deliver scalable, performant applications for a wide variety of customers and clients.

But how does the end user experience stack up? How easy is it to navigate through your Website? Is your code full of nasty navigation logic? Are your links clear, transparent, and informative? Do you find yourself adding ‘?query=parameters’ in order to serve dynamic content from your application? Can you ensure that you are not leaking information in your URLs, and that your applications are secure from URL-based attacks? Are your old links making it difficult to migrate or integrate a legacy application to a new one?

These are all things that URL rewriting can help with, and if you are uncertain about any of these questions, this talk is for you. Watch this session from JAXConf 2012 and see what’s possible with the power of URL-rewriting.

For more information on the [[Rewrite]] project, visit the project homepage at [[Rewrite | OCPsoft]], and be sure to check out all of the other cool Java open-source projects while you’re here.
March 29th, 2012 by Lincoln Baxter III

Is your web application secure? HTTP attacks are real, and dangerous

According to a recent research paper by the Aspect Security Group, entitled The Unfortunate Reality of Insecure Libraries, “Eighty percent of the code in today’s applications comes from libraries and frameworks, but the risk of vulnerabilities in these components is widely ignored and under appreciated. A vulnerable library can allow an attacker to exploit the full privilege of the application, including accessing any data, executing transactions, stealing files, and communicating with the Internet. Organizations literally trust their business to the libraries they use.” When validating user input from forms and exposed services, we often ignore the URL or think to ourselves, “that information is validated later, it’ll be fine,” but when hacks like the following start turning up – in common web-frameworks – it’s time to start thinking seriously about URL validation. Fortunately, it’s easy to accomplish using a number of methods, but first, let’s look at how these attacks work.