[jboss-cvs] jboss-seam/doc/reference/en/modules ...

Gavin King gavin.king at jboss.com
Sat Jun 2 21:15:36 EDT 2007


  User: gavin   
  Date: 07/06/02 21:15:36

  Modified:    doc/reference/en/modules  security.xml
  Log:
  JBSEAM-1361
  
  Revision  Changes    Path
  1.63      +15 -2     jboss-seam/doc/reference/en/modules/security.xml
  
  (In the diff below, changes in quantity of whitespace are not shown.)
  
  Index: security.xml
  ===================================================================
  RCS file: /cvsroot/jboss/jboss-seam/doc/reference/en/modules/security.xml,v
  retrieving revision 1.62
  retrieving revision 1.63
  diff -u -b -r1.62 -r1.63
  --- security.xml	30 May 2007 00:54:41 -0000	1.62
  +++ security.xml	3 Jun 2007 01:15:36 -0000	1.63
  @@ -1141,7 +1141,7 @@
         link will use the HTTPS protocol because <literal>/login.xhtml</literal> is configured to use it:
       </para>
       
  -    <programlisting><![CDATA[  <s:link view="/login.xhtml" value="Login"/> ]]></programlisting>
  +    <programlisting><![CDATA[  <s:link view="/login.xhtml" value="Login"/>]]></programlisting>
       
       <para>
         Browsing directly to a view when using the <emphasis>incorrect</emphasis> protocol will cause a 
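Review bot: this hunk only drops the trailing space before `]]>` inside the CDATA section and has nothing to do with JBSEAM-1361; mixing it (and the matching cleanup of the `<page view-id="*" scheme="http">` listing further down) into the same commit as the new session-invalidation paragraph makes the substantive change harder to pick out of the history. Suggest keeping whitespace-only cleanups in their own commit, or at least mentioning them in the log message so the diff is not read as a behavioural change.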
  @@ -1151,6 +1151,19 @@
       </para>
       
       <para>
  +      <emphasis>By default</emphasis>, Seam will invalidate the current HTTP session each time the scheme
  +      changes. You can disable this behavior in <literal>components.xml</literal>:
  +    </para>
  +    
  +    <programlisting><![CDATA[  <core:pages invalidate-session-before-scheme-change="false"/>]]></programlisting>
  +    
  +    <para>
  +      But if you choose to disable this session invalidation, your system will be more vulnerable to
  +      sniffing of the session id or leakage of sensitive data from pages using HTTPS to other pages
  +      using HTTP.
  +    </para>
  +    
  +    <para>
         It is also possible to configure a default <literal>scheme</literal> for all pages.  This is actually
         quite important, as you might only wish to use HTTPS for a few pages, and if no default scheme is
         specified then the default behavior is to continue using the current scheme.  What this means is that
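Review bot: the new paragraph asserts that disabling invalidation leaves the system "more vulnerable to sniffing of the session id" but never says why, and the why is what a reader needs to weigh the trade-off. Suggest adding one sentence along the lines of: a session id that was issued and transmitted over plain HTTP may already have been observed on the network, so keeping that same session across the switch to HTTPS means the HTTPS pages are protected by an identifier that has travelled in the clear, and any session-scoped data set up on HTTPS pages remains reachable under that id once the user returns to HTTP. Two smaller points: the text says "By default" but never states the default value, so spell out that `invalidate-session-before-scheme-change` defaults to `true`; and it should say what keeping the default costs (all session-scoped state is discarded at every scheme change), because that cost is the only reason a developer would set the attribute to `false`. Style: open the second paragraph with "If you disable this session invalidation, ..." rather than "But if you choose to disable ...".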
  @@ -1159,7 +1172,7 @@
         <literal>scheme</literal>, by configuring it on the default (<literal>"*"</literal>) view:
       </para>
       
  -    <programlisting><![CDATA[  <page view-id="*" scheme="http"> ]]></programlisting>
  +    <programlisting><![CDATA[  <page view-id="*" scheme="http">]]></programlisting>
       
       <para>
         Of course, if <emphasis>none</emphasis> of the pages in your application use HTTPS then it is not 
  
  
  


