[jboss-cvs] jboss-seam/doc/reference/en/modules ...
Gavin King
gavin.king at jboss.com
Sat Jun 2 21:15:36 EDT 2007
User: gavin
Date: 07/06/02 21:15:36
Modified: doc/reference/en/modules security.xml
Log:
JBSEAM-1361
Revision Changes Path
1.63 +15 -2 jboss-seam/doc/reference/en/modules/security.xml
(In the diff below, changes in quantity of whitespace are not shown.)
Index: security.xml
===================================================================
RCS file: /cvsroot/jboss/jboss-seam/doc/reference/en/modules/security.xml,v
retrieving revision 1.62
retrieving revision 1.63
diff -u -b -r1.62 -r1.63
--- security.xml 30 May 2007 00:54:41 -0000 1.62
+++ security.xml 3 Jun 2007 01:15:36 -0000 1.63
@@ -1141,7 +1141,7 @@
link will use the HTTPS protocol because <literal>/login.xhtml</literal> is configured to use it:
</para>
- <programlisting><![CDATA[ <s:link view="/login.xhtml" value="Login"/> ]]></programlisting>
+ <programlisting><![CDATA[ <s:link view="/login.xhtml" value="Login"/>]]></programlisting>
<para>
Browsing directly to a view when using the <emphasis>incorrect</emphasis> protocol will cause a
@@ -1151,6 +1151,19 @@
</para>
<para>
+ <emphasis>By default</emphasis>, Seam will invalidate the current HTTP session each time the scheme
+ changes. You can disable this behavior in <literal>components.xml</literal>:
+ </para>
+
+ <programlisting><![CDATA[ <core:pages invalidate-session-before-scheme-change="false"/>]]></programlisting>
+
+ <para>
+ But if you choose to disable this session invalidation, your system will be more vulnerable to
+ sniffing of the session id or leakage of sensitive data from pages using HTTPS to other pages
+ using HTTP.
+ </para>
+
+ <para>
It is also possible to configure a default <literal>scheme</literal> for all pages. This is actually
quite important, as you might only wish to use HTTPS for a few pages, and if no default scheme is
specified then the default behavior is to continue using the current scheme. What this means is that
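Review bot: the new paragraph names the risk (sniffing of the session id, leakage from HTTPS pages to HTTP pages) but not why invalidating the session on a scheme change mitigates it, so a reader cannot judge when setting the attribute to false is acceptable; consider one added sentence after "sniffing of the session id or leakage of sensitive data": a session id issued while the user was browsing over HTTP may already have been observed in cleartext, so Seam discards it instead of carrying it into the HTTPS part of the application, and on the switch back to HTTP it drops the state established under HTTPS before that id is sent unencrypted again. The `<core:pages>` listing only shows the disabled form; since the prose says "By default", state the default explicitly next to it (the attribute `invalidate-session-before-scheme-change` defaults to `true`, so omitting it from `components.xml` keeps invalidation on). Minor style point: "But if you choose to disable this session invalidation" opens a paragraph with a conjunction; "If you disable this session invalidation, your system will be more vulnerable to ..." reads cleaner.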
@@ -1159,7 +1172,7 @@
<literal>scheme</literal>, by configuring it on the default (<literal>"*"</literal>) view:
</para>
- <programlisting><![CDATA[ <page view-id="*" scheme="http"> ]]></programlisting>
+ <programlisting><![CDATA[ <page view-id="*" scheme="http">]]></programlisting>
<para>
Of course, if <emphasis>none</emphasis> of the pages in your application use HTTPS then it is not