[jsr-314-open-mirror] [jsr-314-open] Issue #559: Support for the "Synchronizer Token" pattern (avoiding double submits)

Blake Sullivan blake.sullivan at oracle.com
Wed Jul 14 17:15:33 EDT 2010


We still need to make clear to application developers that it is their responsibility to make sure that safe HTTP requests (GET and HEAD) don't mutate the application unless the request requires its own authentication rather than relying on cookie-based authentication.

-- Blake Sullivan
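
For a servlet-based stack such as JSF, the pattern Kito's issue describes comes down to a filter like the one below, written here as an added example (not code from the issue, from Seam, or from the spec); the class, session-attribute and parameter names are assumptions. It makes Blake's point concrete: the check only runs for non-safe methods, so a GET or HEAD that changes state is exactly as forgeable as an unprotected POST.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: one random token per session (tokenFor), required on every non-safe request. */
public class SynchronizerTokenFilter implements Filter {
    static final String TOKEN_ATTR = "csrf.token";  // assumed session attribute name
    static final String TOKEN_PARAM = "csrfToken";  // assumed hidden-field / parameter name
    private final SecureRandom random = new SecureRandom();
    String tokenFor(HttpSession session) {
        synchronized (session) {  // generate once per session; forms embed it as a hidden field
            String token = (String) session.getAttribute(TOKEN_ATTR);
            if (token == null) {
                byte[] raw = new byte[32];
                random.nextBytes(raw);
                token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
                session.setAttribute(TOKEN_ATTR, token);
            }
            return token;
        }
    }
    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Safe methods are deliberately not checked: a forged GET carries the victim's cookies
        // just like a forged POST, so a GET that mutates state gets no protection from this filter.
        if ("GET".equals(request.getMethod()) || "HEAD".equals(request.getMethod())) {
            tokenFor(request.getSession(true));  // ensure a token exists for the page's forms
            chain.doFilter(req, res);
            return;
        }
        HttpSession session = request.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(TOKEN_ATTR);
        String submitted = request.getParameter(TOKEN_PARAM);
        // Constant-time comparison; a missing session or token is rejected, never auto-created.
        if (expected == null || submitted == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), submitted.getBytes(StandardCharsets.UTF_8))) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Missing or invalid synchronizer token");
            return;
        }
        chain.doFilter(req, res);
    }
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

The filter is mapped to the application's Faces servlet in web.xml; the rendered pages must then include the session token as a hidden field in every form that posts.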

On Jul 14, 2010, at 10:55 AM, Kito Mann wrote:

> Hello everyone,
> 
> I have updated issue #559 (Synchronizing token / CSRF issue; https://javaserverfaces-spec-public.dev.java.net/issues/show_bug.cgi?id=559) with some sample code for these two issues, and also referenced Dan's work with Seam. I think between these two solutions we can come up with something that works well with JSF 2.1. If you're interested in these issues or the back-button issue (which I'm not as familiar with), please add your comments to this issue so we can get this hashed out ASAP.
> ---
> Kito D. Mann | twitter: kito99 | Author, JSF in Action
> Virtua, Inc. | http://www.virtua.com | JSF/Java EE training and consulting
> http://www.JSFCentral.com - JavaServer Faces FAQ, news, and info | twitter: jsfcentral
> +1 203-404-4848 x3
> 
> Sign up for the JSFCentral newsletter: http://oi.vresp.com/?fid=ac048d0e17
> 
