[seam-dev] Fwd: JSF security issue

Dan Allen dan.j.allen at gmail.com
Wed Jun 9 10:49:33 EDT 2010


On Wed, Jun 9, 2010 at 7:25 AM, Stuart Douglas
<stuart at baileyroberts.com.au> wrote:

>
> It looks like this only affects apps that use encrypted client side state
> saving?
>

Client-side state saving is extremely vulnerable to security hacks,
something Christian and I have discussed extensively. The problem is, with
client-side scripting, all the trust is on the client. You've got to have
something on the server (or some other trust provider) to cross reference
the request or else you are just asking for trouble.

That's a lot of what the s:token tag is about...which we will be reviewing
soon as we bring it into Seam 3.

http://seamframework.org/Community/NewComponentTagStokenAimedToGuardAgainstCSRF
http://seamframework.org/Documentation/CrossSiteRequestForgery

-Dan

-- 
Dan Allen
Senior Software Engineer, Red Hat | Author of Seam in Action
Registered Linux User #231597

http://mojavelinux.com
http://mojavelinux.com/seaminaction
http://www.google.com/profiles/dan.j.allen
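The point made above (all trust sits on the client unless the server keeps something to cross-reference the request against) as an added example, not code from this thread or from Seam/JSF: a Python sketch of a client-side state blob protected by a server-keyed HMAC (used here in place of encryption for brevity), where the function names, the per-session nonce and the sample state are assumptions. Without the server-side reference the server accepts any blob it ever minted, in any session; with it, a blob presented outside the session it was minted for is rejected.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Assumption: a secret that lives only on the server; the client never sees it.
SERVER_KEY = secrets.token_bytes(32)
TAG_LEN = 32  # SHA-256 digest length


def encode_state(state: dict, session_nonce: Optional[str] = None) -> str:
    """Mint a client-side state blob: JSON body + HMAC tag, base64-encoded.

    With session_nonce the blob also carries a server-side reference that the
    server can cross-check when the blob comes back.
    """
    payload = dict(state)
    if session_nonce is not None:
        payload["_nonce"] = session_nonce
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def decode_state(blob: str, session_nonce: Optional[str] = None):
    """Return the state dict, or None if the blob must be rejected."""
    raw = base64.urlsafe_b64decode(blob)
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered: the server never minted this
    payload = json.loads(body)
    if session_nonce is not None and payload.pop("_nonce", None) != session_nonce:
        return None  # authentic, but minted for a different session
    return payload


def compare_modes() -> dict:
    """Constructed scenario: a blob minted in session A is presented in session B."""
    state = {"view": "/checkout.xhtml", "step": 2}  # constructed sample state
    loose = encode_state(state)              # trust lives only in the blob itself
    bound = encode_state(state, "nonce-A")   # blob cross-referenced to session A
    raw = bytearray(base64.urlsafe_b64decode(loose))
    raw[0] ^= 0x01                           # flip one bit in the body
    tampered = base64.urlsafe_b64encode(bytes(raw)).decode()
    return {
        "loose_accepted_in_B": decode_state(loose) is not None,
        "bound_accepted_in_A": decode_state(bound, "nonce-A") == state,
        "bound_accepted_in_B": decode_state(bound, "nonce-B") is not None,
        "tampered_rejected": decode_state(tampered) is None,
    }
```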

