[seam-dev] Fwd: JSF security issue

Lincoln Baxter, III lincolnbaxter at gmail.com
Wed Jun 9 11:41:18 EDT 2010


https://jira.jboss.org/browse/SEAMFACES-26

On Wed, Jun 9, 2010 at 11:11 AM, Lincoln Baxter, III <
lincolnbaxter at gmail.com> wrote:

> Next question - what is our Crypto library of choice?
>
>
> On Wed, Jun 9, 2010 at 11:09 AM, Dan Allen <dan.j.allen at gmail.com> wrote:
>
>> On Wed, Jun 9, 2010 at 11:06 AM, Lincoln Baxter, III <
>> lincolnbaxter at gmail.com> wrote:
>>
>>> Yeah - Just saw that this morning. I'd like to see a way to implement
>>> this for ALL pages, not requiring a custom tag. I believe this could be done
>>> easily using the PreRenderViewEvent to add a hidden form field to store the
>>> token in all outbound forms, then use a phase-listener after Restore_View,
>>> comparing the request parameter to the restored component value. Very
>>> similar to the <s:token> component, but as a global solution that could be
>>> enabled/disabled via XML config.
>>>
>>
>> Global solution is good. In fact, it's even more secure since it solves
>> the "doh, I forgot to add the tag" security hole ;)
>>
>> -Dan
>>
>> --
>> Dan Allen
>> Senior Software Engineer, Red Hat | Author of Seam in Action
>> Registered Linux User #231597
>>
>> http://mojavelinux.com
>> http://mojavelinux.com/seaminaction
>> http://www.google.com/profiles/dan.j.allen
>>
>
>
>
> --
> Lincoln Baxter, III
> http://ocpsoft.com
> http://scrumshark.com
> "Keep it Simple"
>



-- 
Lincoln Baxter, III
http://ocpsoft.com
http://scrumshark.com
"Keep it Simple"
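The global approach sketched in the quoted reply (a PreRenderViewEvent listener that drops a hidden token field into every outbound form, and a phase listener after Restore View that compares the request parameter against the value restored from view state) can be written against the plain JSF 2.0 API. The following is an added illustration, not code from the thread or from Seam Faces; the class name, the package, the component id `csrfToken` and the use of a hidden field named after the form's client id to detect the submitted form (what the standard HTML form renderer emits) are assumptions of this example.

```java
package example.csrf; // hypothetical package (assumption)

import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Iterator;
import java.util.Map;
import javax.faces.component.UIComponent;
import javax.faces.component.UIForm;
import javax.faces.component.UIViewRoot;
import javax.faces.component.html.HtmlInputHidden;
import javax.faces.context.FacesContext;
import javax.faces.event.AbortProcessingException;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;
import javax.faces.event.PreRenderViewEvent;
import javax.faces.event.SystemEvent;
import javax.faces.event.SystemEventListener;

// Registered twice in faces-config.xml (no custom tag needed on any page):
//   <application><system-event-listener>
//     <system-event-listener-class>example.csrf.CsrfTokenListener</system-event-listener-class>
//     <system-event-class>javax.faces.event.PreRenderViewEvent</system-event-class>
//   </system-event-listener></application>
//   <lifecycle><phase-listener>example.csrf.CsrfTokenListener</phase-listener></lifecycle>
public class CsrfTokenListener implements SystemEventListener, PhaseListener {

    static final String TOKEN_ID = "csrfToken"; // component id of the hidden field (assumed name)
    private static final SecureRandom RANDOM = new SecureRandom();

    // ---- render side: PreRenderViewEvent on the UIViewRoot ----

    public boolean isListenerForSource(Object source) {
        return source instanceof UIViewRoot;
    }

    public void processEvent(SystemEvent event) throws AbortProcessingException {
        if (!(event instanceof PreRenderViewEvent)) return;
        FacesContext ctx = FacesContext.getCurrentInstance();
        addTokenToForms(ctx, ctx.getViewRoot());
    }

    // Walk children and facets; give every UIForm one hidden token child.
    // A form restored from view state already carries its token, so it is left alone.
    private void addTokenToForms(FacesContext ctx, UIComponent parent) {
        Iterator<UIComponent> it = parent.getFacetsAndChildren();
        while (it.hasNext()) {
            UIComponent child = it.next();
            if (child instanceof UIForm && child.findComponent(TOKEN_ID) == null) {
                HtmlInputHidden token = (HtmlInputHidden) ctx.getApplication()
                        .createComponent(HtmlInputHidden.COMPONENT_TYPE);
                token.setId(TOKEN_ID);
                token.setValue(newToken()); // saved with the view state, restored on postback
                child.getChildren().add(token);
            }
            addTokenToForms(ctx, child);
        }
    }

    // ---- postback side: runs after RESTORE_VIEW, before any input is decoded ----

    public PhaseId getPhaseId() { return PhaseId.RESTORE_VIEW; }

    public void beforePhase(PhaseEvent event) { /* nothing to do before the view exists */ }

    public void afterPhase(PhaseEvent event) {
        FacesContext ctx = event.getFacesContext();
        if (!ctx.isPostback() || ctx.getViewRoot() == null) return;
        checkForms(ctx, ctx.getViewRoot(), ctx.getExternalContext().getRequestParameterMap());
    }

    private void checkForms(FacesContext ctx, UIComponent parent, Map<String, String> params) {
        Iterator<UIComponent> it = parent.getFacetsAndChildren();
        while (it.hasNext()) {
            UIComponent child = it.next();
            // The standard form renderer submits a hidden field named after the form's
            // client id, which identifies the form that was actually posted.
            if (child instanceof UIForm && params.containsKey(child.getClientId(ctx))) {
                UIComponent token = child.findComponent(TOKEN_ID);
                String expected = token == null ? null : String.valueOf(((HtmlInputHidden) token).getValue());
                String submitted = token == null ? null : params.get(token.getClientId(ctx));
                if (expected == null || submitted == null
                        || !MessageDigest.isEqual(expected.getBytes(), submitted.getBytes())) {
                    // Missing or mismatched token: refuse the postback before Apply Request Values.
                    ctx.getExternalContext().setResponseStatus(403);
                    ctx.responseComplete();
                    return;
                }
            }
            checkForms(ctx, child, params);
        }
    }

    // 128 bits from SecureRandom, hex encoded.
    private static String newToken() {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        StringBuilder sb = new StringBuilder(32);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

The check is only as strong as the restored component value: with server-side state saving the token never leaves the server, but with client-side state saving the view state must be encrypted and integrity-protected or a forged state could carry a token of the attacker's choosing, which is what the "crypto library of choice" question in the thread bears on. Comparing with `MessageDigest.isEqual` rather than `String.equals` avoids leaking the token through timing.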