Yeah - Just saw that this morning. I'd like to see a way to implement this for ALL pages, not requiring a custom tag. I believe this could be done easily using the PreRenderViewEvent to add a hidden form field to store the token in all outbound forms, then use a phase-listener after Restore_View, comparing the request parameter to the restored component value. Very similar to the <s:token> component, but as a global solution that could be enabled/disabled via XML config.<br>
<br>Thoughts?<br>Lincoln<br><br><div class="gmail_quote">On Wed, Jun 9, 2010 at 10:49 AM, Dan Allen <span dir="ltr"><<a href="mailto:dan.j.allen@gmail.com">dan.j.allen@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div class="gmail_quote"><div class="im">On Wed, Jun 9, 2010 at 7:25 AM, Stuart Douglas <span dir="ltr"><<a href="mailto:stuart@baileyroberts.com.au" target="_blank">stuart@baileyroberts.com.au</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div style="word-wrap: break-word;"><div><br></div><div>It looks like this only affects apps that use encrypted client side state saving? </div></div></blockquote><div><br></div></div><div>Client-side state saving is extremely vulnerable to security hacks, something Christian and I have discussed extensively. The problem is, with client-side scripting, all the trust is on the client. You've got to have something on the server (or some other trust provider) to cross reference the request or else you are just asking for trouble.</div>
<div><br></div><div>That's a lot of what the s:token tag is about...which we will be reviewing soon as we bring it into Seam 3.</div><div><br></div><div><a href="http://seamframework.org/Community/NewComponentTagStokenAimedToGuardAgainstCSRF" target="_blank">http://seamframework.org/Community/NewComponentTagStokenAimedToGuardAgainstCSRF</a></div>
<div><a href="http://seamframework.org/Documentation/CrossSiteRequestForgery" target="_blank">http://seamframework.org/Documentation/CrossSiteRequestForgery</a></div><div><br></div><div>-Dan</div><div><br></div></div><font color="#888888">-- <br>
Dan Allen<br>
Senior Software Engineer, Red Hat | Author of Seam in Action<br>Registered Linux User #231597<br><br><a href="http://mojavelinux.com" target="_blank">http://mojavelinux.com</a><br><a href="http://mojavelinux.com/seaminaction" target="_blank">http://mojavelinux.com/seaminaction</a><br>
<a href="http://www.google.com/profiles/dan.j.allen" target="_blank">http://www.google.com/profiles/dan.j.allen</a><br>
</font><br>_______________________________________________<br>
seam-dev mailing list<br>
<a href="mailto:seam-dev@lists.jboss.org">seam-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/seam-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/seam-dev</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>Lincoln Baxter, III<br><a href="http://ocpsoft.com">http://ocpsoft.com</a><br><a href="http://scrumshark.com">http://scrumshark.com</a><br>"Keep it Simple"<br>
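<div>Added example, not code from Lincoln, Dan, Seam or any JSF implementation: the two pieces sketched in the message above, a <code>PreRenderViewEvent</code> listener that stamps a hidden token into every <code>UIForm</code> so the token is saved with the view state, and a <code>PhaseListener</code> that runs after <code>RESTORE_VIEW</code> and compares the posted parameter with the restored component value. The class names, the hidden field id <code>csrfToken</code>, the package and the <code>example.csrf.ENABLED</code> context-param are assumptions; everything else is the standard JSF 2.0 API.</div><br>

```java
// Added illustration of the "global token" idea above; not Seam, Mojarra or MyFaces code.
// Three classes shown in one block; each public class goes in its own file of this package.
package example.csrf; // hypothetical package

import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Iterator;
import java.util.Map;
import javax.faces.FacesException;
import javax.faces.component.UIComponent;
import javax.faces.component.UIForm;
import javax.faces.component.UIViewRoot;
import javax.faces.component.html.HtmlInputHidden;
import javax.faces.context.FacesContext;
import javax.faces.event.*;

/** Shared helpers: hidden field id, on/off switch, token source, constant-time compare. */
final class CsrfSupport {
    static final String FIELD_ID = "csrfToken";                 // assumed id of the hidden input
    static final String ENABLED_PARAM = "example.csrf.ENABLED"; // assumed web.xml context-param
    private static final SecureRandom RANDOM = new SecureRandom();

    static boolean enabled(FacesContext ctx) {               // on unless the param says "false"
        String v = ctx.getExternalContext().getInitParameter(ENABLED_PARAM);
        return v == null || Boolean.parseBoolean(v);
    }

    static String newToken() {                               // 128 random bits, hex encoded
        byte[] raw = new byte[16];
        RANDOM.nextBytes(raw);
        StringBuilder sb = new StringBuilder(32);
        for (byte b : raw) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    static boolean tokensMatch(Object expected, String posted) {
        if (expected == null || posted == null) return false;
        return MessageDigest.isEqual(expected.toString().getBytes(), posted.getBytes());
    }
}

/** faces-config.xml: <application><system-event-listener> with
 *  <system-event-class>javax.faces.event.PreRenderViewEvent</system-event-class>.
 *  Puts a fresh token into every UIForm before rendering; it is then saved in the view state. */
public class CsrfTokenRenderListener implements SystemEventListener {
    public boolean isListenerForSource(Object source) { return source instanceof UIViewRoot; }

    public void processEvent(SystemEvent event) throws AbortProcessingException {
        if (CsrfSupport.enabled(FacesContext.getCurrentInstance())) stamp((UIViewRoot) event.getSource());
    }

    private void stamp(UIComponent c) {
        if (c instanceof UIForm) {                           // UIForm is a NamingContainer, so
            HtmlInputHidden h = (HtmlInputHidden) c.findComponent(CsrfSupport.FIELD_ID); // search is local
            if (h == null) { h = new HtmlInputHidden(); h.setId(CsrfSupport.FIELD_ID); c.getChildren().add(h); }
            h.setValue(CsrfSupport.newToken());              // rotate on every render
            h.setSubmittedValue(null);                       // never re-render a posted value
        }
        for (Iterator<UIComponent> it = c.getFacetsAndChildren(); it.hasNext();) stamp(it.next());
    }
}

/** faces-config.xml: <lifecycle><phase-listener>example.csrf.CsrfTokenPhaseListener</phase-listener>.
 *  After RESTORE_VIEW the tree (and the token saved with it) is back, but request values have not
 *  been applied yet, so h.getValue() is still the server-side copy to check the posted one against. */
public class CsrfTokenPhaseListener implements PhaseListener {
    private static final long serialVersionUID = 1L;

    public PhaseId getPhaseId() { return PhaseId.RESTORE_VIEW; }
    public void beforePhase(PhaseEvent event) { }

    public void afterPhase(PhaseEvent event) {
        FacesContext ctx = event.getFacesContext();
        UIViewRoot root = ctx.getViewRoot();
        if (!ctx.isPostback() || root == null || !CsrfSupport.enabled(ctx)) return;
        if (!verify(ctx, root, ctx.getExternalContext().getRequestParameterMap())) {
            try { ctx.getExternalContext().responseSendError(403, "CSRF token missing or invalid"); }
            catch (java.io.IOException e) { throw new FacesException(e); }
            ctx.responseComplete();                          // stop the lifecycle for this request
        }
    }

    /** A form counts as submitted when its client id is a request parameter (what UIForm.decode checks). */
    private boolean verify(FacesContext ctx, UIComponent c, Map<String, String> params) {
        if (c instanceof UIForm && params.containsKey(c.getClientId(ctx))) {
            HtmlInputHidden h = (HtmlInputHidden) c.findComponent(CsrfSupport.FIELD_ID);
            if (h == null) return false;                     // fail closed: token was never rendered
            if (!CsrfSupport.tokensMatch(h.getValue(), params.get(h.getClientId(ctx)))) return false;
        }
        for (Iterator<UIComponent> it = c.getFacetsAndChildren(); it.hasNext();)
            if (!verify(ctx, it.next(), params)) return false;
        return true;
    }
}
```

<div>Two things to keep in mind when wiring this up. First, the check is only as strong as the view state it reads the expected token from: with server-side state saving the restored value never leaves the server, but with client-side state saving the client supplies both the state and the parameter, so the comparison is worth nothing unless that state is integrity-protected, which is exactly the point Dan makes above. Second, the hidden input is added programmatically, so with partial state saving (the JSF 2.0 default, switchable with the <code>javax.faces.PARTIAL_STATE_SAVING</code> context-param) verify that your implementation actually restores it on postback; the listener fails closed with a 403 if the restored form has no token, which is the safe default but will show up immediately if the component is not being saved.</div><br>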