[JBoss Seam] - sessionId cookie: man-in-the-middle attack
by fguerzoni
I noticed that the sessionId cookie sent to the client before authentication remains the same even after login has succeeded. This could lead to a man-in-the-middle attack because the pre-login sessionId could be easily sniffed.
So, it would be very nice if it were possible to do a session switch on the server side, forcing a pre-login session invalidation and a new session creation (request.getSession(true)) as soon as the client authenticates. Old session data should then be copied to the new session.
In this case a new sessionId cookie will be sent to the client: the client will use this ticket during its next requests.
This mechanism collides with the actual Seam implementation, where Lifecycle.endSession is called after a session.invalidate.
I think that Seam should automatically execute this task during the authentication phase.
regards
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4048883#4048883
18 years, 11 months
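The session switch proposed in the sessionId post above, sketched against the plain Servlet API as an added example (not code from the post or from Seam). `SessionRenewal` and `renewOnLogin` are hypothetical names, Servlet 3.0 or later is assumed, and the interaction with Seam's `Lifecycle.endSession` that the post mentions is not handled here.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper, not part of Seam: call it once credentials are verified. */
public final class SessionRenewal {

    private SessionRenewal() {}

    /**
     * Invalidates the pre-login session, creates a new one (so the container
     * sends a new session id cookie) and copies the old attributes across.
     */
    public static HttpSession renewOnLogin(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            // No pre-login session existed, so there is no old id to retire.
            return request.getSession(true);
        }

        // Snapshot first: attributes cannot be read after invalidate().
        Map<String, Object> carried = new HashMap<>();
        for (String name : Collections.list(old.getAttributeNames())) {
            carried.put(name, old.getAttribute(name));
        }
        String oldId = old.getId();

        old.invalidate(); // the id issued before login is no longer accepted
        HttpSession fresh = request.getSession(true);

        // Fail closed if the container handed back the same id.
        if (fresh.getId().equals(oldId)) {
            fresh.invalidate();
            throw new IllegalStateException("session id was not renewed at login");
        }
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

On Servlet 3.1 and later containers, `HttpServletRequest.changeSessionId()` rotates the id in place without the copy step. Note that `invalidate()` fires `valueUnbound` on any `HttpSessionBindingListener` attributes before they are copied.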
[JBoss Portal] - How to make user's pages visible to public
by javatwo
I have asked many questions in a short time. I am completely new to JBoss Portal. Please help me.
I created a portal called "MyPortal" and some pages (A, B, C, D) on the portal.
Then I created a user called "scott".
After logging in as scott, I copied pages A and B on MyPortal to the dashboard. In addition, I (scott) created a new page called "Articles".
How do I make scott's pages (A, B, Articles) visible to the public? I did not find access control for these pages.
If a user's pages are private (not public), and a portal is needed for a user, how do I assign the portal to a user? In other words, the user has manage permission on the portal, and others have view/personalize permission.
If a portal is needed for a user to show his pages to the public, how do I create a portal automatically when a user registers, and assign management permission on the portal to the user?
Thanks again for help.
Dave
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4048882#4048882
18 years, 11 months
[JBoss Portal] - window name UTF-8? menu does not stay
by javatwo
Hello, I am experiencing JBoss Portal. Seeing some issues:
1. When I use UTF-8 (for example, Chinese characters) as the window name for adding portlets, it does not show up correctly, like 产ååç±», which no one can recognize. But the page name is OK with UTF-8.
2. Sub pages show as a drop-down menu, but it is very difficult to handle. When the mouse moves from the page header tab to the sub menu, the whole sub menu disappears if it moves slowly. It stays on only when the mouse moves very fast. (IE browser)
3. When accessing the portal from IE with a Chinese locale, the page does not render in Chinese, but still in English. Where do I configure the locale?
Thanks,
Dave
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4048881#4048881
18 years, 11 months
[JBoss Portal] - 6 questions, should I use JBoss Portal?
by javatwo
I am using JSF/JBoss/Hibernate.
I have asked some questions and looked through this forum, but I am still not clear. Can JBoss Portal allow me to do the following:
1. Each user can create an account, and be able to create pages and create his own layout and themes. All of these need to be persisted, including portlet location on screen.
2. All users' pages are visible to the public. A user needs to log in only for editing and managing his accounts/pages.
3. Can I use my own user portlet, instead of the standard one? If I have a username/password, can I log in programmatically instead of displaying the web login form?
4. Can I have two databases, one for the portal, one for business data?
5. Are user accounts per portal or per whole portal container? Do I need to create a portal for each user so that the user has his own themes/layout? Is it scalable to have millions of portals, one for each user?
6. I am using ajax4jsf with MyFaces; can it work with JBoss Portal?
Thanks for guidance.
Dave
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4048874#4048874
18 years, 11 months