Hey Kito -
On 10/26/10 3:48 PM, Kito Mann wrote:
> Perhaps I missed it earlier in the thread, but why?
Alexander raised some concerns here:
http://lists.jboss.org/pipermail/jsr-314-open-mirror/2010-October/000410....
In particular, this has me worried:
c) For a token encoded as a URL parameter, this proposal protects the whole
application, so no one can even get logged in to the protected site
because of circular dependencies: to open the login page, a visitor has to
have a secure token, which he can get only from the JSF login page...
There should be per-page security configuration.
I explained my concerns in more detail here:
http://lists.jboss.org/pipermail/jsr-314-open-mirror/2010-October/000499....
> And what would you propose?
I don't have a concrete proposal just yet, but I think we need to look
at enabling this at a finer level, e.g. per page or for a collection of
pages, perhaps identified by a prefix.
Andy
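
The circular dependency described in the message above, next to protection scoped by a path prefix, modeled as an added example (not code from this thread or from the JSF specification). The class, the session id, the page paths and the `/secure/` prefix are constructed for illustration.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;

// Constructed model, not JSF API: pages under a protected prefix demand the session's token.
public class TokenGateDemo {
    private final List<String> protectedPrefixes;   // "/" models whole-application protection
    private final Map<String, String> tokenBySession = new HashMap<>();
    private final SecureRandom rng = new SecureRandom();
    TokenGateDemo(String... prefixes) { protectedPrefixes = Arrays.asList(prefixes); }

    boolean isProtected(String path) {
        // Normalize first so the prefix test sees the same path the container resolves.
        String p = URI.create(path).normalize().getPath();
        return protectedPrefixes.stream().anyMatch(p::startsWith);
    }

    /** Returns the token the rendered page embeds in its URLs, or null if the request is refused. */
    String request(String session, String path, String presented) {
        String expected = tokenBySession.get(session);
        if (isProtected(path) && (expected == null || presented == null
                || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                          presented.getBytes(StandardCharsets.UTF_8)))) {
            return null;   // refused before anything renders, so no token is handed out
        }
        return tokenBySession.computeIfAbsent(session, s -> newToken());
    }
    private String newToken() {
        byte[] b = new byte[16];
        rng.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    public static void main(String[] args) {
        // Whole application protected: a new visitor cannot reach the one page that issues tokens.
        TokenGateDemo wholeApp = new TokenGateDemo("/");
        System.out.println("whole-app /login.xhtml reachable: "
                + (wholeApp.request("s1", "/login.xhtml", null) != null));
        // Protection scoped to a prefix: the login page renders and issues the token.
        TokenGateDemo scoped = new TokenGateDemo("/secure/");
        String token = scoped.request("s1", "/login.xhtml", null);
        System.out.println("scoped /login.xhtml reachable: " + (token != null));
        System.out.println("scoped /secure/account.xhtml with token: "
                + (scoped.request("s1", "/secure/account.xhtml", token) != null));
        System.out.println("scoped /secure/account.xhtml without token: "
                + (scoped.request("s1", "/secure/account.xhtml", null) != null));
    }
}
```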