I recall there was some analysis done on general vulnerabilities by the Red Hat security team - the main concern I remember wasn't XSRF but variants on XSS. Even then - the real concern was that there was/is dynamic code executed which comes from the client (could allow for elevated privileges). I think the general agreement at the time was that usage on more public networks with less trusted users was not going to be recommended anyway. 

But XSRF does seem more serious - if you can eliminate that class of attack then you are left with users who the system already trusts (has to - they are writing rules). 

On Fri, Mar 25, 2011 at 1:34 AM, Michael Anstis <michael.anstis@gmail.com> wrote:
So, realistically we can expect our users to notice the hiccup at some stage with 5.2.0 (or GWT2.1+ in reality).

Should we consider an emergency game-plan should a fix not be found prior to release? e.g. Remove XSRF protection short-term. It doesn't leave Guvnor any more exposed than we were pre-GWT2.1. I've posted to GWT's forums but had no response as yet.

Views anybody?

Cheers,

Mike

On 24 March 2011 14:26, Tihomir Surdilovic <tsurdilo@redhat.com> wrote:
On 3/23/11 4:34 PM, Michael Anstis wrote:
> Has anybody experienced this in "Web" mode?
Yes. When first reporting this I was running on JBoss AS 4.2.3.

Thanks.
_______________________________________________
rules-dev mailing list
rules-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-dev


--
Michael D Neale
home: www.michaelneale.net
blog: michaelneale.blogspot.com