Adding a security audit to the Seam QA (release) process
by Pete Muir
Hi Marc,
Something that we've been discussing is the idea of creating a security
audit checklist that will cover Seam and the ways it interacts with
the outside world; initially, we want to focus on JSF, Seam Remoting
(Ajax) and Servlet but we will also consider adding in WS including
JAX-RS, Wicket, GWT and perhaps others, though these are what I can
think of. This checklist would then be added to the Seam QA process
(which is run through at release time).
We were wondering if you would be able to work with us on this? My
suggestion is that, as you (I hope ;-) have a good understanding of
the general approaches that could be used to exploit Seam, you would
work with us both on an initial list of areas to focus on, and then
help us develop the checklist.
Let us know :)
Pete
15 years, 10 months
Form, Input Elements and SeamText
by Nick Belaevski
Christian,
I've asked Pete a few questions about SeamText and he said I should ask you
about one...
Exploring SeamText 2.1.0.beta1 ANTLR grammar we've discovered that
form/input elements are legal to use, so it is valid to write:
<form action="http://somesite.com"><input type="file" /><input type="submit"
/></form>
I suppose it is not safe that the user is able to type in forms. What do
you think about it?
Best regards,
Nick Belaevski
15 years, 10 months
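The concern in Nick's message is that a text format meant for user content accepts form controls, so a poster can emit a form whose action points at a site of their choosing. An added example (not SeamText's ANTLR grammar and not Seam code) of the kind of allowlist check a wiki-text or comment feature can run before storing or rendering user markup: it parses the fragment with Python's html.parser, reports every element outside a small set of formatting tags, every attribute not explicitly allowed for that tag, and every link whose scheme is not http(s). The tag and attribute allowlists are assumptions chosen for the example; the sample inputs are constructed, with the first one being the form from the message above.

```python
# Added example (not Seam or SeamText code): an allowlist audit for user-supplied markup.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Formatting elements a wiki-style text format typically needs (assumed set).
# Form controls (form, input, button, select, textarea) are deliberately absent,
# as are script and iframe: none of them belong in reader-supplied text.
ALLOWED_TAGS = {"p", "b", "i", "u", "em", "strong", "tt", "q", "del", "a", "ul",
                "ol", "li", "h1", "h2", "h3", "h4", "pre", "blockquote", "br"}

# Per-tag attribute allowlist; any attribute not listed here (onclick, style, ...)
# is reported. Tags without an entry accept no attributes at all.
ALLOWED_ATTRS = {"a": {"href"}}

ALLOWED_SCHEMES = {"http", "https"}


def _safe_link(value):
    """Relative links (no scheme) are fine; absolute links must be http(s)."""
    scheme = urlparse(value or "").scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class MarkupAuditor(HTMLParser):
    """Collects policy violations instead of rendering anything."""

    def __init__(self):
        super().__init__()
        self.violations = []

    # HTMLParser routes self-closing tags such as <input type="file" /> through
    # handle_startendtag, whose default implementation calls this hook too.
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.violations.append(f"disallowed element <{tag}>")
            return
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.violations.append(f"disallowed attribute {name} on <{tag}>")
            elif name == "href" and not _safe_link(value):
                self.violations.append(f"disallowed link target {value!r}")


def audit_markup(text):
    """Return the list of violations for a markup fragment; empty means it passes."""
    auditor = MarkupAuditor()
    auditor.feed(text)
    auditor.close()
    return auditor.violations


if __name__ == "__main__":
    # Constructed sample inputs: the form from the message above and a harmless snippet.
    form_text = ('<form action="http://somesite.com"><input type="file" />'
                 '<input type="submit" /></form>')
    ok_text = '<p>Some <b>bold</b> text and a <a href="/wiki/Home">link</a></p>'
    for sample in (form_text, ok_text):
        print(sample, "->", audit_markup(sample) or "ok")
```

The auditor reports rather than strips, so the caller can reject the submission with a message that names the offending element; stripping silently tends to leave surprising output and hides the fact that someone tried.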
Seam 2.1.1.CR1 release testing status
by Jay Balunas
Jozef and I have been focused on 2.1.1.CR1 release testing, and so far
it has gone smoothly and there have been no blockers found. This is
the first release that we have used the selenium based functional
tests. This made most of the example testing very simple, and has
firmed our belief that we need to get full coverage asap!!
Remaining testing prior to release:
* Windows spot check
* Portal Bridge integration
* Advanced seam-gen testing - need some guidance from Dan
These should be completed by mid-morning EST.
Testing Results:
Testing has been done on a mixture of OS X and Linux using JDK5 and
JDK6, as covered in release-process.txt. A couple of small
issues have been found plus the known performance issues scheduled for
Seam 2.1.1.CR2 ( JBSEAM-3712 ). JIRAs have not yet been entered for
minor issues as they are being looked into further and should be in
tomorrow morning.
itext example
- has duplicate menu item "swing component"
- has what looks like debug stdout logging
ui example - unable to select country in the main form. It is unclear
when or how this becomes activated. This may not be new, but simply
confusing on how and when this is activated.
seambay - categories do not load when adding new item on jboss
embedded - other configurations function correctly.
gwt - On Linux with JDK5 the example would not run - no exception but
getting 404. On OS X with JDK6 the example functioned correctly
Seam-gen - there are errors being displayed when the tests are
running in seam-gen generated projects however tests pass.
JBDS-generated ear project has to be worked around to run correctly -
jboss-seam.jar line has to be removed from MANIFEST file. This is a
known issue with JBoss Tools.
Excel - What is the "Repeat and inline value" supposed to create -
this should be explained better. Also the output is not a very useful
excel table. See attached repeat.xsl.
Progress bar - On OS X with JDK 6 progress bar showed 1% the action
complete. Tried with both Safari, and Firefox
16 years, 1 month
Jbpm
by Shane Bryzak
Has anyone made any changes to our Jbpm integration of late? Both the
dvdstore and numberguess examples are throwing this exception upon deploy:
Caused by: java.lang.RuntimeException: Error loading element Jbpm with
component name null and component class null
at
org.jboss.seam.init.Initialization.installComponentsFromXmlElements(Initialization.java:351)
at
org.jboss.seam.init.Initialization.initComponentsFromXmlDocument(Initialization.java:226)
... 92 more
16 years, 1 month
JBSEAM-3748
by Shane Bryzak
This is an interesting issue - I've been a long time SLF4J fan myself
however if I recall correctly there was some controversy over its
adoption in Hibernate. If it truly offers some performance improvements
then we should consider using it. Does anyone have any opinions one way
or another about this?
https://jira.jboss.org/jira/browse/JBSEAM-3748
16 years, 2 months
Trunk status?
by Daniel Roth
Hi all,
I might have missed it somewhere but just to be clear: Is the trunk open for
new commits?
// Daniel
--
Daniel Roth
M.Sc. Computer Science
daniel(a)danielroth.se
www.danielroth.se
+46 736 36 29 46
16 years, 2 months
Re: Re: [seam-dev] Can someone please take a look a this
by lincolnbaxter@gmail.com
Yes that's a good point, and you can still do a redirect after the POST if
that's important in your design. From another perspective, also, posting
back to the pretty URL allows you to remember the context for which your
form is being posted. So instead of having to explicitly re-code the URL
parameters into the form data, you can re-parse these values and provide a
consistent context. This also prevents having to keep extra data stored in
session, when request scope is actually desired.
On Nov 22, 2008 10:48pm, Gavin King <gavin(a)hibernate.org> wrote:
> Thanks for the note, Lincoln.
>
> But the purpose of the redirect is not just to have a pretty URL ...
> it's to make sure the browser refresh button performs a GET instead of
> rePOSTing the form. Right?
>
> On Sat, Nov 22, 2008 at 10:37 AM, Lincoln Baxter, III
> wrote:
>
> > Hi Guys,
> >
> > I'm the author of the PrettyFaces extension. I just thought I would provide
> > some explanation.
> >
> > Currently, if you wish to create bookmarkable URLs in Seam, when you submit
> > a form with validation that fails, the form URL will display the JSF view ID
> > (eg. /faces/store/buy.jsf), at this point Seam will have to send a redirect
> > to the browser to redirect them back to the proper URL (eg. /store/buy).
> > This is alright, but it causes wasted bandwidth, increased client wait time,
> > and extra CPU usage. On a high-load system, this can matter a lot.
> >
> > My solution simply replaces the JSF view ID in the HTTP <form> tag with the
> > mapped page URL. This saves a redirect on validation, and also when you wish
> > to redisplay the same page. (it also provides some other nice features, but
> > those aren't really important in what's different between it and Seam)
> >
> > My source is available here and is licensed under the GPL3. Most of what I
> > think you'd be interested in will be in the PrettyViewHandler class, which
> > is ... simple. Have at it.
> >
> > http://ocpsoft.com/prettyfaces
> >
> > Let me know if you have any questions.
> >
> > Thanks,
> > Lincoln
> >
> > ---------------------------------------------------------------------------------------------------------------------
> >
> > There is a URL rewrite filter that was introduced in Seam 2.1 to
> > accomplish roughly the same thing, which was implemented by Norman.
> > Taking a hint from JAX-RS, it's possible to define a pretty URL for a
> > view ID in the page descriptor that transposes path info into request
> > parameters.
> >
> > Example 1:
> >
> > <page view-id="/search.xhtml">
> > <rewrite pattern="/search/{searchPattern}"/>
> > <rewrite pattern="/search"/>
> > <param name="searchPattern" value="#{searchService.searchPattern}"/>
> > </page>
> >
> > Example 2:
> >
> > <page view-id="/entry.xhtml">
> > <rewrite pattern="/entry/{blogEntryId}" />
> > <rewrite pattern="/entry" />
> > <param name="blogEntryId" value="#{blogEntry.id}"/>
> > <action execute="#{entryAction.loadBlogEntry(blogEntry.id)}"/>
> > </page>
> >
> > So if anything, we likely want to look at what discrepancies remain
> > between the rewrite filter can do and what this guy is proposing.
> >
> > Norman?
> >
> > -Dan
> >
> > On Thu, Nov 13, 2008 at 3:07 PM, Gavin King wrote:
> >> http://ocpsoft.com/uncategorized/jsf-get-bookmarkable-and-pretty-urls/
> >>
> >> Not sure what exactly they are doing, but perhaps we should steal
> >> code? Not sure...
> >>
> >> --
> >> Gavin King
> >> gavin.king at gmail.com
> >> http://in.relation.to/Bloggers/Gavin
> >> http://hibernate.org
> >> http://seamframework.org
> >> _______________________________________________
> >> seam-dev mailing list
> >> seam-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/seam-dev
> >>
> >
> > --
> > Dan Allen
> > Software consultant | Author of Seam in Action
> > http://mojavelinux.com
> > http://mojavelinux.com/seaminaction
> >
> > NOTE: While I make a strong effort to keep up with my email on a daily
> > basis, personal or other work matters can sometimes keep me away
> > from my email. If you contact me, but don't hear back for more than a week,
> > it is very likely that I am excessively backlogged or the message was
> > caught in the spam filters. Please don't hesitate to resend a message if
> > you feel that it did not reach my attention.
>
> --
> Gavin King
> gavin.king(a)gmail.com
> http://in.relation.to/Bloggers/Gavin
> http://hibernate.org
> http://seamframework.org
16 years, 2 months
Re: [seam-dev] Can someone please take a look a this
by Lincoln Baxter, III
Hi Guys,
I'm the author of the PrettyFaces extension. I just thought I would
provide some explanation.
Currently, if you wish to create bookmarkable URLs in Seam, when you
submit a form with validation that fails, the form URL will display the
JSF view ID (eg. /faces/store/buy.jsf), at this point Seam will have to
send a redirect to the browser to redirect them back to the proper URL
(eg. /store/buy). This is alright, but it causes wasted bandwidth,
increased client wait time, and extra CPU usage. On a high-load system,
this can matter a lot.
My solution simply replaces the JSF view ID in the HTTP <form> tag with
the mapped page URL. This saves a redirect on validation, and also when
you wish to redisplay the same page. (it also provides some other nice
features, but those aren't really important in what's different between
it and Seam)
My source is available here and is licensed under the GPL3. Most of what
I think you'd be interested in will be in the PrettyViewHandler class,
which is ... simple. Have at it.
http://ocpsoft.com/prettyfaces
Let me know if you have any questions.
Thanks,
Lincoln
---------------------------------------------------------------------------------------------------------------------
There is a URL rewrite filter that was introduced in Seam 2.1 to
accomplish roughly the same thing, which was implemented by Norman.
Taking a hint from JAX-RS, it's possible to define a pretty URL for a
view ID in the page descriptor that transposes path info into request
parameters.
Example 1:
<page view-id="/search.xhtml">
<rewrite pattern="/search/{searchPattern}"/>
<rewrite pattern="/search"/>
<param name="searchPattern" value="#{searchService.searchPattern}"/>
</page>
Example 2:
<page view-id="/entry.xhtml">
<rewrite pattern="/entry/{blogEntryId}" />
<rewrite pattern="/entry" />
<param name="blogEntryId" value="#{blogEntry.id}"/>
<action execute="#{entryAction.loadBlogEntry(blogEntry.id)}"/>
</page>
So if anything, we likely want to look at what discrepancies remain
between the rewrite filter can do and what this guy is proposing.
Norman?
-Dan
On Thu, Nov 13, 2008 at 3:07 PM, Gavin King <gavin at hibernate.org> wrote:
> http://ocpsoft.com/uncategorized/jsf-get-bookmarkable-and-pretty-urls/
>
> Not sure what exactly they are doing, but perhaps we should steal
> code? Not sure...
>
> --
> Gavin King
> gavin.king at gmail.com
> http://in.relation.to/Bloggers/Gavin
> http://hibernate.org
> http://seamframework.org
> _______________________________________________
> seam-dev mailing list
> seam-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/seam-dev
>
--
Dan Allen
Software consultant | Author of Seam in Action
http://mojavelinux.com
http://mojavelinux.com/seaminaction
NOTE: While I make a strong effort to keep up with my email on a daily
basis, personal or other work matters can sometimes keep me away
from my email. If you contact me, but don't hear back for more than a week,
it is very likely that I am excessively backlogged or the message was
caught in the spam filters. Please don't hesitate to resend a message if
you feel that it did not reach my attention.
16 years, 2 months
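Dan's two pages.xml fragments describe a mapping in both directions: an incoming pretty URL such as /entry/42 is matched against the rewrite patterns of a view and the placeholder is handed to the page as a request parameter, and an outbound link for a view ID is built from the first pattern whose placeholders can all be filled, falling back to the placeholder-free form. An added example (not Seam's rewrite filter, whose real matching rules may differ) modelling that behaviour in Python, with the two examples from the thread as constructed configuration; the function names resolve and pretty_url, and the rule that a placeholder matches exactly one path segment, are assumptions made for the example.

```python
# Added example (not Seam code): a minimal model of <rewrite pattern="..."/> mappings
# that transpose path info into request parameters and back.
import re
from urllib.parse import quote, unquote

# Constructed configuration mirroring Example 1 and Example 2 above:
# view ID -> rewrite patterns in declaration order.
PAGES = {
    "/search.xhtml": ["/search/{searchPattern}", "/search"],
    "/entry.xhtml": ["/entry/{blogEntryId}", "/entry"],
}

_PLACEHOLDER = re.compile(r"\{(\w+)\}")


def _compile(pattern):
    """Turn '/entry/{blogEntryId}' into an anchored regex.

    A placeholder matches exactly one path segment ([^/]+), so a value cannot
    smuggle extra segments into the view's path.
    """
    parts = re.split(r"(\{\w+\})", pattern)
    regex = "".join(
        f"(?P<{p[1:-1]}>[^/]+)" if p.startswith("{") else re.escape(p)
        for p in parts
    )
    return re.compile(f"^{regex}$")


def resolve(path):
    """Inbound: return (view_id, params) for a request path, or None if nothing matches.

    Patterns are tried in declaration order and the first match wins. The captured
    values are decoded but otherwise untrusted, exactly like ordinary request
    parameters; the page action (e.g. loadBlogEntry) still has to validate them.
    """
    for view_id, patterns in PAGES.items():
        for pattern in patterns:
            match = _compile(pattern).match(path)
            if match:
                return view_id, {k: unquote(v) for k, v in match.groupdict().items()}
    return None


def pretty_url(view_id, params):
    """Outbound: build the pretty URL for a view from its parameters.

    The first pattern whose placeholders are all supplied is used, so Example 1
    yields '/search/<term>' when a term is set and plain '/search' otherwise.
    Values are percent-encoded with '/' included, matching the one-segment rule.
    """
    for pattern in PAGES[view_id]:
        names = _PLACEHOLDER.findall(pattern)
        if all(params.get(n) not in (None, "") for n in names):
            return _PLACEHOLDER.sub(
                lambda m: quote(str(params[m.group(1)]), safe=""), pattern)
    raise ValueError(f"no rewrite pattern for {view_id} fits {params}")


if __name__ == "__main__":
    for path in ("/search/seam%20security", "/entry/42", "/entry", "/entry/a/b", "/admin"):
        print(path, "->", resolve(path))
    print(pretty_url("/entry.xhtml", {"blogEntryId": 42}))
    print(pretty_url("/search.xhtml", {"searchPattern": "a/b"}))
    print(pretty_url("/search.xhtml", {}))
```

The point of anchoring the regex and restricting a placeholder to one segment is that the rewritten path and the view ID stay in a one-to-one relationship; without it, a request for /entry/42/../other could resolve to a view the pattern author never intended.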
Seam release testing complete
by Jay Balunas
All release testing has been completed, and no blockers or major
issues found! JIRAs for the minor issues found are being
investigated and entered.
The final release steps can begin - I believe Norman will be working
that.
Thanks,
Jay and Jozef
16 years, 2 months