Fwd: JSF security issue
by Shane Bryzak
Is this something that requires our attention?
-------- Original Message --------
Subject: JSF security issue
Date: Wed, 09 Jun 2010 06:52:04 -0400
From: Chris Bredesen <cbredesen(a)redhat.com>
To: jboss-support-jsf(a)redhat.com
Y'all see this yet?
-------- Original Message --------
Subject: FYI: JSF Known Issue
Date: Tue, 8 Jun 2010 11:35:41 -0400
From: Steve 'Ashcrow' Milner <smilner(a)redhat.com>
To: Chris Bredesen <cbredesen(a)redhat.com>
http://www.theregister.co.uk/2010/06/08/padding_oracle_attack_tool/
"The researchers tested the attack in JavaServer Faces implemented
into the Apache webserver, as well as Sun's Mojarra. They said many
other implementations are also likely to be vulnerable."
--
kthxbye!
Steve 'Ashcrow' Milner
Agent of Infosec
RHCE:
https://www.redhat.com/training/certification/verify/?certno=805009277242449
ITIL Foundation: c.721843
IRC: ashcrow
GnuPG ID: 28DFD4BE
"In the heat of conversation I may have said certain things I believe
to be untrue. The alleged lie that you might have heard me saying
allegedly moments ago ... that's a parasite that lives in my neck."
-- Tad Ghostal
14 years, 6 months
Stateless scope
by Stuart Douglas
I have been thinking about adding a stateless scope to weld extensions, that would allow for a similar construct to @Unwrap from seam 2. Basically if you have a Stateless producer method the producer will be called every time a method on the proxy is invoked.
The main downside that I can see is that beans that have a stateless scope no longer have a well defined lifecycle, so disposal methods etc will not be called, however as long as this is documented I don't think that this is much of a problem.
Does this sound like a good idea?
Stuart
14 years, 6 months
@User global qualifier
by Ken Finnigan
All,
In the Seam i18n module we have @UserTimeZone and @UserLocale to
distinguish between application and user TimeZone or Locale instances
that are produced.
Given the name of these qualifiers also includes the type, it has
become apparent that this is both wordy and unnecessary.
As such, what are everyone's thoughts on adding @User to Weld
Extensions that can then be utilised within all Seam modules for
similar purposes?
Regards
Ken
Sent from my iPhone
14 years, 6 months
Writing refguides for Seam 3 modules
by Pete Muir
All,
As we are aggregating the module reference guides into the main Seam reference guide, we need to be careful not to use overlapping ids. I suggest you namespace any ids you place in your guide with your module's "short name" (e.g. faces).
Pete
14 years, 6 months
Re: [seam-dev] Invalid field decorator
by Lincoln Baxter, III
Continuing on seam-dev:
It would technically be possible to alter the UIViewRoot during the
PreRenderViewEvent. But... explain to me again the benefit of doing this?
Not doubting you, just would like to know the end-value you are trying to
provide, since we already have UIInputContainer for building composite
components that can be used to decorate input fields.
--LB
On Thu, Jun 3, 2010 at 5:27 PM, Nicklas Karlsson <nickarls(a)gmail.com> wrote:
> (continuing from my brainstorming session with Lincoln on #seam-dev)
>
> Do you think it would be possible to have automatic invalid field
> decoration for the seam-faces module in the same style as
> Seam 2 had for s:decorate?
>
> you would place a
>
> <facet name="aroundInvalidField">
> html code with (perhaps) markers for the component and message
> </facet>
>
> on the page and then (in a phase listener?) check for components with
> messages and decorate them with the facet contents in the UIView somehow?
> Not sure how it fits the JSF lifecycle to go manipulate the tree at that
> point, though. But it would be handy to be able to do it without the
> s:decorate stuff.
>
> ---
> Nik
>
--
Lincoln Baxter, III
http://ocpsoft.com
http://scrumshark.com
"Keep it Simple"
14 years, 6 months
Seam3: Will injection become available within final methods?
by Michael Schütz
Hi to all,
in Seam2, using an injected member within a final method will cause an NPE at
runtime. The reason for that is that Seam2 uses cglib for dynamic proxying
and subclassing is not possible for final methods.
Example:
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;

@Name("simpleSeamComp")
public class SimpleSeamComponent {
    public String getName() {
        return "Sam";
    }
}

@Name("finalSeamComp")
public class FinalSeamComponent {
    @In(create = true)
    private SimpleSeamComponent simpleSeamComp;

    // causes NullPointerException
    public final String getHello() {
        return simpleSeamComp.getName();
    }
}
How will Seam3/CDI behave in that case?
Thanks and regards
Michael
14 years, 7 months
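The mechanism described in the post above, as an added example that is not part of the original message and is not Seam or cglib code: a hand-written subclass stands in for the generated proxy, and all class and method names (Greeter, Component, ComponentProxy, call) are assumptions made for the illustration.

```java
// Added illustration: hand-written stand-ins for a container-generated
// subclass proxy. None of these classes are Seam or cglib code.
public class FinalMethodProxyDemo {

    static class Greeter {
        String name() { return "Sam"; }
    }

    // The component as the application author writes it.
    static class Component {
        protected Greeter greeter;   // filled in by the proxy, not by a constructor

        public String hello() { return greeter.name(); }             // overridable
        public final String finalHello() { return greeter.name(); }  // not overridable
    }

    // What a subclass-based proxy effectively generates: each overridable
    // method is wrapped so the dependency is set before the real call.
    static class ComponentProxy extends Component {
        @Override
        public String hello() {
            greeter = new Greeter();   // stand-in for the injection step
            try {
                return super.hello();
            } finally {
                greeter = null;        // cleared again after the call
            }
        }
        // finalHello() cannot be overridden here (the compiler rejects it),
        // so a call goes straight to Component.finalHello() with greeter == null.
    }

    // Runs a method reference and reports a NullPointerException as text.
    static String call(java.util.function.Supplier<String> method) {
        try {
            return method.get();
        } catch (NullPointerException e) {
            return "NullPointerException";
        }
    }

    public static void main(String[] args) {
        Component c = new ComponentProxy();
        System.out.println("hello():      " + call(c::hello));
        System.out.println("finalHello(): " + call(c::finalHello));
    }
}
```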