Yeah - Just saw that this morning. I'd like to see a way to implement this
for ALL pages, not requiring a custom tag. I believe this could be done
easily using the PreRenderViewEvent to add a hidden form field to store the
token in all outbound forms, then use a phase-listener after Restore_View,
comparing the request parameter to the restored component value. Very
similar to the <s:token> component, but as a global solution that could be
enabled/disabled via XML config.
Thoughts?
Lincoln
On Wed, Jun 9, 2010 at 10:49 AM, Dan Allen <dan.j.allen(a)gmail.com> wrote:
On Wed, Jun 9, 2010 at 7:25 AM, Stuart Douglas <stuart(a)baileyroberts.com.au> wrote:
>
> It looks like this only affects apps that use encrypted client side state
> saving?
>
Client-side state saving is extremely vulnerable to security hacks,
something Christian and I have discussed extensively. The problem is, with
client-side scripting, all the trust is on the client. You've got to have
something on the server (or some other trust provider) to cross reference
the request or else you are just asking for trouble.
That's a lot of what the s:token tag is about...which we will be reviewing
soon as we bring it into Seam 3.
http://seamframework.org/Community/NewComponentTagStokenAimedToGuardAgain...
http://seamframework.org/Documentation/CrossSiteRequestForgery
-Dan
--
Dan Allen
Senior Software Engineer, Red Hat | Author of Seam in Action
Registered Linux User #231597
http://mojavelinux.com
http://mojavelinux.com/seaminaction
http://www.google.com/profiles/dan.j.allen
_______________________________________________
seam-dev mailing list
seam-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/seam-dev
--
Lincoln Baxter, III
http://ocpsoft.com
http://scrumshark.com
"Keep it Simple"
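The global approach sketched above (a PreRenderViewEvent listener that drops a hidden token field into every form, plus a phase listener that checks it after Restore View), as an added example that is neither Lincoln's code nor Seam's s:token. Following Dan's point that the trust has to live on the server, it compares the posted value against a token kept in the HTTP session rather than against the restored component's value; the class name, FIELD_ID and SESSION_KEY are hypothetical, and the class is assumed to be registered in faces-config.xml both as a system-event-listener for javax.faces.event.PreRenderViewEvent and as a phase-listener.

```java
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import javax.faces.component.*;
import javax.faces.component.html.HtmlInputHidden;
import javax.faces.context.FacesContext;
import javax.faces.event.*;
public class CsrfTokenListener implements SystemEventListener, PhaseListener {
    static final String FIELD_ID = "csrfToken";      // hypothetical component id
    static final String SESSION_KEY = "csrf.token";  // hypothetical session attribute
    // Render side (PreRenderViewEvent): add the session token to every form in the view.
    public boolean isListenerForSource(Object source) { return source instanceof UIViewRoot; }
    public void processEvent(SystemEvent e) {
        FacesContext ctx = FacesContext.getCurrentInstance();
        addTokenFields(ctx.getViewRoot(), sessionToken(ctx));
    }
    private static void addTokenFields(UIComponent parent, String token) {
        for (UIComponent child : parent.getChildren()) {
            if (child instanceof UIForm && child.findComponent(FIELD_ID) == null) {
                HtmlInputHidden field = new HtmlInputHidden();
                field.setId(FIELD_ID); field.setValue(token);
                child.getChildren().add(field);
            }
            addTokenFields(child, token);  // forms may be nested inside panels etc.
        }
    }
    // Request side (after Restore View): every postback must carry the session token.
    public PhaseId getPhaseId() { return PhaseId.RESTORE_VIEW; }
    public void beforePhase(PhaseEvent e) { }
    public void afterPhase(PhaseEvent e) {
        FacesContext ctx = e.getFacesContext();
        if (!ctx.isPostback()) return;  // a plain GET render submits no form
        String expected = (String) ctx.getExternalContext().getSessionMap().get(SESSION_KEY);
        String submitted = null;        // arrives as "<formClientId>:csrfToken"
        for (Map.Entry<String, String> p : ctx.getExternalContext().getRequestParameterMap().entrySet())
            if (p.getKey().endsWith(FIELD_ID)) submitted = p.getValue();
        if (expected == null || submitted == null || !MessageDigest.isEqual(expected.getBytes(), submitted.getBytes())) {
            ctx.getExternalContext().setResponseStatus(403);  // reject before any action runs
            ctx.responseComplete();
        }
    }
    private static String sessionToken(FacesContext ctx) {
        Map<String, Object> session = ctx.getExternalContext().getSessionMap();
        String token = (String) session.get(SESSION_KEY);
        if (token == null)  // one unguessable per-session secret, kept server-side
            session.put(SESSION_KEY, token = new BigInteger(130, new SecureRandom()).toString(32));
        return token;
    }
}
```

Because the check runs in afterPhase of Restore View, a request with a missing or mismatched token is short-circuited before Apply Request Values, so no action method or value binding on the page ever sees it.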