On Wed, Jun 9, 2010 at 11:11 AM, Lincoln Baxter, III <lincolnbaxter(a)gmail.com> wrote:
Next question - what is our Crypto library of choice?
On Wed, Jun 9, 2010 at 11:09 AM, Dan Allen <dan.j.allen(a)gmail.com> wrote:
> On Wed, Jun 9, 2010 at 11:06 AM, Lincoln Baxter, III <lincolnbaxter(a)gmail.com> wrote:
>
>> Yeah - Just saw that this morning. I'd like to see a way to implement
>> this for ALL pages, not requiring a custom tag. I believe this could be done
>> easily using the PreRenderViewEvent to add a hidden form field to store the
>> token in all outbound forms, then use a phase-listener after Restore_View,
>> comparing the request parameter to the restored component value. Very
>> similar to the <s:token> component, but as a global solution that could be
>> enabled/disabled via XML config.
>>
>
> Global solution is good. In fact, it's even more secure since it solves
> the "doh, I forgot to add the tag" security hole ;)
>
> -Dan
>
> --
> Dan Allen
> Senior Software Engineer, Red Hat | Author of Seam in Action
> Registered Linux User #231597
>
> http://mojavelinux.com
> http://mojavelinux.com/seaminaction
> http://www.google.com/profiles/dan.j.allen

--
Lincoln Baxter, III
http://ocpsoft.com
http://scrumshark.com
"Keep it Simple"
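
A sketch of the global token check proposed in the quoted message, added here as an example and not code from the thread or from Seam. The class name `CsrfTokenGuard` and the field id `csrfToken` are hypothetical, and it makes three assumptions: the token is compared against a copy held in the session rather than the restored component value, the naming-container separator is the default `:`, and the token comes from the JDK's `SecureRandom` rather than a separate crypto library.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.faces.FacesException;
import javax.faces.component.*;
import javax.faces.component.html.HtmlInputHidden;
import javax.faces.context.FacesContext;
import javax.faces.event.*;

// Hypothetical guard: register in faces-config.xml as a phase listener and as a
// system-event listener for PreRenderViewEvent.
public class CsrfTokenGuard implements PhaseListener, SystemEventListener {
    private static final String FIELD = "csrfToken"; // assumed field id and session key
    public boolean isListenerForSource(Object src) { return src instanceof UIViewRoot; }

    // Outbound: before each render, add the session token to every form as a hidden field.
    public void processEvent(SystemEvent e) {
        Map<String, Object> session = FacesContext.getCurrentInstance().getExternalContext().getSessionMap();
        if (session.get(FIELD) == null) {
            byte[] b = new byte[32];               // 256 random bits per session
            new SecureRandom().nextBytes(b);
            session.put(FIELD, Base64.getUrlEncoder().withoutPadding().encodeToString(b));
        }
        addField((UIComponent) e.getSource(), (String) session.get(FIELD));
    }
    private void addField(UIComponent c, String token) {
        if (c instanceof UIForm && c.findComponent(FIELD) == null) { // skip forms restored with the field
            HtmlInputHidden hidden = new HtmlInputHidden();
            hidden.setId(FIELD);
            hidden.setValue(token);
            c.getChildren().add(hidden);
        }
        for (Iterator<UIComponent> it = c.getFacetsAndChildren(); it.hasNext();) addField(it.next(), token);
    }

    // Inbound: after Restore View, reject any postback whose token does not match the session's.
    public PhaseId getPhaseId() { return PhaseId.RESTORE_VIEW; }
    public void beforePhase(PhaseEvent e) { }
    public void afterPhase(PhaseEvent e) {
        FacesContext ctx = e.getFacesContext();
        if (!ctx.isPostback()) return;
        String expected = (String) ctx.getExternalContext().getSessionMap().get(FIELD), sent = null;
        for (Map.Entry<String, String> p : ctx.getExternalContext().getRequestParameterMap().entrySet())
            if (p.getKey().equals(FIELD) || p.getKey().endsWith(":" + FIELD)) sent = p.getValue();
        boolean ok = expected != null && sent != null && MessageDigest.isEqual( // constant-time compare
            expected.getBytes(StandardCharsets.UTF_8), sent.getBytes(StandardCharsets.UTF_8));
        if (ok) return;
        try { ctx.getExternalContext().responseSendError(403, "Invalid CSRF token"); } catch (IOException ex) { throw new FacesException(ex); }
        ctx.responseComplete();                    // stop the lifecycle before any action runs
    }
}
```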