[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-4007) Provide an <s:token> UI component to secure JSF forms against cross-site request forgery (XSRF)
by Dan Allen (JIRA)
Provide an <s:token> UI component to secure JSF forms against cross-site request forgery (XSRF)
-----------------------------------------------------------------------------------------------
Key: JBSEAM-4007
URL: https://jira.jboss.org/jira/browse/JBSEAM-4007
Project: Seam
Issue Type: Feature Request
Components: JSF Controls
Affects Versions: 2.1.1.GA
Reporter: Dan Allen
Fix For: 2.1.2.GA
Introduce the UI component tag <s:token> to secure JSF form posts against cross-site request forgery (XSRF) attacks. Please note that if the solution below is implemented in JSF 2, then Seam does not need to provide a custom solution and this issue can be closed. However, we still need to implement something equivalent for Seam Remoting.
The problem today is that when using client-side state saving, a form POST can be crafted (forged) to submit into a JSF application from an external site (cross-site). The serialized view is simply passed in the javax.faces.ViewState parameter. JSF will blindly recreate the view and process the request.
Server-side state saving is equally insecure since all the forged POST has to do is provide the identifier of the view state on the server in the javax.faces.ViewState parameter. Actually, this is only a problem since JSF generates sequential identifiers per session in the form j_id + # of views in session.
Server-side state saving becomes event more problematic in JSF 2.0 since Facelets' "build during restore" feature is enabled by default. In this case, the javax.faces.ViewState parameter isn't even required since JSF will recreate the view before processing the request.
The <s:token> UI component will perform two steps. First, it will assign a unique identifier to the browser using a cookie that lives until the end of the browser session. This is roughly the browser's private key. The <s:token> tag is used inside of an <h:form> and generates a hidden form field named javax.faces.FormSignature. The form signature is calculated as follows:
sha1( signature = viewId + "," + formClientId, salt = clientUid )
The developer can also choose to incorporate the session id into this hash for a more secure token (at the cost of binding it to the session)
sha1( signature = viewId + "," + formClientId + "," + sessionId, salt = clientUid )
When the form is submitted, the hash is recreated and compared against the value of the javax.faces.FormSignature parameter.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
14 years, 11 months
[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-4014) cannot configure max age of remember me cookie
by Dan Allen (JIRA)
cannot configure max age of remember me cookie
----------------------------------------------
Key: JBSEAM-4014
URL: https://jira.jboss.org/jira/browse/JBSEAM-4014
Project: Seam
Issue Type: Bug
Components: Security
Affects Versions: 2.1.1.GA
Reporter: Dan Allen
Fix For: 2.1.2.CR1
The configuration for the max age of the remember me cookie got totally messed up. First, the definition of the rememberMe element is missing from security-2.1.xsd. Second, the cookieMaxAge is no longer reachable through the configuration of the rememberMe component. Finally, there is a completely bogus definition of the facesSecurityEvents element, which claims to have a cookie-max-age attribute, when it has no corresponding property.
To fix this, there needs to be a cookieMaxAge property on the rememberMe component and the security-2.1.xsd file needs to be updated.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
14 years, 11 months