July 2009 - seam-issues - Jboss List Archives

[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-4007) Provide an <s:token> UI component to secure JSF forms against cross-site request forgery (XSRF)

by Dan Allen (JIRA)

Provide an <s:token> UI component to secure JSF forms against cross-site request forgery (XSRF) ----------------------------------------------------------------------------------------------- Key: JBSEAM-4007 URL: https://jira.jboss.org/jira/browse/JBSEAM-4007 Project: Seam Issue Type: Feature Request Components: JSF Controls Affects Versions: 2.1.1.GA Reporter: Dan Allen Fix For: 2.1.2.GA Introduce the UI component tag <s:token> to secure JSF form posts against cross-site request forgery (XSRF) attacks. Please note that if the solution below is implemented in JSF 2, then Seam does not need to provide a custom solution and this issue can be closed. However, we still need to implement something equivalent for Seam Remoting. The problem today is that when using client-side state saving, a form POST can be crafted (forged) to submit into a JSF application from an external site (cross-site). The serialized view is simply passed in the javax.faces.ViewState parameter. JSF will blindly recreate the view and process the request. Server-side state saving is equally insecure since all the forged POST has to do is provide the identifier of the view state on the server in the javax.faces.ViewState parameter. Actually, this is only a problem since JSF generates sequential identifiers per session in the form j_id + # of views in session. Server-side state saving becomes event more problematic in JSF 2.0 since Facelets' "build during restore" feature is enabled by default. In this case, the javax.faces.ViewState parameter isn't even required since JSF will recreate the view before processing the request. The <s:token> UI component will perform two steps. First, it will assign a unique identifier to the browser using a cookie that lives until the end of the browser session. This is roughly the browser's private key. The <s:token> tag is used inside of an <h:form> and generates a hidden form field named javax.faces.FormSignature. The form signature is calculated as follows: sha1( signature = viewId + "," + formClientId, salt = clientUid ) The developer can also choose to incorporate the session id into this hash for a more secure token (at the cost of binding it to the session) sha1( signature = viewId + "," + formClientId + "," + sessionId, salt = clientUid ) When the form is submitted, the hash is recreated and compared against the value of the javax.faces.FormSignature parameter. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

14 years, 11 months

2
4
0 / 0

[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-4066) captureCurrentView on redirect should capture all request parameters

by Dan Allen (JIRA)

captureCurrentView on redirect should capture all request parameters -------------------------------------------------------------------- Key: JBSEAM-4066 URL: https://jira.jboss.org/jira/browse/JBSEAM-4066 Project: Seam Issue Type: Bug Affects Versions: 2.1.1.GA Reporter: Dan Allen Assignee: Dan Allen Fix For: 2.2.0.CR1 Attachments: JBSEAM-4066-trunk-v1.txt When the captureCurrentRequest() method was deprecated and replaced by captureCurrentView(), the behavior changed such that page parameters were being saved instead of request parameters. I'm fine with the idea of preserving page parameters based on how they were bound to the model on the way into the page, but I also think that arbitrary request parameters need to be captured. Otherwise, the redirect back to the current view will in many cases be incomplete and thus fail. The logic I propose is to capture the request parameters and then override the values with the values from the page parameters (giving page parameters the precedence). However, long term, we should also consider the fact that multi-value parameters are not being preserved. Likely they should be captured as well, but there is a lack of infrastructure to support them. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

14 years, 11 months

3
4
0 / 0

[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-4065) Dynamic Web Project with Seam in Eclipse defaults to old version rather than newer version

by Jeff Wexler (JIRA)

Dynamic Web Project with Seam in Eclipse defaults to old version rather than newer version ------------------------------------------------------------------------------------------ Key: JBSEAM-4065 URL: https://jira.jboss.org/jira/browse/JBSEAM-4065 Project: Seam Issue Type: Bug Components: Tools Affects Versions: 2.1.1.GA Environment: Windows 2003 server, 4GB memory, eclipse-jee-ganymede-SR2-win32.zip, JBossTools-ALL-win32-3.0.0.GA-R200903141626-H5.zip, PostgreSQL 8.3.7 JDBC Driver 8.3-604.jdbc4 Reporter: Jeff Wexler Priority: Minor Created a new project with configuration of Dynamic Web Project with Seam 2.1 (technology preview). Then select New project again to create another seam project. Configuration defaults to Dynamic Web Project with Seam 1.2 rather than 2.0 or 2.1. I would assume that the default should be to either the previously selected one (2.1) or to one of the later versions (2.0 or 2.1). -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

14 years, 11 months

3
3
0 / 0

[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-4052) correct the meaning of debug mode

by Dan Allen (JIRA)

correct the meaning of debug mode --------------------------------- Key: JBSEAM-4052 URL: https://jira.jboss.org/jira/browse/JBSEAM-4052 Project: Seam Issue Type: Feature Request Components: Core Affects Versions: 2.1.1.GA Reporter: Dan Allen Assignee: Dan Allen Fix For: 2.1.2.CR1 It's not entirely clear what debug mode means in Seam. On the one hand, it activates the hot deploy filter. On the other hand, it activates the Seam debug page. The reality is, these should be different settings. There may be other uses of debug mode as well and these should be clearly defined and cataloged in the documentation. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

14 years, 11 months

2
2
0 / 0

[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-3987) Integrate RESTEasy with Seam Application fwk for easy CRUD

by Christian Bauer (JIRA)

Integrate RESTEasy with Seam Application fwk for easy CRUD ---------------------------------------------------------- Key: JBSEAM-3987 URL: https://jira.jboss.org/jira/browse/JBSEAM-3987 Project: Seam Issue Type: Feature Request Components: WS Reporter: Christian Bauer Assignee: Jozef Hartinger Similar to what RoR is offering: Allow developers to declaratively map entities for CRUD through RESTful GET/POST/DELETE/PUT requests with customizable resource URI generation strategy. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

14 years, 11 months

3
5
0 / 0

[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-3907) Exclude build directories in generated IntelliJ IDEA project

by Pawel Wrzeszcz (JIRA)

Exclude build directories in generated IntelliJ IDEA project ------------------------------------------------------------ Key: JBSEAM-3907 URL: https://jira.jboss.org/jira/browse/JBSEAM-3907 Project: Seam Issue Type: Patch Components: Tools Affects Versions: 2.1.1.GA Reporter: Pawel Wrzeszcz Assignee: Dan Allen Priority: Minor Directories 'dist' and 'exploded-archives' should be marked as excluded in the IntelliJ IDEA module file created by seam-gen. I realize this is minor, but saves a couple of clicks and prevents IDEA from 1) reloading a whole project during the build and 2) detecting facets in the build directories. Really short path attached. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

14 years, 11 months

3
4
0 / 0

[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-3933) Sibling inner class wicket component injection conflict

by Clint Popetz (JIRA)

Sibling inner class wicket component injection conflict ------------------------------------------------------- Key: JBSEAM-3933 URL: https://jira.jboss.org/jira/browse/JBSEAM-3933 Project: Seam Issue Type: Bug Components: Wicket Affects Versions: 2.1.1.GA Reporter: Clint Popetz Assignee: Clint Popetz Fix For: 2.1.2.CR1 In a class hierarchy such as this: class Page { @In Needed needed; Page() { add(new ListView("foo") { /* anonymous...*/ }); add(new ListView("bar") { /* anonymous...*/ }); } } if "foo" makes reference to "bar", or vice versa, the injection of "needed" will be trampled upon, because we don't update the reentrancy count of the enclosing instance when injection/disinjecting. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

14 years, 11 months

2
3
0 / 0

[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-3997) Need to document on-postback flag for page actions

by Nate Ridderman (JIRA)

Need to document on-postback flag for page actions -------------------------------------------------- Key: JBSEAM-3997 URL: https://jira.jboss.org/jira/browse/JBSEAM-3997 Project: Seam Issue Type: Sub-task Components: Documentation Issues Affects Versions: 2.1.1.CR1 Reporter: Nate Ridderman Priority: Minor Bug 2469 introduced a new flag for page actions. This isn't documented in the reference manual. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

14 years, 11 months

4
4
0 / 0

[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-3827) seam-gen setup and create-project with support for individual JBoss domain

by Stephan Heffner (JIRA)

seam-gen setup and create-project with support for individual JBoss domain -------------------------------------------------------------------------- Key: JBSEAM-3827 URL: https://jira.jboss.org/jira/browse/JBSEAM-3827 Project: Seam Issue Type: Patch Components: Build Affects Versions: 2.1.1.CR2 Reporter: Stephan Heffner Priority: Optional Attachments: jboss-seam-gen-domain.patch I'll attach a small patch to support a user defined value of JBoss version and domain. Predefined values are 'default' or 'standard' (Version 5.x). Maybe it's useful for others as well. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

14 years, 11 months

3
6
0 / 0

[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-3854) seam-gen test fails if there is a space in the path to the project

by Jay Balunas (JIRA)

seam-gen test fails if there is a space in the path to the project ------------------------------------------------------------------ Key: JBSEAM-3854 URL: https://jira.jboss.org/jira/browse/JBSEAM-3854 Project: Seam Issue Type: Bug Components: Core Affects Versions: 2.1.1.GA Environment: Windows XP JDK 5 Reporter: Jay Balunas Fix For: 2.1.2.CR1 If there is a space in the path to seam-gen project and you attempt to execute "seam test" you will see an exception like the one below. ERROR [org.jboss.kernel.plugins.dependency.AbstractKernelController] Error installing to Parse: name=vfsfile:/C:/dev/projects/seam/2.1.1.GA/seam%20gen/seamGenEar/bootstrap/deploy/jboss-local-jdbc.rar state=Not Installed mode=Manual requiredState=Parse org.jboss.deployers.spi.DeploymentException: Error parsing meta data jboss-local-jdbc.rar/META-INF/ra.xml at org.jboss.deployers.spi.DeploymentException.rethrowAsDeploymentException(DeploymentException.java:49) at org.jboss.deployers.vfs.spi.deployer.ObjectModelFactoryDeployer.parse(ObjectModelFactoryDeployer.java:124) at org.jboss.deployers.vfs.spi.deployer.AbstractVFSParsingDeployer.parse(AbstractVFSParsingDeployer.java:86) at org.jboss.deployers.spi.deployer.helpers.AbstractParsingDeployerWithOutput.createMetaData(AbstractParsingDeployerWithOutput.java:223) at org.jboss.deployers.spi.deployer.helpers.AbstractParsingDeployerWithOutput.createMetaData(AbstractParsingDeployerWithOutput.java:199) at org.jboss.deployers.spi.deployer.helpers.AbstractParsingDeployerWithOutput.deploy(AbstractParsingDeployerWithOutput.java:162) at org.jboss.deployers.plugins.deployers.DeployerWrapper.deploy(DeployerWrapper.java:169) at org.jboss.deployers.plugins.deployers.DeployersImpl.doInstallParentFirst(DeployersImpl.java:853) at org.jboss.deployers.plugins.deployers.DeployersImpl.install(DeployersImpl.java:794) at org.jboss.dependency.plugins.AbstractControllerContext.install(AbstractControllerContext.java:327) at org.jboss.dependency.plugins.AbstractController.install(AbstractController.java:1309) at org.jboss.dependency.plugins.AbstractController.incrementState(AbstractController.java:734) at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:862) at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:784) at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:622) at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:411) at org.jboss.deployers.plugins.deployers.DeployersImpl.process(DeployersImpl.java:498) at org.jboss.deployers.plugins.main.MainDeployerImpl.process(MainDeployerImpl.java:506) at org.jboss.embedded.DeploymentScanner.start(DeploymentScanner.java:105) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:585) at org.jboss.reflect.plugins.introspection.ReflectionUtils.invoke(ReflectionUtils.java:56) at org.jboss.reflect.plugins.introspection.ReflectMethodInfoImpl.invoke(ReflectMethodInfoImpl.java:110) at org.jboss.joinpoint.plugins.BasicMethodJoinPoint.dispatch(BasicMethodJoinPoint.java:66) at org.jboss.kernel.plugins.dependency.KernelControllerContextAction$JoinpointDispatchWrapper.execute(KernelControllerContextAction.java:214) at org.jboss.kernel.plugins.dependency.ExecutionWrapper.execute(ExecutionWrapper.java:45) at org.jboss.kernel.plugins.dependency.KernelControllerContextAction.dispatchExecutionWrapper(KernelControllerContextAction.java:108) at org.jboss.kernel.plugins.dependency.KernelControllerContextAction.dispatchJoinPoint(KernelControllerContextAction.java:69) at org.jboss.kernel.plugins.dependency.LifecycleAction.installActionInternal(LifecycleAction.java:221) at org.jboss.kernel.plugins.dependency.KernelControllerContextAction.installAction(KernelControllerContextAction.java:135) at org.jboss.kernel.plugins.dependency.KernelControllerContextAction.installAction(KernelControllerContextAction.java:46) at org.jboss.dependency.plugins.action.SimpleControllerContextAction.simpleInstallAction(SimpleControllerContextAction.java:62) at org.jboss.dependency.plugins.action.AccessControllerContextAction.install(AccessControllerContextAction.java:71) at org.jboss.dependency.plugins.AbstractControllerContextActions.install(AbstractControllerContextActions.java:51) at org.jboss.dependency.plugins.AbstractControllerContext.install(AbstractControllerContext.java:327) at org.jboss.dependency.plugins.AbstractController.install(AbstractController.java:1309) at org.jboss.dependency.plugins.AbstractController.incrementState(AbstractController.java:734) at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:862) at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:784) at org.jboss.dependency.plugins.AbstractController.install(AbstractController.java:574) at org.jboss.dependency.plugins.AbstractController.install(AbstractController.java:398) at org.jboss.kernel.plugins.deployment.AbstractKernelDeployer.deployBean(AbstractKernelDeployer.java:309) at org.jboss.kernel.plugins.deployment.AbstractKernelDeployer.deployBeans(AbstractKernelDeployer.java:279) at org.jboss.kernel.plugins.deployment.AbstractKernelDeployer.deploy(AbstractKernelDeployer.java:130) at org.jboss.kernel.plugins.deployment.xml.BeanXMLDeployer.deploy(BeanXMLDeployer.java:96) at org.jboss.embedded.Bootstrap.deployBaseBootstrapUrl(Bootstrap.java:130) at org.jboss.embedded.Bootstrap.bootstrapURL(Bootstrap.java:142) at org.jboss.embedded.Bootstrap.bootstrap(Bootstrap.java:183) at org.jboss.embedded.Bootstrap.bootstrap(Bootstrap.java:195) at org.jboss.seam.mock.EmbeddedBootstrap.startAndDeployResources(EmbeddedBootstrap.java:11) at org.jboss.seam.mock.AbstractSeamTest.startJbossEmbeddedIfNecessary(AbstractSeamTest.java:1024) at org.jboss.seam.mock.AbstractSeamTest.startSeam(AbstractSeamTest.java:915) at org.jboss.seam.mock.SeamTest.startSeam(SeamTest.java:58) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:585) at org.testng.internal.MethodHelper.invokeMethod(MethodHelper.java:604) at org.testng.internal.Invoker.invokeConfigurationMethod(Invoker.java:394) at org.testng.internal.Invoker.invokeConfigurations(Invoker.java:142) at org.testng.internal.Invoker.invokeConfigurations(Invoker.java:79) at org.testng.SuiteRunner.privateRun(SuiteRunner.java:261) at org.testng.SuiteRunner.run(SuiteRunner.java:190) at org.testng.TestNG.createAndRunSuiteRunners(TestNG.java:792) at org.testng.TestNG.runSuitesLocally(TestNG.java:765) at org.testng.TestNG.run(TestNG.java:699) at org.testng.TestNG.privateMain(TestNG.java:824) at org.testng.TestNG.main(TestNG.java:802) Caused by: org.jboss.xb.binding.JBossXBException: Failed to parse source: vfsfile:/C:/dev/projects/seam/2.1.1.GA/seam gen/seamGenEar/bootstrap/deploy/jboss-local-jdbc.rar/META-INF/ra.xml at org.jboss.xb.binding.parser.sax.SaxJBossXBParser.parse(SaxJBossXBParser.java:177) at org.jboss.xb.binding.UnmarshallerImpl.unmarshal(UnmarshallerImpl.java:186) at org.jboss.deployers.vfs.spi.deployer.ObjectModelFactoryDeployer.parse(ObjectModelFactoryDeployer.java:120) ... 68 more Caused by: java.io.FileNotFoundException: File does not exist: C:\dev\projects\seam\2.1.1.GA\seam%20gen at org.jboss.virtual.plugins.context.file.FileSystemContext.createVirtualFileHandler(FileSystemContext.java:249) at org.jboss.virtual.plugins.context.file.FileSystemContext.createVirtualFileHandler(FileSystemContext.java:186) at org.jboss.virtual.plugins.context.file.FileHandler.createChildHandler(FileHandler.java:216) at org.jboss.virtual.plugins.context.AbstractVirtualFileHandler.structuredFindChild(AbstractVirtualFileHandler.java:291) at org.jboss.virtual.plugins.context.file.FileHandler.findChild(FileHandler.java:199) at org.jboss.virtual.plugins.context.AbstractVFSContext.findChild(AbstractVFSContext.java:118) at org.jboss.virtual.VFS.findChild(VFS.java:205) at org.jboss.virtual.plugins.vfs.VirtualFileURLConnection.resolveCachedVirtualFile(VirtualFileURLConnection.java:90) at org.jboss.virtual.plugins.vfs.VirtualFileURLConnection.getVirtualFile(VirtualFileURLConnection.java:105) at org.jboss.virtual.plugins.vfs.VirtualFileURLConnection.getInputStream(VirtualFileURLConnection.java:117) at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(Unknown Source) at org.apache.xerces.impl.XMLVersionDetector.determineDocVersion(Unknown Source) at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) at org.apache.xerces.parsers.XMLParser.parse(Unknown Source) at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source) at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source) at org.jboss.xb.binding.parser.sax.SaxJBossXBParser.parse(SaxJBossXBParser.java:173) ... 70 more -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

14 years, 11 months

3
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

seam-issues July 2009