12:15 a.m.
Client side state saving CSRF protection
----------------------------------------
Key: JBSEAM-4076
URL: https://jira.jboss.org/jira/browse/JBSEAM-4076
Project: Seam
Issue Type: Patch
Reporter: Stuart Douglas
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
12:17 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Updated: (JBSEAM-4076) Client side state saving CSRF protection
[
https://jira.jboss.org/jira/browse/JBSEAM-4076?page=com.atlassian.jira.pl...
]
Stuart Douglas updated JBSEAM-4076:
-----------------------------------
Attachment: tokenCdkTag.diff
clientSideProtection.patch
bookingExampleUsingToken.diff
3 patches:
CSRF protection prototype using a session scoped token store
CDK tag for facelets
booking register page using the s:token
Client side state saving CSRF protection
----------------------------------------
Key: JBSEAM-4076
URL: https://jira.jboss.org/jira/browse/JBSEAM-4076
Project: Seam
Issue Type: Patch
Reporter: Stuart Douglas
Attachments: bookingExampleUsingToken.diff, clientSideProtection.patch,
tokenCdkTag.diff
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
12:26 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-4076) Client side state saving CSRF protection
[
https://jira.jboss.org/jira/browse/JBSEAM-4076?page=com.atlassian.jira.pl...
]
Stuart Douglas commented on JBSEAM-4076:
----------------------------------------
The way the patch works is if a user installs <security:render-stamp-store/> then
rather than being stored in the view root, render stamps are stored in the session scoped
RenderStampStore, and the key to access the render stamp is stored in the view root
instead.
Client side state saving CSRF protection
----------------------------------------
Key: JBSEAM-4076
URL: https://jira.jboss.org/jira/browse/JBSEAM-4076
Project: Seam
Issue Type: Patch
Reporter: Stuart Douglas
Attachments: bookingExampleUsingToken.diff, clientSideProtection.patch,
tokenCdkTag.diff
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
7:55 a.m.
New subject: [jbossseam-issues] [JBoss JIRA] Assigned: (JBSEAM-4076) Client side state saving CSRF protection
[
https://jira.jboss.org/jira/browse/JBSEAM-4076?page=com.atlassian.jira.pl...
]
Pete Muir reassigned JBSEAM-4076:
---------------------------------
Assignee: Dan Allen
Client side state saving CSRF protection
----------------------------------------
Key: JBSEAM-4076
URL: https://jira.jboss.org/jira/browse/JBSEAM-4076
Project: Seam
Issue Type: Patch
Reporter: Stuart Douglas
Assignee: Dan Allen
Attachments: bookingExampleUsingToken.diff, clientSideProtection.patch,
tokenCdkTag.diff
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
6:02 p.m.
New subject: [jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-4076) Client side state saving CSRF protection
[
https://jira.jboss.org/jira/browse/JBSEAM-4076?page=com.atlassian.jira.pl...
]
Dan Allen commented on JBSEAM-4076:
-----------------------------------
I should clarify that this patch doesn't provide CSRF protection when using
client-side state saving. That has already been guaranteed by the <s:token> design.
What this patch provides is protection against a double form submit when using client-side
state saving. It transfers control of the render stamp to the server so that it is
possible to clear this value after the first submit. When the render stamp is stored in
the view root with client-side state saving, there is no way to clear the value (since it
is being delivered by the client each time).
Client side state saving CSRF protection
----------------------------------------
Key: JBSEAM-4076
URL: https://jira.jboss.org/jira/browse/JBSEAM-4076
Project: Seam
Issue Type: Patch
Reporter: Stuart Douglas
Assignee: Dan Allen
Attachments: bookingExampleUsingToken.diff, clientSideProtection.patch,
tokenCdkTag.diff
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
6:04 p.m.
New subject: [jbossseam-issues] [JBoss JIRA] Updated: (JBSEAM-4076) Client side state saving CSRF protection
[
https://jira.jboss.org/jira/browse/JBSEAM-4076?page=com.atlassian.jira.pl...
]
Dan Allen updated JBSEAM-4076:
------------------------------
Component/s: JSF Controls
Fix Version/s: 2.1.2.CR1
Affects Version/s: 2.1.0.SP1
Client side state saving CSRF protection
----------------------------------------
Key: JBSEAM-4076
URL: https://jira.jboss.org/jira/browse/JBSEAM-4076
Project: Seam
Issue Type: Patch
Components: JSF Controls
Affects Versions: 2.1.0.SP1
Reporter: Stuart Douglas
Assignee: Dan Allen
Fix For: 2.1.2.CR1
Attachments: bookingExampleUsingToken.diff, clientSideProtection.patch,
tokenCdkTag.diff
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
6:06 p.m.
New subject: [jbossseam-issues] [JBoss JIRA] Resolved: (JBSEAM-4076) Client side state saving CSRF protection
[
https://jira.jboss.org/jira/browse/JBSEAM-4076?page=com.atlassian.jira.pl...
]
Dan Allen resolved JBSEAM-4076.
-------------------------------
Resolution: Done
Client side state saving CSRF protection
----------------------------------------
Key: JBSEAM-4076
URL: https://jira.jboss.org/jira/browse/JBSEAM-4076
Project: Seam
Issue Type: Patch
Components: JSF Controls
Affects Versions: 2.1.0.SP1
Reporter: Stuart Douglas
Assignee: Dan Allen
Fix For: 2.1.2.CR1
Attachments: bookingExampleUsingToken.diff, clientSideProtection.patch,
tokenCdkTag.diff
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
8:21 a.m.
New subject: [JBoss JIRA] Closed: (JBSEAM-4076) Client side state saving CSRF protection
[
https://jira.jboss.org/jira/browse/JBSEAM-4076?page=com.atlassian.jira.pl...
]
Pete Muir closed JBSEAM-4076.
-----------------------------
Client side state saving CSRF protection
----------------------------------------
Key: JBSEAM-4076
URL: https://jira.jboss.org/jira/browse/JBSEAM-4076
Project: Seam
Issue Type: Patch
Components: JSF Controls
Affects Versions: 2.1.0.SP1
Reporter: Stuart Douglas
Assignee: Dan Allen
Fix For: 2.1.2.CR1
Attachments: bookingExampleUsingToken.diff, clientSideProtection.patch,
tokenCdkTag.diff
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
5451
days inactive
5745
days old
7 comments
3 participants
participants (3)
-
Dan Allen (JIRA) -
Pete Muir (JIRA)
-
Stuart Douglas (JIRA)