[jsr-314-open-mirror] [jsr-314-open] [Spec-869-Specify CSRF Solution] PROPOSAL(s)
Andy Schwartz
andy.schwartz at oracle.com
Tue Oct 26 15:51:54 EDT 2010
Hey Kito -
On 10/26/10 3:48 PM, Kito Mann wrote:
> Perhaps I missed it earlier in the thread, but why?
Alexander raised some concerns here:
http://lists.jboss.org/pipermail/jsr-314-open-mirror/2010-October/000410.html
In particular, this has me worried:
> c) For a token encoded as a URL parameter this proposal protects the whole
> application, so no one can even get logged in to the protected site
> because of circular dependencies: to open the login page, a visitor has to
> have a secure token, which he can get only from the JSF login page...
> There should be per-page security configuration.
I explained my concerns in more detail here:
http://lists.jboss.org/pipermail/jsr-314-open-mirror/2010-October/000499.html
> And what would you propose?
I don't have a concrete proposal just yet, but I think we need to look
at enabling this at a finer level, e.g. per page or for a collection of
pages, perhaps identified by a prefix.
Andy
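The following is an added, language-neutral sketch (not JSF code and not part of this thread) of the per-page configuration Andy is asking for: a session-bound CSRF token check that exempts pages under configured prefixes, so the login page stays reachable without a token. The prefixes, secret and paths are constructed for the illustration.

```python
import hashlib
import hmac

# Constructed policy for the illustration: pages under these prefixes
# (the login flow itself) are reachable without a token.
UNPROTECTED_PREFIXES = ("/login", "/public/")


def make_token(secret: bytes, session_id: str) -> str:
    """Derive a per-session CSRF token as an HMAC over the session id."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def is_protected(path: str, prefixes=UNPROTECTED_PREFIXES) -> bool:
    """Per-page policy: anything outside the exempt prefixes needs a token."""
    return not any(path.startswith(p) for p in prefixes)


def check_request(secret: bytes, session_id: str, path: str,
                  token, prefixes=UNPROTECTED_PREFIXES) -> bool:
    """Return True if the request may proceed, False if it must be rejected."""
    if not is_protected(path, prefixes):
        return True                      # exempt page, no token required
    if token is None:
        return False                     # protected page, token missing
    expected = make_token(secret, session_id)
    return hmac.compare_digest(expected, token)  # constant-time comparison


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    # Whole-application protection (no exemptions): the very first visit to
    # the login page carries no token yet, so it is rejected and the user
    # can never obtain one. This is the circular dependency from the thread.
    print("login, whole-app policy:",
          check_request(secret, "s1", "/login", None, prefixes=()))
    # Per-page policy: the login page is exempt, the rest stays protected.
    print("login, per-page policy:", check_request(secret, "s1", "/login", None))
    tok = make_token(secret, "s1")
    print("protected page with token:",
          check_request(secret, "s1", "/account/transfer", tok))
    print("protected page without token:",
          check_request(secret, "s1", "/account/transfer", None))
```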