[seam-dev] Re: Adding a security audit to the Seam QA (release) process

Dan Allen dan.j.allen at gmail.com
Mon Mar 2 23:16:28 EST 2009


>
>
> I'd be interested in feedback especially from Shane, who had some
> questions about Seam Remoting and CSRF. I tried to explain it and show
> why/how we have some missing features in this area. I think we need to
> do something about it - like per-request tokens. However, we might
> want to expand this feature as a general CSRF solution that also works
> with the REST request processing, for example. (And Wicket forms?)


This fell off the back of the truck over the holiday break. Thanks for
rekindling.


>
> Dan, if you could add the current status of "stateless" view
> processing in JSF 2.0 to the CSRF page, we can go from there and draft
> some recommendations for users.


Every time I visit the JSF EG mailing list, this issue crosses my mind. I
will add it to my agenda.

-- 
Dan Allen
Senior Software Engineer, Red Hat | Author of Seam in Action

http://mojavelinux.com
http://mojavelinux.com/seaminaction

NOTE: While I make a strong effort to keep up with my email on a daily
basis, personal or other work matters can sometimes keep me away
from my email. If you contact me, but don't hear back for more than a week,
it is very likely that I am excessively backlogged or the message was
caught in the spam filters.  Please don't hesitate to resend a message if
you feel that it did not reach my attention.
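The quoted message above proposes per-request CSRF tokens as a general solution for Seam Remoting, REST and form submissions. The following is an added illustration written for this post, not Seam's own code or API: a small session-scoped guard that issues single-use, expiring tokens and consumes them on validation. The class name `CsrfTokenGuard`, the TTL parameter and the sample usage in `main` are all assumptions for the example; wiring it into a servlet filter, Seam component or Wicket form is left to the reader.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical per-request (synchronizer) CSRF token guard, one instance per
 * HTTP session. Not Seam's own API; written as an example for this discussion.
 *
 * Each token is issued for exactly one request: it is accepted at most once
 * and only before its expiry, so a replayed or forged value is rejected.
 */
public class CsrfTokenGuard {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int TOKEN_BYTES = 32; // 256 bits of entropy, not guessable

    // token -> absolute expiry time (millis). Unused tokens are purged lazily.
    private final Map<String, Long> issued = new ConcurrentHashMap<>();
    private final long ttlMillis;

    public CsrfTokenGuard(long ttlMillis) {
        this.ttlMillis = ttlMillis;
    }

    /** Issue a fresh token to embed in the next form, remoting or REST call. */
    public String issue() {
        purgeExpired();
        byte[] raw = new byte[TOKEN_BYTES];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        issued.put(token, System.currentTimeMillis() + ttlMillis);
        return token;
    }

    /**
     * Validate and consume a presented token. Returns true only if the token was
     * issued by this guard, has not been used before and has not expired.
     * The entry is removed in every case, so a token can never be used twice.
     */
    public boolean consume(String presented) {
        if (presented == null || presented.isEmpty()) {
            return false;
        }
        Long expiry = issued.remove(presented); // single use: remove even if expired
        if (expiry == null) {
            return false;
        }
        return System.currentTimeMillis() <= expiry;
    }

    /** Drop tokens whose TTL has passed so an idle session does not grow unbounded. */
    public void purgeExpired() {
        long now = System.currentTimeMillis();
        Iterator<Map.Entry<String, Long>> it = issued.entrySet().iterator();
        while (it.hasNext()) {
            if (it.next().getValue() < now) {
                it.remove();
            }
        }
    }

    /** Constructed demonstration of the expected behaviour. */
    public static void main(String[] args) {
        CsrfTokenGuard guard = new CsrfTokenGuard(10 * 60 * 1000L); // 10 minute TTL

        String token = guard.issue();
        System.out.println("first use accepted:   " + guard.consume(token));   // true
        System.out.println("replay rejected:      " + guard.consume(token));   // false
        System.out.println("forged value rejected:" + guard.consume("not-a-token")); // false
        System.out.println("missing token rejected:" + guard.consume(null));    // false
    }
}
```

Two practical points when adopting this pattern: a strictly single-use token breaks the browser back button and multiple open tabs, so many deployments keep a small window of recently issued tokens per session rather than exactly one; and the token check should be applied only to state-changing requests, with Origin/Referer validation kept as defence in depth for the REST endpoints the quoted message mentions.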