[seam-dev] Fwd: JSF security issue

Lincoln Baxter, III lincolnbaxter at gmail.com
Wed Jun 9 11:06:13 EDT 2010


Yeah - Just saw that this morning. I'd like to see a way to implement this
for ALL pages, not requiring a custom tag. I believe this could be done
easily using the PreRenderViewEvent to add a hidden form field to store the
token in all outbound forms, then use a phase-listener after Restore_View,
comparing the request parameter to the restored component value. Very
similar to the <s:token> component, but as a global solution that could be
enabled/disabled via XML config.

Thoughts?
Lincoln

On Wed, Jun 9, 2010 at 10:49 AM, Dan Allen <dan.j.allen at gmail.com> wrote:

> On Wed, Jun 9, 2010 at 7:25 AM, Stuart Douglas <
> stuart at baileyroberts.com.au> wrote:
>
>>
>> It looks like this only affects apps that use encrypted client side state
>> saving?
>>
>
> Client-side state saving is extremely vulnerable to security hacks,
> something Christian and I have discussed extensively. The problem is, with
> client-side scripting, all the trust is on the client. You've got to have
> something on the server (or some other trust provider) to cross reference
> the request or else you are just asking for trouble.
>
> That's a lot of what the s:token tag is about...which we will be reviewing
> soon as we bring it into Seam 3.
>
>
> http://seamframework.org/Community/NewComponentTagStokenAimedToGuardAgainstCSRF
> http://seamframework.org/Documentation/CrossSiteRequestForgery
>
> -Dan
>
> --
> Dan Allen
> Senior Software Engineer, Red Hat | Author of Seam in Action
> Registered Linux User #231597
>
> http://mojavelinux.com
> http://mojavelinux.com/seaminaction
> http://www.google.com/profiles/dan.j.allen
>
> _______________________________________________
> seam-dev mailing list
> seam-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/seam-dev
>
>


-- 
Lincoln Baxter, III
http://ocpsoft.com
http://scrumshark.com
"Keep it Simple"
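The global token Lincoln sketches above, written out as an added example: this is not code from the thread, from Seam, or from the s:token component, and every class, id and key name in it is hypothetical. It assumes a servlet-backed JSF 2 application (javax.faces) and Java 8 or later for Base64. One listener registered for PreRenderViewEvent stamps a hidden field into every UIForm; a phase listener runs after RESTORE_VIEW and checks that the submitted form carried the right value. Following Dan's point about trust, the check compares the request parameter against a token held in the server-side session rather than against the restored component value, so it behaves the same under client-side and server-side state saving.

```java
// Added example (not from the thread). Names are hypothetical; assumes JSF 2 + Java 8.
package example.csrf;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.faces.FacesException;
import javax.faces.component.UIComponent;
import javax.faces.component.UIForm;
import javax.faces.component.UINamingContainer;
import javax.faces.component.UIViewRoot;
import javax.faces.component.html.HtmlInputHidden;
import javax.faces.context.FacesContext;
import javax.faces.event.AbortProcessingException;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;
import javax.faces.event.SystemEvent;
import javax.faces.event.SystemEventListener;

public final class CsrfGuard {
    static final String SESSION_KEY = "example.csrf.token"; // hypothetical session attribute
    static final String FIELD_ID = "csrfToken";             // hidden field id inside every form
    private static final SecureRandom RNG = new SecureRandom();

    /** Per-session token, created lazily and kept on the server (the trust anchor). */
    static String forSession(FacesContext ctx) {
        Map<String, Object> session = ctx.getExternalContext().getSessionMap();
        String token = (String) session.get(SESSION_KEY);
        if (token == null) {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.put(SESSION_KEY, token);
        }
        return token;
    }

    /** Constant-time comparison; a missing token on either side never matches. */
    static boolean matches(String expected, String presented) {
        if (expected == null || presented == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    /** Every UIForm in the tree, facets included. */
    static List<UIForm> forms(UIComponent root) {
        List<UIForm> out = new ArrayList<>();
        if (root instanceof UIForm) out.add((UIForm) root);
        for (Iterator<UIComponent> it = root.getFacetsAndChildren(); it.hasNext();) {
            out.addAll(forms(it.next()));
        }
        return out;
    }

    /** PreRenderViewEvent listener: adds (once) a hidden field to each outbound form. */
    public static class FormListener implements SystemEventListener {
        public boolean isListenerForSource(Object source) { return source instanceof UIViewRoot; }

        public void processEvent(SystemEvent event) throws AbortProcessingException {
            FacesContext ctx = FacesContext.getCurrentInstance();
            String token = forSession(ctx);
            for (UIForm form : forms(ctx.getViewRoot())) {
                HtmlInputHidden field = (HtmlInputHidden) form.findComponent(FIELD_ID);
                if (field == null) { // first render of this view; postbacks restore it with the tree
                    field = (HtmlInputHidden) ctx.getApplication()
                            .createComponent(HtmlInputHidden.COMPONENT_TYPE);
                    field.setId(FIELD_ID);
                    form.getChildren().add(field);
                }
                field.setValue(token); // always render the current server-side token
            }
        }
    }

    /** Phase listener after RESTORE_VIEW: the submitted form must carry the session token. */
    public static class RestoreViewCheck implements PhaseListener {
        public PhaseId getPhaseId() { return PhaseId.RESTORE_VIEW; }
        public void beforePhase(PhaseEvent event) { }

        public void afterPhase(PhaseEvent event) {
            FacesContext ctx = event.getFacesContext();
            if (!ctx.isPostback() || ctx.getViewRoot() == null) return; // plain GETs submit no form
            String expected = (String) ctx.getExternalContext().getSessionMap().get(SESSION_KEY);
            Map<String, String> params = ctx.getExternalContext().getRequestParameterMap();
            char sep = UINamingContainer.getSeparatorChar(ctx);
            for (UIForm form : forms(ctx.getViewRoot())) {
                String formId = form.getClientId(ctx);
                if (!params.containsKey(formId)) continue; // JSF marks the submitted form with its own id
                String name = form.isPrependId() ? formId + sep + FIELD_ID : FIELD_ID;
                if (!matches(expected, params.get(name))) {
                    try {
                        ctx.getExternalContext().responseSendError(403, "Missing or invalid CSRF token");
                    } catch (IOException e) {
                        throw new FacesException(e);
                    }
                    ctx.responseComplete(); // stop the lifecycle before Apply Request Values
                    return;
                }
            }
        }
    }
}
```

Both listeners are wired in faces-config.xml: `CsrfGuard$FormListener` as a `<system-event-listener>` whose `<system-event-class>` is `javax.faces.event.PreRenderViewEvent`, and `CsrfGuard$RestoreViewCheck` as a `<phase-listener>` under `<lifecycle>`. The on/off switch Lincoln mentions would naturally be a context-param read at the top of `afterPhase`. Because the token lives in the session and the comparison is constant-time, a forged request from another origin fails even when the view state itself came from the client.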