[seam-dev] Fwd: JSF security issue
Dan Allen
dan.j.allen at gmail.com
Wed Jun 9 11:09:28 EDT 2010
On Wed, Jun 9, 2010 at 11:06 AM, Lincoln Baxter, III <
lincolnbaxter at gmail.com> wrote:
> Yeah - Just saw that this morning. I'd like to see a way to implement this
> for ALL pages, not requiring a custom tag. I believe this could be done
> easily using the PreRenderViewEvent to add a hidden form field to store the
> token in all outbound forms, then use a phase-listener after Restore_View,
> comparing the request parameter to the restored component value. Very
> similar to the <s:token> component, but as a global solution that could be
> enabled/disabled via XML config.
>
Global solution is good. In fact, it's even more secure since it solves the
"doh, I forgot to add the tag" security hole ;)
-Dan
--
Dan Allen
Senior Software Engineer, Red Hat | Author of Seam in Action
Registered Linux User #231597
http://mojavelinux.com
http://mojavelinux.com/seaminaction
http://www.google.com/profiles/dan.j.allen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/seam-dev/attachments/20100609/29910ac0/attachment.html
More information about the seam-dev
mailing list