[seam-dev] Fwd: JSF security issue
Lincoln Baxter, III
lincolnbaxter at gmail.com
Wed Jun 9 11:11:22 EDT 2010
Next question - what is our Crypto library of choice?
On Wed, Jun 9, 2010 at 11:09 AM, Dan Allen <dan.j.allen at gmail.com> wrote:
> On Wed, Jun 9, 2010 at 11:06 AM, Lincoln Baxter, III <
> lincolnbaxter at gmail.com> wrote:
>
>> Yeah - Just saw that this morning. I'd like to see a way to implement this
>> for ALL pages, not requiring a custom tag. I believe this could be done
>> easily using the PreRenderViewEvent to add a hidden form field to store the
>> token in all outbound forms, then use a phase-listener after Restore_View,
>> comparing the request parameter to the restored component value. Very
>> similar to the <s:token> component, but as a global solution that could be
>> enabled/disabled via XML config.
>>
>
> Global solution is good. In fact, it's even more secure since it solves the
> "doh, I forgot to add the tag" security hole ;)
>
> -Dan
>
> --
> Dan Allen
> Senior Software Engineer, Red Hat | Author of Seam in Action
> Registered Linux User #231597
>
> http://mojavelinux.com
> http://mojavelinux.com/seaminaction
> http://www.google.com/profiles/dan.j.allen
>
--
Lincoln Baxter, III
http://ocpsoft.com
http://scrumshark.com
"Keep it Simple"
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/seam-dev/attachments/20100609/94c6736b/attachment-0001.html
More information about the seam-dev
mailing list