[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-2105) pluggable conversation id strategy

Marcus Adair (JIRA) jira-events at lists.jboss.org
Wed Oct 17 14:45:14 EDT 2007


    [ http://jira.jboss.com/jira/browse/JBSEAM-2105?page=comments#action_12383121 ] 
            
Marcus Adair commented on JBSEAM-2105:
--------------------------------------

I am actually realizing that while it's accurate to say that global increments on conversation ids is a "security problem", the subtlety is that exploiting the problem is not what people typically think of in terms of hackers finding ways to break in or create problems, but rather is the leakage of private business data that could be exploited at a strategic level by a competitor or some other external party.

I guess that's stating the obvious, but in case the subtlety is lost I figure it doesn't hurt to point out explicitly where the danger is.



> pluggable conversation id strategy
> ----------------------------------
>
>                 Key: JBSEAM-2105
>                 URL: http://jira.jboss.com/jira/browse/JBSEAM-2105
>             Project: JBoss Seam
>          Issue Type: Feature Request
>            Reporter: Norman Richards
>             Fix For: 2.0.1.GA
>
>         Attachments: patch_file
>
>
> Conversation id generation should be managed by a component that can be overridden for specific deployments.  We might even consider providing a more interesting default (or optional) strategy like a GUID.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
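
The contrast discussed in this thread, as an added example that is not part of the original message or of Seam's code: a globally incremented id lets any user infer site-wide conversation volume from two ids they were issued, while a random 128-bit id (the GUID-style option mentioned in the issue) carries no such information. The `ConversationIdStrategy` interface, class names and the sample volume are hypothetical and constructed for illustration.

```java
import java.security.SecureRandom;
import java.util.concurrent.atomic.AtomicLong;

public class ConversationIdDemo {
    // Hypothetical interface for this example; not Seam's actual API.
    interface ConversationIdStrategy { String nextId(); }

    // Global counter: every id discloses how many conversations came before it.
    static class CounterStrategy implements ConversationIdStrategy {
        private final AtomicLong counter = new AtomicLong();
        public String nextId() { return Long.toString(counter.incrementAndGet()); }
    }

    // 128 bits from a CSPRNG, hex-encoded: ids carry no ordering or volume information.
    static class RandomStrategy implements ConversationIdStrategy {
        private final SecureRandom rng = new SecureRandom();
        public String nextId() {
            byte[] b = new byte[16];
            rng.nextBytes(b);
            StringBuilder sb = new StringBuilder(32);
            for (byte x : b) sb.append(String.format("%02x", x));
            return sb.toString();
        }
    }

    // Simulate other users' activity between two ids handed to the same user.
    static String[] observe(ConversationIdStrategy s, int otherUsersConversations) {
        String first = s.nextId();
        for (int i = 0; i < otherUsersConversations; i++) s.nextId();
        return new String[] { first, s.nextId() };
    }

    public static void main(String[] args) {
        int hidden = 1337; // constructed sample: site-wide conversations between two visits
        String[] c = observe(new CounterStrategy(), hidden);
        // The difference between two issued ids equals the hidden business volume.
        long inferred = Long.parseLong(c[1]) - Long.parseLong(c[0]) - 1;
        System.out.println("counter ids " + c[0] + " -> " + c[1] + ", inferred volume = " + inferred);

        String[] r = observe(new RandomStrategy(), hidden);
        System.out.println("random ids  " + r[0] + " -> " + r[1] + ", no volume recoverable");
    }
}
```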

        


