Yeah - Just saw that this morning. I'd like to see a way to implement this for ALL pages, not requiring a custom tag. I believe this could be done easily using the PreRenderViewEvent to add a hidden form field to store the token in all outbound forms, then use a phase-listener after Restore_View, comparing the request parameter to the restored component value. Very similar to the <s:token> component, but as a global solution that could be enabled/disabled via XML config.
Thoughts?

Lincoln

On Wed, Jun 9, 2010 at 10:49 AM, Dan Allen <[email protected]> wrote:
> On Wed, Jun 9, 2010 at 7:25 AM, Stuart Douglas <[email protected]> wrote:
>
>> It looks like this only affects apps that use encrypted client side state
>> saving?
>
> Client-side state saving is extremely vulnerable to security hacks,
> something Christian and I have discussed extensively. The problem is, with
> client-side scripting, all the trust is on the client. You've got to have
> something on the server (or some other trust provider) to cross reference
> the request or else you are just asking for trouble.
>
> That's a lot of what the s:token tag is about...which we will be reviewing
> soon as we bring it into Seam 3.
>
> http://seamframework.org/Community/NewComponentTagStokenAimedToGuardAgainstCSRF
> http://seamframework.org/Documentation/CrossSiteRequestForgery
>
> -Dan
>
> --
> Dan Allen
> Senior Software Engineer, Red Hat | Author of Seam in Action
> Registered Linux User #231597
>
> http://mojavelinux.com
> http://mojavelinux.com/seaminaction
> http://www.google.com/profiles/dan.j.allen
>
> _______________________________________________
> seam-dev mailing list
> [email protected]
> https://lists.jboss.org/mailman/listinfo/seam-dev

--
Lincoln Baxter, III
http://ocpsoft.com
http://scrumshark.com
"Keep it Simple"
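Lincoln's sketch above, worked through as an added example (not Seam, Mojarra or any project's code): one JSF 2 class that stamps a per-session token into every UIForm on PreRenderViewEvent and, in a phase listener after Restore View, checks the submitted hidden field against the token held in the server-side session, which is the server-side cross reference Dan asks for, rather than against client-side state alone. It assumes Java 8 lambdas; the class name, the hidden field id `csrfToken` and the session key `csrf.token` are my own choices.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.*;
import java.util.Map;
import javax.faces.component.*;
import javax.faces.component.html.HtmlInputHidden;
import javax.faces.component.visit.*;
import javax.faces.context.FacesContext;
import javax.faces.event.*;

public class GlobalCsrfGuard implements SystemEventListener, PhaseListener {
    static final String FIELD_ID = "csrfToken";     // hidden field id (assumed name)
    static final String SESSION_KEY = "csrf.token"; // session attribute (assumed name)
    // Server-side trust anchor: one unguessable token per session, created lazily.
    static String sessionToken(FacesContext ctx) {
        Map<String, Object> s = ctx.getExternalContext().getSessionMap();
        String t = (String) s.get(SESSION_KEY);
        if (t == null) s.put(SESSION_KEY, t = new BigInteger(160, new SecureRandom()).toString(32));
        return t;
    }
    // PreRenderViewEvent: stamp the token into every UIForm of the outbound view.
    public void processEvent(SystemEvent e) throws AbortProcessingException {
        FacesContext ctx = FacesContext.getCurrentInstance();
        String token = sessionToken(ctx);
        ctx.getViewRoot().visitTree(VisitContext.createVisitContext(ctx), (vc, c) -> {
            if (c instanceof UIForm && c.findComponent(FIELD_ID) == null) {
                HtmlInputHidden f = new HtmlInputHidden();
                f.setId(FIELD_ID); f.setValue(token); c.getChildren().add(f);
            }
            return VisitResult.ACCEPT;
        });
    }
    public boolean isListenerForSource(Object source) { return source instanceof UIViewRoot; }
    // After RESTORE_VIEW: every submitted form must echo the session token, else 403.
    public void afterPhase(PhaseEvent e) {
        FacesContext ctx = e.getFacesContext();
        if (!ctx.isPostback() || ctx.getViewRoot() == null) return;
        Map<String, String> params = ctx.getExternalContext().getRequestParameterMap();
        byte[] expected = sessionToken(ctx).getBytes();
        ctx.getViewRoot().visitTree(VisitContext.createVisitContext(ctx), (vc, c) -> { // a submitted UIForm posts its own client id
            if (!(c instanceof UIForm) || !params.containsKey(c.getClientId(ctx))) return VisitResult.ACCEPT;
            String sent = params.get(c.getClientId(ctx) + UINamingContainer.getSeparatorChar(ctx) + FIELD_ID);
            if (sent != null && MessageDigest.isEqual(expected, sent.getBytes())) return VisitResult.ACCEPT;
            try { ctx.getExternalContext().responseSendError(403, "CSRF token mismatch"); }
            catch (IOException ex) { throw new IllegalStateException(ex); }
            ctx.responseComplete(); return VisitResult.COMPLETE; // halt before Apply Request Values
        });
    }
    public void beforePhase(PhaseEvent e) { }
    public PhaseId getPhaseId() { return PhaseId.RESTORE_VIEW; }
}
```

Enabling or disabling it is the XML switch Lincoln describes: register the class once in faces-config.xml as a system-event-listener for javax.faces.event.PreRenderViewEvent with source class javax.faces.component.UIViewRoot, and as a phase-listener.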
