[ 
https://issues.apache.org/jira/browse/MYFACES-3714?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Leonardo Uribe resolved MYFACES-3714.
-------------------------------------

       Resolution: Fixed
    Fix Version/s: 2.2.0
    
> Implement stateless mode using f:view "transient" attribute
> -----------------------------------------------------------
>
>                 Key: MYFACES-3714
>                 URL: https://issues.apache.org/jira/browse/MYFACES-3714
>             Project: MyFaces Core
>          Issue Type: Task
>          Components: JSR-344
>            Reporter: Leonardo Uribe
>            Assignee: Leonardo Uribe
>             Fix For: 2.2.0
>
>
> Implement stateless mode using f:view "transient" attribute
> The big problem with this stuff is what happens when view protection is 
> considered and the resulting relationship between the state mode used (client 
> or server) and mixing everything together.
> For example, view protection relies on what's inside the javax.faces.ViewState 
> hidden field and how it is encoded. Theoretically javax.faces.ViewState 
> protects against CSRF attacks, but with a special stateless token it could be 
> possible to use that token in non-stateless views. We should prevent that by 
> adding proper checks into the StateManagementStrategy and the Restore View 
> phase.
> In theory, it is necessary to extend the 
> org.apache.myfaces.application.StateCache abstract class to reflect the 
> necessary logic to ensure protected views are always secured, even if they 
> are declared as stateless.

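The Restore View check the issue asks for, written here as an added illustration and not as MyFaces code: a stateless marker is accepted only for a view declared transient and not protected, so it can never stand in for the state token of a stateful or protected view. Class and method names (RestoreViewGuard, Decision, decide) are hypothetical; the literal "stateless" is the value JSF 2.2 renders into javax.faces.ViewState for a transient view.

```java
// Added example, not MyFaces code. Names RestoreViewGuard, Decision and decide()
// are hypothetical; the inputs model what Restore View already knows about a request.
public final class RestoreViewGuard {

    /** Value of javax.faces.ViewState that marks a stateless postback in JSF 2.2. */
    static final String STATELESS_MARKER = "stateless";

    public enum Decision { RESTORE_STATELESS, RESTORE_FROM_STATE, REJECT }

    /**
     * Decide how Restore View should treat a postback.
     *
     * @param viewStateParam    raw value of the javax.faces.ViewState request parameter
     * @param declaredTransient whether the target view is declared with f:view transient="true"
     * @param protectedView     whether the view id is configured as a protected view
     * @param stateTokenValid   whether a non-marker token decodes and verifies as saved state
     */
    public static Decision decide(String viewStateParam, boolean declaredTransient,
                                  boolean protectedView, boolean stateTokenValid) {
        if (viewStateParam == null || viewStateParam.isEmpty()) {
            return Decision.REJECT; // no state at all: not a valid postback
        }
        if (STATELESS_MARKER.equals(viewStateParam)) {
            // The marker carries no secret, so it must never replace the state token
            // of a stateful view, and a protected view stays secured even when it is
            // declared transient (the point raised in the issue).
            if (declaredTransient && !protectedView) {
                return Decision.RESTORE_STATELESS;
            }
            return Decision.REJECT;
        }
        // Any other value is a real state token and must verify before restoring.
        return stateTokenValid ? Decision.RESTORE_FROM_STATE : Decision.REJECT;
    }

    public static void main(String[] args) {
        // Constructed cases: transient view, stateful view, protected-but-transient view,
        // and a protected view posting a (constructed) valid state token.
        System.out.println(decide("stateless", true, false, false));
        System.out.println(decide("stateless", false, false, false));
        System.out.println(decide("stateless", true, true, false));
        System.out.println(decide("constructed-valid-token", false, true, true));
    }
}
```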
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
