myfaces-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Leonardo Uribe (JIRA)" <...@myfaces.apache.org>
Subject [jira] [Created] (MYFACES-3714) Implement stateless mode using f:view "transient" attribute
Date Thu, 25 Apr 2013 03:32:15 GMT
Leonardo Uribe created MYFACES-3714:
---------------------------------------

             Summary: Implement stateless mode using f:view "transient" attribute
                 Key: MYFACES-3714
                 URL: https://issues.apache.org/jira/browse/MYFACES-3714
             Project: MyFaces Core
          Issue Type: Task
          Components: JSR-344
            Reporter: Leonardo Uribe
            Assignee: Leonardo Uribe


Implement stateless mode using f:view "transient" attribute

The big problem with this stuff is what happen when view protection is considered and the
resulting relationship between the state mode used (client or server) and mixing everything
together.

For example, view protection relies on what's inside javax.faces.ViewState hidden field and
how it is encoded. Theorically javax.faces.ViewState protects against CSRF attacks, but with
a special stateless token it could be possible to use that token into non stateless views.
We should prevent that adding proper checks into the StateManagementStrategy and the Restore
View phase.

In theory, it is necessary to extend org.apache.myfaces.application.StateCache abstract class
to reflect the necessary logic to ensure protected views are always secured, even if they
are declared as stateless.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message