Posted to users@tapestry.apache.org by Christian Köberl <ta...@gmail.com> on 2014/01/15 13:14:55 UTC

[ANN] Tapestry CSRF Protection, 1.0.1.RELEASE and 1.1.0.RC1

I have been working on a fork of the original CSRF protection module,
done in GSoC 2011 by Markus Jung. The original module did not fully
work without patching Tapestry itself and it was a bit too complicated
for our simple requirements. I took some code and ideas but ended up
rewriting most of it.

So, I'm pleased to announce the first two releases:

Release 1.0 with basic features:
- Protects all component event handlers (like event links, forms,
etc.) against CSRF
- Adds a CSRF token to all event links and adds a hidden field with the CSRF
token to all form POSTs
- Tokens are generated on a per-session basis

Release 1.1 (still a release candidate):
- Better generation of CSRF token
- Integration with Spring Security 3.2+ CSRF mechanism

The project is hosted on GitHub:
https://github.com/porscheinformatik/tapestry-csrf-protection

Instructions are quite simple:
Just add the JAR to your Tapestry project and it will be protected
against CSRF attacks. In version 1.1, if you have Spring and the
Tapestry-Spring integration set up and the new Spring Security 3.2 CSRF
mode enabled, it uses Spring's services for generating and checking the
tokens.

I think it would be a good idea to integrate CSRF protection into
tapestry-core - maybe this could be a starting point.

-- 
Chris
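To make the mechanism described in the announcement concrete (a per-session token, appended to event links and emitted as a hidden form field, then checked on every event request), here is an added, self-contained Java example of the synchronizer-token pattern. It is not code from the tapestry-csrf-protection module, Tapestry or Spring Security: the class name, the session key `csrf.token`, the parameter name `csrfToken` and the sample link `/app/index.delete?id=7` are all assumptions, and the session is modelled as a plain `Map` so the example runs without a servlet container. It requires Java 10 or newer for `URLEncoder.encode(String, Charset)`.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical synchronizer-token helper (NOT the tapestry-csrf-protection
 * module's own code). The session is a plain Map so the example runs offline.
 */
public final class SessionCsrfToken {

    // Assumed names; the real module's session key and parameter name are not
    // known from the announcement.
    static final String SESSION_KEY = "csrf.token";
    static final String PARAM_NAME = "csrfToken";

    // One CSPRNG for the whole process; SecureRandom is the JDK's standard source
    // of unpredictable tokens.
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns the session's token, creating one (32 random bytes, base64url) on first use. */
    public static String tokenFor(Map<String, Object> session) {
        Object existing = session.get(SESSION_KEY);
        if (existing instanceof String) {
            return (String) existing;            // per-session: reuse, do not rotate per request
        }
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(SESSION_KEY, token);
        return token;
    }

    /** Appends the token as a query parameter to an event link. */
    public static String appendToLink(String url, String token) {
        String sep = url.contains("?") ? "&" : "?";
        return url + sep + PARAM_NAME + "=" + URLEncoder.encode(token, StandardCharsets.UTF_8);
    }

    /** Renders the hidden field that is added to every form so the POST carries the token. */
    public static String hiddenField(String token) {
        return "<input type=\"hidden\" name=\"" + PARAM_NAME
                + "\" value=\"" + escapeHtml(token) + "\"/>";
    }

    /**
     * Server-side check run before any component event handler: a missing,
     * empty or mismatching token rejects the request. The comparison is
     * constant-time so the check does not leak the token byte by byte.
     */
    public static boolean isValid(Map<String, Object> session, String submitted) {
        Object expected = session.get(SESSION_KEY);
        if (!(expected instanceof String) || submitted == null) {
            return false;                        // no token issued yet, or none submitted
        }
        return MessageDigest.isEqual(
                ((String) expected).getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }

    // Minimal attribute-value escaping; a base64url token never needs it, but the
    // helper must be safe for any value placed in an HTML attribute.
    private static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();   // stands in for HttpSession
        String token = tokenFor(session);

        // Constructed sample link; not a real Tapestry URL from the module's docs.
        System.out.println(appendToLink("/app/index.delete?id=7", token));
        System.out.println(hiddenField(token));

        System.out.println("same session, same token: " + isValid(session, token));   // true
        System.out.println("token missing:            " + isValid(session, null));    // false
        System.out.println("token from elsewhere:     " + isValid(session, tokenFor(new HashMap<>()))); // false
    }
}
```

The third check in `main` is the case the module exists for: a request that carries a token minted for a different session (or none at all) is refused before the event handler runs. Because the token lives only in the server-side session and in pages the server rendered for that session, a cross-site page cannot read it to include it in a forged link or form, which is what the announcement's "protects all component event handlers" amounts to.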
