Posted to commits@myfaces.apache.org by lo...@apache.org on 2011/02/07 23:12:49 UTC
svn commit: r1068175 - in /myfaces/tobago/trunk: ./ tobago-core/
tobago-core/src/main/java/org/apache/myfaces/tobago/config/
tobago-core/src/main/java/org/apache/myfaces/tobago/internal/lifecycle/
tobago-core/src/main/java/org/apache/myfaces/tobago/int...
Author: lofwyr
Date: Mon Feb 7 22:12:48 2011
New Revision: 1068175
URL: http://svn.apache.org/viewvc?rev=1068175&view=rev
Log:
TOBAGO-972: Implement a session secret to protect against cross-site request forgery (CSRF/XSRF)
Added:
myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/Secret.java
myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/SecretSessionListener.java
myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-1.0.34.dtd
- copied, changed from r1067202, myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-1.0.30.dtd
Modified:
myfaces/tobago/trunk/pom.xml
myfaces/tobago/trunk/tobago-core/pom.xml
myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java
myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfigParser.java
myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/lifecycle/RestoreViewExecutor.java
myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/taglib/component/package-info.java
myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-1.5.dtd
myfaces/tobago/trunk/tobago-example/tobago-example-test/pom.xml
myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java
Modified: myfaces/tobago/trunk/pom.xml
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/pom.xml?rev=1068175&r1=1068174&r2=1068175&view=diff
==============================================================================
--- myfaces/tobago/trunk/pom.xml (original)
+++ myfaces/tobago/trunk/pom.xml Mon Feb 7 22:12:48 2011
@@ -459,6 +459,12 @@
<version>1.2</version>
</dependency>
<dependency>
+ <groupId>commons-codec</groupId>
+ <artifactId>commons-codec</artifactId>
+ <version>1.4</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.14</version>
Modified: myfaces/tobago/trunk/tobago-core/pom.xml
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/pom.xml?rev=1068175&r1=1068174&r2=1068175&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/pom.xml (original)
+++ myfaces/tobago/trunk/tobago-core/pom.xml Mon Feb 7 22:12:48 2011
@@ -59,7 +59,9 @@
<configuration>
<outputFiles>
<outputFile>org/apache/myfaces/tobago/internal/taglib/component/tobago.tld</outputFile>
+<!--
<outputFile>org/apache/myfaces/tobago/internal/taglib/extension/tobago-extension.tld</outputFile>
+-->
</outputFiles>
<resourceTargetPath>META-INF</resourceTargetPath>
<outputDirectory>${project.build.directory}/generated-tld</outputDirectory>
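Review bot: The `tobago-extension.tld` output file is commented out here without any explanation, and nothing else visible in this commit refers to the extension taglib. If this is a workaround required by the listener change, say so next to it, for example `<!-- temporarily disabled: <reason>, re-enable with <issue id> -->`. If it is unrelated, it belongs in its own commit so the CSRF change can be reviewed and reverted on its own.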
@@ -349,6 +351,10 @@
<version>${myfaces-test12.version}</version>
<scope>test</scope>
</dependency>
+ <dependency>
+ <groupId>commons-codec</groupId>
+ <artifactId>commons-codec</artifactId>
+ </dependency>
</dependencies>
<profiles>
Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java?rev=1068175&r1=1068174&r2=1068175&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java Mon Feb 7 22:12:48 2011
@@ -49,11 +49,15 @@ public class TobagoConfig {
private Map<String, Theme> availableThemes;
private RenderersConfig renderersConfig;
private ProjectStage projectStage;
+ private boolean createSessionSecret;
+ private boolean checkSessionSecret;
public TobagoConfig() {
supportedThemeNames = new ArrayList<String>();
supportedThemes = new ArrayList<Theme>();
resourceDirs = new ArrayList<String>();
+ createSessionSecret = true;
+ checkSessionSecret = true;
}
public void addSupportedThemeName(String name) {
@@ -234,6 +238,22 @@ public class TobagoConfig {
}
}
+ public boolean isCreateSessionSecret() {
+ return createSessionSecret;
+ }
+
+ public void setCreateSessionSecret(String createSessionSecret) {
+ this.createSessionSecret = Boolean.valueOf(createSessionSecret);
+ }
+
+ public boolean isCheckSessionSecret() {
+ return checkSessionSecret;
+ }
+
+ public void setCheckSessionSecret(String checkSessionSecret) {
+ this.checkSessionSecret = Boolean.valueOf(checkSessionSecret);
+ }
+
@Deprecated
public void setFixResourceOrder(String value) {
Deprecation.LOG.error("Config fix-resource-order not longer supported. (Is always activated).");
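Review bot: Both new setters fail open, because `Boolean.valueOf(String)` returns false for anything other than the text `true`; a typo in `check-session-secret`, or the `yes` spelling listed in the DTD's `%Boolean;` entity, silently switches the CSRF check off. The DTD hunks in this commit declare the two elements as `#PCDATA`, so the parser will not reject such values either. For a protection that defaults to on, only an explicit `false` should disable it, e.g. `this.checkSessionSecret = !"false".equalsIgnoreCase(checkSessionSecret);`, ideally with a warning logged for unrecognised values. The same applies to `setCreateSessionSecret`; the `setFixResourceOrder` body at the end continues outside the hunk.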
Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfigParser.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfigParser.java?rev=1068175&r1=1068174&r2=1068175&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfigParser.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfigParser.java Mon Feb 7 22:12:48 2011
@@ -39,6 +39,7 @@ public class TobagoConfigParser {
private static final String TOBAGO_CONFIG_DTD_1_0 = "/org/apache/myfaces/tobago/config/tobago-config_1_0.dtd";
private static final String TOBAGO_CONFIG_DTD_1_0_29 = "/org/apache/myfaces/tobago/config/tobago-config-1.0.29.dtd";
private static final String TOBAGO_CONFIG_DTD_1_0_30 = "/org/apache/myfaces/tobago/config/tobago-config-1.0.30.dtd";
+ private static final String TOBAGO_CONFIG_DTD_1_0_34 = "/org/apache/myfaces/tobago/config/tobago-config-1.0.34.dtd";
private static final String TOBAGO_CONFIG_DTD_1_5 = "/org/apache/myfaces/tobago/config/tobago-config-1.5.dtd";
public TobagoConfig parse(ServletContext context) throws IOException, SAXException, FacesException {
@@ -71,6 +72,10 @@ public class TobagoConfigParser {
// see bug TOBAGO-916
digester.addCallMethod("tobago-config/fix-layout-transparency", "setFixLayoutTransparency", 0);
+ // session secret
+ digester.addCallMethod("tobago-config/create-session-secret", "setCreateSessionSecret", 0);
+ digester.addCallMethod("tobago-config/check-session-secret", "setCheckSessionSecret", 0);
+
// renderer config
digester.addObjectCreate("tobago-config/renderers", RenderersConfigImpl.class);
digester.addSetNext("tobago-config/renderers", "setRenderersConfig");
@@ -106,6 +111,7 @@ public class TobagoConfigParser {
registerDtd(digester, "-//The Apache Software Foundation//DTD Tobago Config 1.0//EN", TOBAGO_CONFIG_DTD_1_0);
registerDtd(digester, "-//The Apache Software Foundation//DTD Tobago Config 1.0.29//EN", TOBAGO_CONFIG_DTD_1_0_29);
registerDtd(digester, "-//The Apache Software Foundation//DTD Tobago Config 1.0.30//EN", TOBAGO_CONFIG_DTD_1_0_30);
+ registerDtd(digester, "-//The Apache Software Foundation//DTD Tobago Config 1.0.34//EN", TOBAGO_CONFIG_DTD_1_0_34);
registerDtd(digester, "-//The Apache Software Foundation//DTD Tobago Config 1.5//EN", TOBAGO_CONFIG_DTD_1_5);
}
Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/lifecycle/RestoreViewExecutor.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/lifecycle/RestoreViewExecutor.java?rev=1068175&r1=1068174&r2=1068175&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/lifecycle/RestoreViewExecutor.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/lifecycle/RestoreViewExecutor.java Mon Feb 7 22:12:48 2011
@@ -17,11 +17,13 @@ package org.apache.myfaces.tobago.intern
* limitations under the License.
*/
+import org.apache.myfaces.tobago.config.TobagoConfig;
+import org.apache.myfaces.tobago.portlet.PortletUtils;
import org.apache.myfaces.tobago.renderkit.TobagoResponseStateManager;
+import org.apache.myfaces.tobago.util.ComponentUtils;
+import org.apache.myfaces.tobago.webapp.Secret;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import org.apache.myfaces.tobago.portlet.PortletUtils;
-import org.apache.myfaces.tobago.util.ComponentUtils;
import javax.faces.FacesException;
import javax.faces.application.Application;
@@ -116,6 +118,13 @@ class RestoreViewExecutor implements Pha
facesContext.renderResponse();
}
+ if (!isSessionSecretValid(facesContext)) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Secret is invalid!");
+ }
+ facesContext.renderResponse();
+ }
+
recursivelyHandleComponentReferencesAndSetValid(facesContext, viewRoot);
//noinspection unchecked
facesContext.getExternalContext().getRequestMap().put(TobagoLifecycle.VIEW_ROOT_KEY, viewRoot);
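Review bot: A rejected session secret is reported only at debug level, so with a typical production log configuration a failed CSRF check leaves no trace for detection or incident response. It is a security-relevant event and should be logged at warn without the `isDebugEnabled()` guard, e.g. `LOG.warn("Session secret missing or invalid, skipping to render response for view {}", viewRoot.getViewId());`, and the message should never include the submitted token value. The enclosing method starts and ends outside the hunk, so whether this check runs only for postbacks cannot be confirmed from here.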
@@ -127,6 +136,14 @@ class RestoreViewExecutor implements Pha
return requestParameterMap.containsKey(TobagoResponseStateManager.TREE_PARAM);
}
+ private boolean isSessionSecretValid(FacesContext facesContext) {
+ if (TobagoConfig.getInstance(FacesContext.getCurrentInstance()).isCheckSessionSecret()) {
+ return Secret.check(facesContext);
+ } else {
+ return true;
+ }
+ }
+
public PhaseId getPhase() {
return PhaseId.RESTORE_VIEW;
}
Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/taglib/component/package-info.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/taglib/component/package-info.java?rev=1068175&r1=1068174&r2=1068175&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/taglib/component/package-info.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/internal/taglib/component/package-info.java Mon Feb 7 22:12:48 2011
@@ -6,7 +6,9 @@
shortName = "tc",
tlibVersion = "1.5",
uri = "http://myfaces.apache.org/tobago/component",
- listener = "org.apache.myfaces.tobago.webapp.TobagoServletContextListener",
+ listener = {
+ "org.apache.myfaces.tobago.webapp.TobagoServletContextListener",
+ "org.apache.myfaces.tobago.webapp.SecretSessionListener"},
fileName = "tobago.tld",
displayName = "Tobago Components 1.5.x")
package org.apache.myfaces.tobago.internal.taglib.component;
Added: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/Secret.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/Secret.java?rev=1068175&view=auto
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/Secret.java (added)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/Secret.java Mon Feb 7 22:12:48 2011
@@ -0,0 +1,103 @@
+package org.apache.myfaces.tobago.webapp;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import org.apache.commons.codec.binary.Base64;
+import org.apache.myfaces.tobago.context.TobagoFacesContext;
+import org.apache.myfaces.tobago.renderkit.html.HtmlAttributes;
+import org.apache.myfaces.tobago.renderkit.html.HtmlElements;
+
+import javax.faces.context.FacesContext;
+import javax.servlet.http.HttpSession;
+import java.io.IOException;
+import java.security.SecureRandom;
+import java.util.Map;
+
+public class Secret {
+
+ private static final String KEY = Secret.class.getName();
+
+ private static final SecureRandom RANDOM = new SecureRandom();
+
+ private static final int SECRET_LENGTH = 16;
+
+ private static final boolean COMMONS_CODEC_AVAILABLE = commonsCodecAvailable();
+
+ private static boolean commonsCodecAvailable() {
+ try {
+ Base64.encodeBase64URLSafeString(new byte[0]);
+ return true;
+ } catch (Error e) {
+ return false;
+ }
+ }
+
+ private String secret;
+
+ private Secret() {
+ byte[] bytes = new byte[SECRET_LENGTH];
+ RANDOM.nextBytes(bytes);
+ secret = COMMONS_CODEC_AVAILABLE ? encodeBase64(bytes) : encodeHex(bytes);
+ }
+
+ private String encodeBase64(byte[] bytes) {
+ return Base64.encodeBase64URLSafeString(bytes);
+ }
+
+ private String encodeHex(byte[] bytes) {
+ StringBuilder builder = new StringBuilder(SECRET_LENGTH * 2);
+ for (byte b : bytes) {
+ builder.append(String.format("%02x", b));
+ }
+ return builder.toString();
+ }
+
+ /**
+ * Checks that the request contains a parameter {@link org.apache.myfaces.tobago.webapp.Secret#KEY}
+ * which is equals to a secret value in the session.
+ */
+ public static boolean check(FacesContext facesContext) {
+ Map requestParameterMap = facesContext.getExternalContext().getRequestParameterMap();
+ String fromRequest = (String) requestParameterMap.get(Secret.KEY);
+ Map sessionMap = facesContext.getExternalContext().getSessionMap();
+ Secret secret = (Secret) sessionMap.get(Secret.KEY);
+ return secret != null && secret.secret.equals(fromRequest);
+ }
+
+ /**
+ * Encode a hidden field with the secret value from the session.
+ */
+ public static void encode(TobagoFacesContext facesContext, TobagoResponseWriter writer) throws IOException {
+ writer.startElement(HtmlElements.INPUT, null);
+ writer.writeAttribute(HtmlAttributes.TYPE, "hidden", false);
+ writer.writeAttribute(HtmlAttributes.NAME, Secret.KEY, false);
+ writer.writeAttribute(HtmlAttributes.ID, Secret.KEY, false);
+ Map sessionMap = facesContext.getExternalContext().getSessionMap();
+ Secret secret = (Secret) sessionMap.get(Secret.class.getName());
+ writer.writeAttribute(HtmlAttributes.VALUE, secret.secret, false);
+ writer.endElement(HtmlElements.INPUT);
+ }
+
+ /**
+ * Create a secret attribute in the session.
+ * Should usually be called in a {@link javax.servlet.http.HttpSessionListener}.
+ */
+ public static void create(HttpSession session) {
+ session.setAttribute(Secret.KEY, new Secret());
+ }
+}
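Review bot: `encode` dereferences `secret.secret` without a null check, but the session only holds a `Secret` when `SecretSessionListener.sessionCreated` ran with `check-session-secret` enabled, while the `PageRenderer` hunk calls `encode` under `create-session-secret`. With create enabled and check disabled, or with a session that predates the listener, page rendering would throw a NullPointerException. Guard it in `encode`, e.g. `if (secret == null) { secret = new Secret(); sessionMap.put(Secret.KEY, secret); }`, and make the listener test `isCreateSessionSecret()`. Separately, `check` compares the token with `String.equals`, where a constant-time comparison such as `MessageDigest.isEqual` on the bytes is the usual choice for secrets. `Secret` is also stored as a session attribute without implementing `Serializable`, which matters for persisted or replicated sessions.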
Added: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/SecretSessionListener.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/SecretSessionListener.java?rev=1068175&view=auto
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/SecretSessionListener.java (added)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/SecretSessionListener.java Mon Feb 7 22:12:48 2011
@@ -0,0 +1,36 @@
+package org.apache.myfaces.tobago.webapp;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import org.apache.myfaces.tobago.config.TobagoConfig;
+
+import javax.faces.context.FacesContext;
+import javax.servlet.http.HttpSessionEvent;
+import javax.servlet.http.HttpSessionListener;
+
+public class SecretSessionListener implements HttpSessionListener {
+
+ public void sessionCreated(HttpSessionEvent sessionEvent) {
+ if (TobagoConfig.getInstance(FacesContext.getCurrentInstance()).isCheckSessionSecret()) {
+ Secret.create(sessionEvent.getSession());
+ }
+ }
+
+ public void sessionDestroyed(HttpSessionEvent se) {
+ }
+}
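Review bot: `sessionCreated` reads the configuration through `FacesContext.getCurrentInstance()`, which returns null whenever the container creates the session outside a Faces request, for example from a filter, a JSP or a servlet calling `getSession()`. How `TobagoConfig.getInstance` treats a null context is not visible here, but the likely outcome is an exception or a session without a secret, which would then fail every later check. Resolving the configuration from `sessionEvent.getSession().getServletContext()` would avoid depending on the Faces lifecycle. The empty `sessionDestroyed` could carry a one-line comment such as `// nothing to do: the secret is discarded with the session`.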
Copied: myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-1.0.34.dtd (from r1067202, myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-1.0.30.dtd)
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-1.0.34.dtd?p2=myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-1.0.34.dtd&p1=myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-1.0.30.dtd&r1=1067202&r2=1068175&rev=1068175&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-1.0.30.dtd (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-1.0.34.dtd Mon Feb 7 22:12:48 2011
@@ -18,18 +18,19 @@
-->
<!--
- This is the DTD for the tobago configuration files version 1.0.30.
+ This is the DTD for the tobago configuration files version 1.0.34.
You should use the following DOCTYPE in your tobago-config.xml:
<!DOCTYPE tobago-config PUBLIC
- "-//The Apache Software Foundation//DTD Tobago Config 1.0.30//EN"
- "http://myfaces.apache.org/tobago/tobago-config-1.0.30.dtd">
+ "-//The Apache Software Foundation//DTD Tobago Config 1.0.34//EN"
+ "http://myfaces.apache.org/tobago/tobago-config-1.0.34.dtd">
-->
<!ENTITY % Boolean "(true|false|yes|no)">
<!ELEMENT tobago-config (theme-config, resource-dir*,
- ajax-enabled?, fix-resource-order?, fix-layout-transparency?, renderers?)>
+ ajax-enabled?, fix-resource-order?, fix-layout-transparency?,
+ create-session-secret?, check-session-secret?, renderers?)>
<!ELEMENT theme-config (default-theme, supported-theme*)>
<!ELEMENT default-theme (#PCDATA)>
@@ -53,6 +54,9 @@
-->
<!ELEMENT fix-layout-transparency (#PCDATA)>
+<!ELEMENT create-session-secret (#PCDATA)>
+<!ELEMENT check-session-secret (#PCDATA)>
+
<!ELEMENT renderers (renderer)*>
<!ELEMENT renderer (name|supported-markup)*>
<!ELEMENT supported-markup (markup)*>
Modified: myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-1.5.dtd
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-1.5.dtd?rev=1068175&r1=1068174&r2=1068175&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-1.5.dtd (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-1.5.dtd Mon Feb 7 22:12:48 2011
@@ -28,7 +28,8 @@
<!ENTITY % Boolean "(true|false|yes|no)">
-<!ELEMENT tobago-config (theme-config, resource-dir*, renderers?)>
+<!ELEMENT tobago-config (theme-config, resource-dir*,
+ create-session-secret?, check-session-secret?, renderers?)>
<!ELEMENT theme-config (default-theme, supported-theme*)>
<!ELEMENT default-theme (#PCDATA)>
@@ -40,6 +41,9 @@
<!ELEMENT resource-dir (#PCDATA)>
+<!ELEMENT create-session-secret (#PCDATA)>
+<!ELEMENT check-session-secret (#PCDATA)>
+
<!ELEMENT renderers (renderer)*>
<!ELEMENT renderer (name|supported-markup)*>
<!ELEMENT supported-markup (markup)*>
Modified: myfaces/tobago/trunk/tobago-example/tobago-example-test/pom.xml
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-example/tobago-example-test/pom.xml?rev=1068175&r1=1068174&r2=1068175&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-example/tobago-example-test/pom.xml (original)
+++ myfaces/tobago/trunk/tobago-example/tobago-example-test/pom.xml Mon Feb 7 22:12:48 2011
@@ -109,13 +109,6 @@
</build>
<dependencies>
- <!-- needed for session secret -->
- <dependency>
- <groupId>commons-codec</groupId>
- <artifactId>commons-codec</artifactId>
- <version>1.4</version>
- </dependency>
-
<dependency>
<groupId>org.apache.myfaces.tobago</groupId>
<artifactId>tobago-example-data</artifactId>
Modified: myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java?rev=1068175&r1=1068174&r2=1068175&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java (original)
+++ myfaces/tobago/trunk/tobago-theme/tobago-theme-scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java Mon Feb 7 22:12:48 2011
@@ -52,6 +52,7 @@ import org.apache.myfaces.tobago.renderk
import org.apache.myfaces.tobago.util.ComponentUtils;
import org.apache.myfaces.tobago.util.FacesVersion;
import org.apache.myfaces.tobago.util.VariableResolverUtils;
+import org.apache.myfaces.tobago.webapp.Secret;
import org.apache.myfaces.tobago.webapp.TobagoResponseWriter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -433,6 +434,10 @@ public class PageRenderer extends PageRe
writer.endElement(HtmlElements.INPUT);
}
+ if (TobagoConfig.getInstance(FacesContext.getCurrentInstance()).isCreateSessionSecret()) {
+ Secret.encode(facesContext, writer);
+ }
+
if (debugMode) {
writer.startElement(HtmlElements.INPUT, null);
writer.writeAttribute(HtmlAttributes.VALUE, clientLogSeverity);