Posted to commits@myfaces.apache.org by lo...@apache.org on 2011/02/08 15:57:00 UTC
svn commit: r1068432 -
/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/SecretSessionListener.java
Author: lofwyr
Date: Tue Feb 8 14:57:00 2011
New Revision: 1068432
URL: http://svn.apache.org/viewvc?rev=1068432&view=rev
Log:
TOBAGO-972: Implement a session secret to protect against cross-site request forgery (CSRF/XSRF)
- fix: a session may be created outside of JSF
Modified:
myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/SecretSessionListener.java
Modified: myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/SecretSessionListener.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/SecretSessionListener.java?rev=1068432&r1=1068431&r2=1068432&view=diff
==============================================================================
--- myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/SecretSessionListener.java (original)
+++ myfaces/tobago/trunk/tobago-core/src/main/java/org/apache/myfaces/tobago/webapp/SecretSessionListener.java Tue Feb 8 14:57:00 2011
@@ -19,14 +19,14 @@ package org.apache.myfaces.tobago.webapp
import org.apache.myfaces.tobago.config.TobagoConfig;
-import javax.faces.context.FacesContext;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
public class SecretSessionListener implements HttpSessionListener {
public void sessionCreated(HttpSessionEvent sessionEvent) {
- if (TobagoConfig.getInstance(FacesContext.getCurrentInstance()).isCheckSessionSecret()) {
+ // a session creation may happen outside from JSF
+ if (TobagoConfig.getInstance(sessionEvent.getSession().getServletContext()).isCheckSessionSecret()) {
Secret.create(sessionEvent.getSession());
}
}
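Review bot: The result of `TobagoConfig.getInstance(...)` on the added `if` line is dereferenced without a null check, and nothing visible in this hunk guarantees that the config is already available from the servlet context when the container creates a session. If the lookup can come back empty, `sessionCreated` throws and the session may be left without a secret, which matters because this listener is what sets up the CSRF secret. Consider `TobagoConfig config = TobagoConfig.getInstance(sessionEvent.getSession().getServletContext());` followed by `if (config == null || config.isCheckSessionSecret()) {`, so that a missing config still creates the secret instead of skipping it. Whether that is the right default should be confirmed against how the secret is checked later. The class continues outside the hunk.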