You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@myfaces.apache.org by "Leonardo Uribe (JIRA)" <de...@myfaces.apache.org> on 2013/08/29 04:23:51 UTC
[jira] [Commented] (MYFACES-3714) Implement stateless mode using
f:view "transient" attribute
[ https://issues.apache.org/jira/browse/MYFACES-3714?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13753216#comment-13753216 ]
Leonardo Uribe commented on MYFACES-3714:
-----------------------------------------
Committed solution for this one. It seems the issues between view protection and stateless views will be clarified in a further version of the spec. For now I think it is ok to consider stateless views as unprotected, and enforce protected views to be not stateless.
> Implement stateless mode using f:view "transient" attribute
> -----------------------------------------------------------
>
> Key: MYFACES-3714
> URL: https://issues.apache.org/jira/browse/MYFACES-3714
> Project: MyFaces Core
> Issue Type: Task
> Components: JSR-344
> Reporter: Leonardo Uribe
> Assignee: Leonardo Uribe
>
> Implement stateless mode using f:view "transient" attribute
> The big problem with this stuff is what happen when view protection is considered and the resulting relationship between the state mode used (client or server) and mixing everything together.
> For example, view protection relies on what's inside javax.faces.ViewState hidden field and how it is encoded. Theorically javax.faces.ViewState protects against CSRF attacks, but with a special stateless token it could be possible to use that token into non stateless views. We should prevent that adding proper checks into the StateManagementStrategy and the Restore View phase.
> In theory, it is necessary to extend org.apache.myfaces.application.StateCache abstract class to reflect the necessary logic to ensure protected views are always secured, even if they are declared as stateless.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira