Posted to commits@myfaces.apache.org by lo...@apache.org on 2011/02/08 16:10:58 UTC
svn commit: r1068435 - in
/myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago:
config/TobagoConfig.java webapp/SecretSessionListener.java
Author: lofwyr
Date: Tue Feb 8 15:10:58 2011
New Revision: 1068435
URL: http://svn.apache.org/viewvc?rev=1068435&view=rev
Log:
TOBAGO-972: Implement a session secret to protect against cross-site request forgery (CSRF/XSRF)
- fix: a session may be created outside of JSF (no FacesContext available)
Modified:
myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java
myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/webapp/SecretSessionListener.java
Modified: myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java?rev=1068435&r1=1068434&r2=1068435&view=diff
==============================================================================
--- myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java (original)
+++ myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java Tue Feb 8 15:10:58 2011
@@ -24,6 +24,7 @@ import org.apache.myfaces.tobago.context
import org.apache.myfaces.tobago.util.Deprecation;
import javax.faces.context.FacesContext;
+import javax.servlet.ServletContext;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
@@ -110,8 +111,11 @@ public class TobagoConfig {
public static TobagoConfig getInstance(FacesContext facesContext) {
- return (TobagoConfig) facesContext.getExternalContext()
- .getApplicationMap().get(TOBAGO_CONFIG);
+ return (TobagoConfig) facesContext.getExternalContext().getApplicationMap().get(TOBAGO_CONFIG);
+ }
+
+ public static TobagoConfig getInstance(ServletContext servletContext) {
+ return (TobagoConfig) servletContext.getAttribute(TOBAGO_CONFIG);
}
public MappingRule getMappingRule(String requestUri) {
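Review bot: The new `getInstance(ServletContext)` overload is undocumented, and unlike the `FacesContext` variant it is meant to be called from container callbacks where the `TOBAGO_CONFIG` attribute may not have been stored yet, so the fact that it can return `null` is the one thing a caller needs to know. I would add a Javadoc along the lines of `/** Looks up the TobagoConfig stored in the servlet context. Intended for code that runs without a FacesContext (e.g. servlet listeners); returns null if the configuration has not been initialized yet. */`. Whether the attribute is always present by the time a session listener fires depends on listener ordering in web.xml, which is not visible here. The enclosing class TobagoConfig starts and ends outside this hunk.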
Modified: myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/webapp/SecretSessionListener.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/webapp/SecretSessionListener.java?rev=1068435&r1=1068434&r2=1068435&view=diff
==============================================================================
--- myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/webapp/SecretSessionListener.java (original)
+++ myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/webapp/SecretSessionListener.java Tue Feb 8 15:10:58 2011
@@ -19,14 +19,14 @@ package org.apache.myfaces.tobago.webapp
import org.apache.myfaces.tobago.config.TobagoConfig;
-import javax.faces.context.FacesContext;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
public class SecretSessionListener implements HttpSessionListener {
public void sessionCreated(HttpSessionEvent sessionEvent) {
- if (TobagoConfig.getInstance(FacesContext.getCurrentInstance()).isCheckSessionSecret()) {
+ // a session creation may happen outside from JSF, so don't use FacesContext here.
+ if (TobagoConfig.getInstance(sessionEvent.getSession().getServletContext()).isCheckSessionSecret()) {
Secret.create(sessionEvent.getSession());
}
}
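Review bot: The lookup on the new line in `sessionCreated` can still yield `null` — `ServletContext.getAttribute(TOBAGO_CONFIG)` returns null until Tobago has stored its configuration — and a session created before that point (the very case the log message describes) would then throw a NullPointerException inside the container's session-creation path. A guard such as `TobagoConfig config = TobagoConfig.getInstance(sessionEvent.getSession().getServletContext());` followed by `if (config != null && config.isCheckSessionSecret()) {` keeps the listener from breaking session creation. Note the security consequence of skipping `Secret.create` here: a session without a secret must be rejected, not accepted, by the later CSRF check, so whichever code verifies the secret should treat a missing session secret as a failed check rather than as "nothing to verify"; that code is not in this hunk, so I cannot confirm which way it currently behaves.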