Posted to commits@myfaces.apache.org by lo...@apache.org on 2011/02/07 23:37:07 UTC
svn commit: r1068193 - in /myfaces/tobago/branches/tobago-1.0.x: ./ core/
core/src/main/java/org/apache/myfaces/tobago/config/
core/src/main/java/org/apache/myfaces/tobago/lifecycle/
core/src/main/java/org/apache/myfaces/tobago/taglib/component/ core/s...
Author: lofwyr
Date: Mon Feb 7 22:37:06 2011
New Revision: 1068193
URL: http://svn.apache.org/viewvc?rev=1068193&view=rev
Log:
TOBAGO-972: Implement a session secret to protect against cross-side request forgery (CSRF/XSRF)
Added:
myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/webapp/Secret.java
myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/webapp/SecretSessionListener.java
myfaces/tobago/branches/tobago-1.0.x/core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-1.0.34.dtd
- copied, changed from r1067945, myfaces/tobago/branches/tobago-1.0.x/core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-1.0.30.dtd
Modified:
myfaces/tobago/branches/tobago-1.0.x/core/pom.xml
myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java
myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfigParser.java
myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/lifecycle/RestoreViewExecutor.java
myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/taglib/component/package-info.java
myfaces/tobago/branches/tobago-1.0.x/example/demo/src/main/webapp/WEB-INF/tobago-config.xml
myfaces/tobago/branches/tobago-1.0.x/pom.xml
myfaces/tobago/branches/tobago-1.0.x/theme/scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java
myfaces/tobago/branches/tobago-1.0.x/theme/standard/src/main/resources/org/apache/myfaces/tobago/renderkit/html/standard/standard/script/inputSuggest.js
myfaces/tobago/branches/tobago-1.0.x/theme/standard/src/main/resources/org/apache/myfaces/tobago/renderkit/html/standard/standard/script/tobago.js
Modified: myfaces/tobago/branches/tobago-1.0.x/core/pom.xml
URL: http://svn.apache.org/viewvc/myfaces/tobago/branches/tobago-1.0.x/core/pom.xml?rev=1068193&r1=1068192&r2=1068193&view=diff
==============================================================================
--- myfaces/tobago/branches/tobago-1.0.x/core/pom.xml (original)
+++ myfaces/tobago/branches/tobago-1.0.x/core/pom.xml Mon Feb 7 22:37:06 2011
@@ -256,6 +256,10 @@
<version>1.0</version>
<scope>provided</scope>
</dependency>
+ <dependency>
+ <groupId>commons-codec</groupId>
+ <artifactId>commons-codec</artifactId>
+ </dependency>
</dependencies>
<profiles>
Modified: myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java?rev=1068193&r1=1068192&r2=1068193&view=diff
==============================================================================
--- myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java (original)
+++ myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfig.java Mon Feb 7 22:37:06 2011
@@ -45,6 +45,8 @@ public class TobagoConfig {
private boolean ajaxEnabled;
private boolean fixResourceOrder;
private boolean fixLayoutTransparency;
+ private boolean createSessionSecret;
+ private boolean checkSessionSecret;
private Map<String, Theme> availableTheme;
private RenderersConfig renderersConfig;
@@ -56,6 +58,8 @@ public class TobagoConfig {
ajaxEnabled = true;
fixResourceOrder = false;
fixLayoutTransparency = false;
+ createSessionSecret = false;
+ checkSessionSecret = false;
}
public void addMappingRule(MappingRule mappingRule) {
@@ -192,6 +196,22 @@ public class TobagoConfig {
this.fixLayoutTransparency = Boolean.valueOf(fixLayoutTransparency);
}
+ public boolean isCreateSessionSecret() {
+ return createSessionSecret;
+ }
+
+ public void setCreateSessionSecret(String createSessionSecret) {
+ this.createSessionSecret = Boolean.valueOf(createSessionSecret);
+ }
+
+ public boolean isCheckSessionSecret() {
+ return checkSessionSecret;
+ }
+
+ public void setCheckSessionSecret(String checkSessionSecret) {
+ this.checkSessionSecret = Boolean.valueOf(checkSessionSecret);
+ }
+
@Deprecated
public void setLoadThemesFromClasspath(String loadThemesFromClasspath) {
Deprecation.LOG.error("Deprecated: setting load-theme-resources-from-classpath is "
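Review bot: `setCreateSessionSecret` and `setCheckSessionSecret` parse their value with `Boolean.valueOf`, which recognises only the literal `true`, while the DTD added in this commit declares the new elements as `#PCDATA`, so a config that writes `<check-session-secret>yes</check-session-secret>` (the spelling the DTD's own `Boolean` entity permits elsewhere) validates and leaves the CSRF check disabled without any error. This mirrors the existing setters above, so the behaviour is inherited, but for a security switch a silent off is the worst failure mode. Consider accepting `yes` as well, e.g. `this.checkSessionSecret = "true".equalsIgnoreCase(checkSessionSecret) || "yes".equalsIgnoreCase(checkSessionSecret);`, or at least a Javadoc line on each setter stating that only the literal `true` enables the feature.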
Modified: myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfigParser.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfigParser.java?rev=1068193&r1=1068192&r2=1068193&view=diff
==============================================================================
--- myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfigParser.java (original)
+++ myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/config/TobagoConfigParser.java Mon Feb 7 22:37:06 2011
@@ -43,6 +43,7 @@ public class TobagoConfigParser {
private static final String TOBAGO_CONFIG_DTD_1_0 = "/org/apache/myfaces/tobago/config/tobago-config_1_0.dtd";
private static final String TOBAGO_CONFIG_DTD_1_0_29 = "/org/apache/myfaces/tobago/config/tobago-config-1.0.29.dtd";
private static final String TOBAGO_CONFIG_DTD_1_0_30 = "/org/apache/myfaces/tobago/config/tobago-config-1.0.30.dtd";
+ private static final String TOBAGO_CONFIG_DTD_1_0_34 = "/org/apache/myfaces/tobago/config/tobago-config-1.0.34.dtd";
public TobagoConfig parse(ServletContext context)
throws IOException, SAXException, FacesException {
@@ -94,6 +95,10 @@ public class TobagoConfigParser {
// see bug TOBAGO-916
digester.addCallMethod("tobago-config/fix-layout-transparency", "setFixLayoutTransparency", 0);
+ // session secret
+ digester.addCallMethod("tobago-config/create-session-secret", "setCreateSessionSecret", 0);
+ digester.addCallMethod("tobago-config/check-session-secret", "setCheckSessionSecret", 0);
+
digester.addObjectCreate("tobago-config/renderers", RenderersConfigImpl.class);
digester.addSetNext("tobago-config/renderers", "setRenderersConfig");
digester.addObjectCreate("tobago-config/renderers/renderer", RendererConfig.class);
@@ -131,6 +136,7 @@ public class TobagoConfigParser {
registerDtd(digester, "-//The Apache Software Foundation//DTD Tobago Config 1.0//EN", TOBAGO_CONFIG_DTD_1_0);
registerDtd(digester, "-//The Apache Software Foundation//DTD Tobago Config 1.0.29//EN", TOBAGO_CONFIG_DTD_1_0_29);
registerDtd(digester, "-//The Apache Software Foundation//DTD Tobago Config 1.0.30//EN", TOBAGO_CONFIG_DTD_1_0_30);
+ registerDtd(digester, "-//The Apache Software Foundation//DTD Tobago Config 1.0.34//EN", TOBAGO_CONFIG_DTD_1_0_34);
}
private void registerDtd(Digester digester, String publicId, String entityUrl) {
Modified: myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/lifecycle/RestoreViewExecutor.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/lifecycle/RestoreViewExecutor.java?rev=1068193&r1=1068192&r2=1068193&view=diff
==============================================================================
--- myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/lifecycle/RestoreViewExecutor.java (original)
+++ myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/lifecycle/RestoreViewExecutor.java Mon Feb 7 22:37:06 2011
@@ -20,7 +20,9 @@ package org.apache.myfaces.tobago.lifecy
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.myfaces.tobago.component.ComponentUtil;
+import org.apache.myfaces.tobago.config.TobagoConfig;
import org.apache.myfaces.tobago.renderkit.TobagoResponseStateManager;
+import org.apache.myfaces.tobago.webapp.Secret;
import javax.faces.FacesException;
import javax.faces.application.Application;
@@ -121,6 +123,13 @@ class RestoreViewExecutor implements Pha
facesContext.renderResponse();
}
+ if (!isSessionSecretValid(facesContext)) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Secret is invalid!");
+ }
+ facesContext.renderResponse();
+ }
+
recursivelyHandleComponentReferencesAndSetValid(facesContext, viewRoot);
//noinspection unchecked
facesContext.getExternalContext().getRequestMap().put(VIEW_ROOT_KEY, viewRoot);
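Review bot: A failed secret check at L133 is logged only at debug level and then handled by `facesContext.renderResponse()`, so a rejected cross-site request leaves no trace in production logs and still renders the restored view; for detection this should be at least a WARN, e.g. `LOG.warn("Session secret mismatch, skipping lifecycle for view " + viewRoot.getViewId());` (never include the token values in the message). The check also appears to run for every request, including the non-postback case the preceding lines already route to render-response, so a plain GET always takes the "invalid" branch and the debug message becomes noise; this is hedged because the enclosing condition starts outside the hunk, but gating the check on the postback test whose return is visible at L144 would make the log meaningful. The enclosing method continues outside the hunk.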
@@ -132,6 +141,14 @@ class RestoreViewExecutor implements Pha
return requestParameterMap.containsKey(TobagoResponseStateManager.TREE_PARAM);
}
+ private boolean isSessionSecretValid(FacesContext facesContext) {
+ if (TobagoConfig.getInstance(FacesContext.getCurrentInstance()).isCheckSessionSecret()) {
+ return Secret.check(facesContext);
+ } else {
+ return true;
+ }
+ }
+
public PhaseId getPhase() {
return PhaseId.RESTORE_VIEW;
}
Modified: myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/taglib/component/package-info.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/taglib/component/package-info.java?rev=1068193&r1=1068192&r2=1068193&view=diff
==============================================================================
--- myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/taglib/component/package-info.java (original)
+++ myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/taglib/component/package-info.java Mon Feb 7 22:37:06 2011
@@ -5,8 +5,11 @@
*/
@org.apache.myfaces.tobago.apt.annotation.Taglib(
shortName = "tc", uri = "http://myfaces.apache.org/tobago/component",
- listener = "org.apache.myfaces.tobago.webapp.TobagoServletContextListener",
- fileName = "tobago.tld", displayName = "Tobago Components") package org.apache.myfaces.tobago.taglib.component;
+ listener = {
+ "org.apache.myfaces.tobago.webapp.TobagoServletContextListener",
+ "org.apache.myfaces.tobago.webapp.SecretSessionListener"},
+ fileName = "tobago.tld", displayName = "Tobago Components")
+package org.apache.myfaces.tobago.taglib.component;
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
Added: myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/webapp/Secret.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/webapp/Secret.java?rev=1068193&view=auto
==============================================================================
--- myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/webapp/Secret.java (added)
+++ myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/webapp/Secret.java Mon Feb 7 22:37:06 2011
@@ -0,0 +1,102 @@
+package org.apache.myfaces.tobago.webapp;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import org.apache.commons.codec.binary.Base64;
+import org.apache.myfaces.tobago.renderkit.html.HtmlAttributes;
+import org.apache.myfaces.tobago.renderkit.html.HtmlConstants;
+
+import javax.faces.context.FacesContext;
+import javax.servlet.http.HttpSession;
+import java.io.IOException;
+import java.security.SecureRandom;
+import java.util.Map;
+
+public class Secret {
+
+ private static final String KEY = Secret.class.getName();
+
+ private static final SecureRandom RANDOM = new SecureRandom();
+
+ private static final int SECRET_LENGTH = 16;
+
+ private static final boolean COMMONS_CODEC_AVAILABLE = commonsCodecAvailable();
+
+ private static boolean commonsCodecAvailable() {
+ try {
+ Base64.encodeBase64URLSafeString(new byte[0]);
+ return true;
+ } catch (Error e) {
+ return false;
+ }
+ }
+
+ private String secret;
+
+ private Secret() {
+ byte[] bytes = new byte[SECRET_LENGTH];
+ RANDOM.nextBytes(bytes);
+ secret = COMMONS_CODEC_AVAILABLE ? encodeBase64(bytes) : encodeHex(bytes);
+ }
+
+ private String encodeBase64(byte[] bytes) {
+ return Base64.encodeBase64URLSafeString(bytes);
+ }
+
+ private String encodeHex(byte[] bytes) {
+ StringBuilder builder = new StringBuilder(SECRET_LENGTH * 2);
+ for (byte b : bytes) {
+ builder.append(String.format("%02x", b));
+ }
+ return builder.toString();
+ }
+
+ /**
+ * Checks that the request contains a parameter {@link org.apache.myfaces.tobago.webapp.Secret#KEY}
+ * which is equals to a secret value in the session.
+ */
+ public static boolean check(FacesContext facesContext) {
+ Map requestParameterMap = facesContext.getExternalContext().getRequestParameterMap();
+ String fromRequest = (String) requestParameterMap.get(Secret.KEY);
+ Map sessionMap = facesContext.getExternalContext().getSessionMap();
+ Secret secret = (Secret) sessionMap.get(Secret.KEY);
+ return secret != null && secret.secret.equals(fromRequest);
+ }
+
+ /**
+ * Encode a hidden field with the secret value from the session.
+ */
+ public static void encode(FacesContext facesContext, TobagoResponseWriter writer) throws IOException {
+ writer.startElement(HtmlConstants.INPUT, null);
+ writer.writeAttribute(HtmlAttributes.TYPE, "hidden", false);
+ writer.writeAttribute(HtmlAttributes.NAME, Secret.KEY, false);
+ writer.writeAttribute(HtmlAttributes.ID, Secret.KEY, false);
+ Map sessionMap = facesContext.getExternalContext().getSessionMap();
+ Secret secret = (Secret) sessionMap.get(Secret.class.getName());
+ writer.writeAttribute(HtmlAttributes.VALUE, secret.secret, false);
+ writer.endElement(HtmlConstants.INPUT);
+ }
+
+ /**
+ * Create a secret attribute in the session.
+ * Should usually be called in a {@link javax.servlet.http.HttpSessionListener}.
+ */
+ public static void create(HttpSession session) {
+ session.setAttribute(Secret.KEY, new Secret());
+ }
+}
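Review bot: `Secret` is stored as a session attribute (L280) but does not implement `java.io.Serializable` (L210), so containers that passivate or replicate sessions fail on this attribute with `NotSerializableException`; `public class Secret implements java.io.Serializable` plus a `serialVersionUID` fixes that. In `check` (L258) the token comparison uses `String.equals`, which returns on the first differing byte; `java.security.MessageDigest.isEqual` on the two byte arrays, after a null check on `fromRequest`, gives a comparison whose duration does not depend on where the strings differ. `encode` (L270) looks the session entry up under `Secret.class.getName()` instead of `KEY` and dereferences `secret.secret` without a null check, so a session that has no secret produces a NullPointerException in the middle of rendering. The `catch (Error e)` in `commonsCodecAvailable` is broader than its purpose; `NoClassDefFoundError` is the case being guarded, and since the hex fallback carries the same 128 bits of entropy the optional dependency and the class-init probe could be dropped altogether.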
Added: myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/webapp/SecretSessionListener.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/webapp/SecretSessionListener.java?rev=1068193&view=auto
==============================================================================
--- myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/webapp/SecretSessionListener.java (added)
+++ myfaces/tobago/branches/tobago-1.0.x/core/src/main/java/org/apache/myfaces/tobago/webapp/SecretSessionListener.java Mon Feb 7 22:37:06 2011
@@ -0,0 +1,19 @@
+package org.apache.myfaces.tobago.webapp;
+
+import org.apache.myfaces.tobago.config.TobagoConfig;
+
+import javax.faces.context.FacesContext;
+import javax.servlet.http.HttpSessionEvent;
+import javax.servlet.http.HttpSessionListener;
+
+public class SecretSessionListener implements HttpSessionListener {
+
+ public void sessionCreated(HttpSessionEvent sessionEvent) {
+ if (TobagoConfig.getInstance(FacesContext.getCurrentInstance()).isCheckSessionSecret()) {
+ Secret.create(sessionEvent.getSession());
+ }
+ }
+
+ public void sessionDestroyed(HttpSessionEvent se) {
+ }
+}
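Review bot: `sessionCreated` creates the secret only when `check-session-secret` is on, but PageRenderer (L402) renders the hidden field whenever `create-session-secret` is on; with create=true and check=false `Secret.encode` finds no session entry and throws a NullPointerException on every page. Creation should be keyed on `isCreateSessionSecret()`, and since the check path at L147 needs the secret too, `if (config.isCreateSessionSecret() || config.isCheckSessionSecret())` is the safe gate. `FacesContext.getCurrentInstance()` can be null when the session is created outside a JSF request (a filter or another servlet); whether `TobagoConfig.getInstance` tolerates a null context is not visible here, so a null guard before the lookup would be prudent. The class also needs a Javadoc stating that it must be registered as a session listener (web.xml or the taglib `listener` entry touched in package-info.java), since nothing else creates the secret.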
Copied: myfaces/tobago/branches/tobago-1.0.x/core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-1.0.34.dtd (from r1067945, myfaces/tobago/branches/tobago-1.0.x/core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-1.0.30.dtd)
URL: http://svn.apache.org/viewvc/myfaces/tobago/branches/tobago-1.0.x/core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-1.0.34.dtd?p2=myfaces/tobago/branches/tobago-1.0.x/core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-1.0.34.dtd&p1=myfaces/tobago/branches/tobago-1.0.x/core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-1.0.30.dtd&r1=1067945&r2=1068193&rev=1068193&view=diff
==============================================================================
--- myfaces/tobago/branches/tobago-1.0.x/core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-1.0.30.dtd (original)
+++ myfaces/tobago/branches/tobago-1.0.x/core/src/main/resources/org/apache/myfaces/tobago/config/tobago-config-1.0.34.dtd Mon Feb 7 22:37:06 2011
@@ -18,18 +18,19 @@
-->
<!--
- This is the DTD for the tobago configuration files version 1.0.30.
+ This is the DTD for the tobago configuration files version 1.0.34.
You should use the following DOCTYPE in your tobago-config.xml:
<!DOCTYPE tobago-config PUBLIC
- "-//The Apache Software Foundation//DTD Tobago Config 1.0.30//EN"
- "http://myfaces.apache.org/tobago/tobago-config-1.0.30.dtd">
+ "-//The Apache Software Foundation//DTD Tobago Config 1.0.34//EN"
+ "http://myfaces.apache.org/tobago/tobago-config-1.0.34.dtd">
-->
<!ENTITY % Boolean "(true|false|yes|no)">
<!ELEMENT tobago-config (theme-config, resource-dir*,
- ajax-enabled?, fix-resource-order?, fix-layout-transparency?, renderers?)>
+ ajax-enabled?, fix-resource-order?, fix-layout-transparency?,
+ create-session-secret?, check-session-secret?, renderers?)>
<!ELEMENT theme-config (default-theme, supported-theme*)>
<!ELEMENT default-theme (#PCDATA)>
@@ -53,6 +54,9 @@
-->
<!ELEMENT fix-layout-transparency (#PCDATA)>
+<!ELEMENT create-session-secret (#PCDATA)>
+<!ELEMENT check-session-secret (#PCDATA)>
+
<!ELEMENT renderers (renderer)*>
<!ELEMENT renderer (name|supported-markup)*>
<!ELEMENT supported-markup (markup)*>
Modified: myfaces/tobago/branches/tobago-1.0.x/example/demo/src/main/webapp/WEB-INF/tobago-config.xml
URL: http://svn.apache.org/viewvc/myfaces/tobago/branches/tobago-1.0.x/example/demo/src/main/webapp/WEB-INF/tobago-config.xml?rev=1068193&r1=1068192&r2=1068193&view=diff
==============================================================================
--- myfaces/tobago/branches/tobago-1.0.x/example/demo/src/main/webapp/WEB-INF/tobago-config.xml (original)
+++ myfaces/tobago/branches/tobago-1.0.x/example/demo/src/main/webapp/WEB-INF/tobago-config.xml Mon Feb 7 22:37:06 2011
@@ -18,8 +18,8 @@
-->
<!DOCTYPE tobago-config PUBLIC
- "-//The Apache Software Foundation//DTD Tobago Config 1.0//EN"
- "http://myfaces.apache.org/tobago/tobago-config_1_0.dtd">
+ "-//The Apache Software Foundation//DTD Tobago Config 1.0.34//EN"
+ "http://myfaces.apache.org/tobago/tobago-config-1.0.34.dtd">
<tobago-config>
@@ -32,4 +32,7 @@
<resource-dir>tobago-resource</resource-dir>
<ajax-enabled>true</ajax-enabled>
+
+ <create-session-secret>true</create-session-secret>
+ <check-session-secret>true</check-session-secret>
</tobago-config>
Modified: myfaces/tobago/branches/tobago-1.0.x/pom.xml
URL: http://svn.apache.org/viewvc/myfaces/tobago/branches/tobago-1.0.x/pom.xml?rev=1068193&r1=1068192&r2=1068193&view=diff
==============================================================================
--- myfaces/tobago/branches/tobago-1.0.x/pom.xml (original)
+++ myfaces/tobago/branches/tobago-1.0.x/pom.xml Mon Feb 7 22:37:06 2011
@@ -392,6 +392,12 @@
<version>1.2</version>
</dependency>
<dependency>
+ <groupId>commons-codec</groupId>
+ <artifactId>commons-codec</artifactId>
+ <version>1.4</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.14</version>
Modified: myfaces/tobago/branches/tobago-1.0.x/theme/scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java
URL: http://svn.apache.org/viewvc/myfaces/tobago/branches/tobago-1.0.x/theme/scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java?rev=1068193&r1=1068192&r2=1068193&view=diff
==============================================================================
--- myfaces/tobago/branches/tobago-1.0.x/theme/scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java (original)
+++ myfaces/tobago/branches/tobago-1.0.x/theme/scarborough/src/main/java/org/apache/myfaces/tobago/renderkit/html/scarborough/standard/tag/PageRenderer.java Mon Feb 7 22:37:06 2011
@@ -30,6 +30,7 @@ import org.apache.myfaces.tobago.compone
import org.apache.myfaces.tobago.component.UILayout;
import org.apache.myfaces.tobago.component.UIPage;
import org.apache.myfaces.tobago.component.UIPopup;
+import org.apache.myfaces.tobago.config.TobagoConfig;
import org.apache.myfaces.tobago.context.ClientProperties;
import org.apache.myfaces.tobago.context.ResourceManagerUtil;
import org.apache.myfaces.tobago.model.PageState;
@@ -43,6 +44,7 @@ import org.apache.myfaces.tobago.util.Ac
import org.apache.myfaces.tobago.util.FastStringWriter;
import org.apache.myfaces.tobago.util.MimeTypeUtils;
import org.apache.myfaces.tobago.util.ResponseUtils;
+import org.apache.myfaces.tobago.webapp.Secret;
import org.apache.myfaces.tobago.webapp.TobagoResponseWriter;
import javax.faces.application.Application;
@@ -453,6 +455,10 @@ public class PageRenderer extends PageRe
writer.writeIdAttribute(clientId + SUBCOMPONENT_SEP + "action-position");
writer.endElement(HtmlConstants.INPUT);
+ if (TobagoConfig.getInstance(FacesContext.getCurrentInstance()).isCreateSessionSecret()) {
+ Secret.encode(facesContext, writer);
+ }
+
if (debugMode) {
writer.startElement(HtmlConstants.INPUT, null);
writer.writeAttribute(HtmlAttributes.VALUE, clientLogSeverity);
Modified: myfaces/tobago/branches/tobago-1.0.x/theme/standard/src/main/resources/org/apache/myfaces/tobago/renderkit/html/standard/standard/script/inputSuggest.js
URL: http://svn.apache.org/viewvc/myfaces/tobago/branches/tobago-1.0.x/theme/standard/src/main/resources/org/apache/myfaces/tobago/renderkit/html/standard/standard/script/inputSuggest.js?rev=1068193&r1=1068192&r2=1068193&view=diff
==============================================================================
--- myfaces/tobago/branches/tobago-1.0.x/theme/standard/src/main/resources/org/apache/myfaces/tobago/renderkit/html/standard/standard/script/inputSuggest.js (original)
+++ myfaces/tobago/branches/tobago-1.0.x/theme/standard/src/main/resources/org/apache/myfaces/tobago/renderkit/html/standard/standard/script/inputSuggest.js Mon Feb 7 22:37:06 2011
@@ -59,7 +59,8 @@ Object.extend(new Ajax.Base(), {
"affectedAjaxComponent=" + encodeURIComponent(this.element.id)
+ "&" + encodeURIComponent(this.element.name) + '='
+ encodeURIComponent(this.element.value)
- + "&" + Tobago.getJsfState();
+ + "&" + Tobago.getJsfState()
+ + "&" + Tobago.getSecretParam();
// LOG.debug("start new request");
var requestOptions = Tobago.extend({}, this.options);
Modified: myfaces/tobago/branches/tobago-1.0.x/theme/standard/src/main/resources/org/apache/myfaces/tobago/renderkit/html/standard/standard/script/tobago.js
URL: http://svn.apache.org/viewvc/myfaces/tobago/branches/tobago-1.0.x/theme/standard/src/main/resources/org/apache/myfaces/tobago/renderkit/html/standard/standard/script/tobago.js?rev=1068193&r1=1068192&r2=1068193&view=diff
==============================================================================
--- myfaces/tobago/branches/tobago-1.0.x/theme/standard/src/main/resources/org/apache/myfaces/tobago/renderkit/html/standard/standard/script/tobago.js (original)
+++ myfaces/tobago/branches/tobago-1.0.x/theme/standard/src/main/resources/org/apache/myfaces/tobago/renderkit/html/standard/standard/script/tobago.js Mon Feb 7 22:37:06 2011
@@ -592,6 +592,15 @@ var Tobago = {
}
},
+ getSecretParam: function() {
+ var secret = Tobago.element("org.apache.myfaces.tobago.webapp.Secret");
+ var suffix = "";
+ suffix += encodeURIComponent(secret.name);
+ suffix += "=";
+ suffix += encodeURIComponent(secret.value);
+ return suffix;
+ },
+
clearReloadTimer: function(id) {
var timer = Tobago.reloadTimer[id];
if (timer) {
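Review bot: `getSecretParam` dereferences `secret.name` at L434 without checking that `Tobago.element(...)` found the hidden field, which is rendered only when `create-session-secret` is enabled (PageRenderer L402); with the default of `false` every suggest request built in inputSuggest.js (L420) throws instead of being sent. A guard such as `if (!secret) { return ""; }` directly after L432 keeps the default configuration working (the caller then appends an empty trailing parameter, which is harmless). The element id `org.apache.myfaces.tobago.webapp.Secret` duplicates `Secret.KEY` on the Java side; a comment `// must match Secret.KEY (Secret.class.getName())` would tie the two together for the next maintainer.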