jsr344-experts@javaserverfaces-spec-public.java.net

[jsr344-experts] Re: PRD Review and pending issues (View Protection and Ajax)

From: Leonardo Uribe <lu4242_at_gmail.com>
Date: Mon, 4 Feb 2013 19:35:31 -0500

Hi

I finally created this issue:

http://java.net/jira/browse/JAVASERVERFACES_SPEC_PUBLIC-1161

CSRF protection cannot be used "out of the box" without create a
custom component or override forcefully ExternalContext


I think we definitively need to fix it before 2.2, because looking the
feature as a whole, my impression is the code is just
incomplete/broken. The user will be forced to write the same code to
use it (create custom component for a link or button and optionally
override some ExternalContext method to append the query param. (how
to test it without do the previous steps?).

regards,

Leonardo Uribe




2013/1/31 Edward Burns <edward.burns_at_oracle.com>
>
> >>>>> On Tue, 22 Jan 2013 13:57:36 -0500, Leonardo Uribe <lu4242_at_gmail.com> said:
>
> LU> In this case the same pattern could be applied. A param in h:link /
> LU> h:button
> LU> like enableViewProtection or something like that could be helpful.
>
> If you feel it's worthwhile, please file an issue. Otherwise, I think
> it can wait til after 2.2.
>
> Ed
>
> --
> | edward.burns_at_oracle.com | office: +1 407 458 0017
> | homepage: | http://ridingthecrest.com/