Re: [faces-dev] Client Window ID Issue
  
  
    If everyone is happy with the PR, I'd love to get this merged and
      a release made. We have a code freeze for WildFly 31, and I'd love
      to be able to ship this in the new version.
    
    On 12/12/23 9:03 AM, Jason Lee via
      faces-dev wrote:
    
    
      
      Perfect. Licenses always feel like a potential landmine. :)
      I've updated the PR as requested. 
      
      Thanks!
      
      On 12/12/23 7:57 AM, Arjan Tijms
        wrote:
      
      
        
        Hi,
          
          
          While licenses are always a concern, it looks like
            Mojarra already incorporates a few files with this license.
          
          
          Kind regards,
          Arjan Tijms
          
          
        
        
          
          
            
              Concerns over how Mojarra generates its client window
                ID were recently brought to my attention. While the spec
                appears to be silent on the issue, Mojarra uses the
                session ID to build the ID, and MyFaces uses a secure
                random. The use of the session ID is of concern to the
                reporter here, as that can contribute to session
                hijacking attacks, at least in theory. While there are ways
                to mitigate or reduce those chances, I'd like to
                eliminate them altogether.
              I have filed an issue (https://github.com/eclipse-ee4j/mojarra/issues/5375)
                and put up a PR (https://github.com/eclipse-ee4j/mojarra/pull/5376).
                While I know the PR will be seen eventually, I bring it
                up here to highlight that I copied (copyright and all,
                of course), the TokenGenerator class that MyFaces uses.
                If that (or the license, etc) is an issue, please let me
                know and I'll work on another implementation. Since
                there was an existing open source one with what I
                _think_ is a compatible license, I saw no reason for the
                exercise (I actually used a potentially naive UUID-based
                impl to test with originally). I hope I wasn't wrong. :)
              
              
             
            _______________________________________________
            faces-dev mailing list
            faces-dev@xxxxxxxxxxx
            To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/faces-dev
          
         
      
      
      
      
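The concern raised in the thread (a client window ID built from the HTTP session ID versus one drawn from a secure random source), as an added illustration that is not code from Mojarra, MyFaces or the PR under discussion. The concatenation used by `SessionDerivedGenerator` is a hypothetical stand-in for "uses the session ID to build the ID", the class names and the sample session ID are constructed for the example, and `jfwid` is the JSF client window URL parameter the ID travels in. `RandomTokenGenerator` shows the shape of the alternative the PR adopts (an independent `SecureRandom` token), not the MyFaces `TokenGenerator` itself:

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.atomic.AtomicLong;

// Added example, not Mojarra's or MyFaces' code. Contrasts a hypothetical
// session-derived client window id with an independent SecureRandom token
// and shows what each reveals once it is placed in a navigation URL.
public final class ClientWindowIdExample {

    // Hypothetical weak scheme (assumption, not Mojarra's exact algorithm):
    // window id = session id + per-session counter. Unique per window, but
    // the id carries the session identifier with it wherever it goes.
    static final class SessionDerivedGenerator {
        private final AtomicLong counter = new AtomicLong();

        String next(String sessionId) {
            return sessionId + "_" + counter.incrementAndGet();
        }
    }

    // Secure scheme: at least 128 bits from the platform CSPRNG, URL-safe
    // base64 so the value can be used directly as a query parameter.
    // Use the default SecureRandom; never seed it with a predictable value.
    static final class RandomTokenGenerator {
        private final SecureRandom random = new SecureRandom();
        private final int numBytes;

        RandomTokenGenerator(int numBytes) {
            if (numBytes < 16) {
                throw new IllegalArgumentException("use at least 128 bits of entropy");
            }
            this.numBytes = numBytes;
        }

        String next() {
            byte[] buf = new byte[numBytes];
            random.nextBytes(buf);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        }
    }

    // A client window id is appended to navigation URLs as the jfwid
    // parameter, and from there reaches Referer headers, proxy and web
    // server logs, browser history and bookmarks.
    static String navigationUrl(String windowId) {
        return "/app/page.xhtml?jfwid=" + windowId;
    }

    // What an observer of that URL (for example a third-party site reading
    // the Referer header) can recover: true if the session id is exposed.
    static boolean urlRevealsSessionId(String url, String sessionId) {
        return url.contains(sessionId);
    }

    public static void main(String[] args) {
        // Constructed sample value, not a real session id.
        String sessionId = "2F6A1C0E9B3D4758A0E1";

        String weakUrl = navigationUrl(new SessionDerivedGenerator().next(sessionId));
        String strongUrl = navigationUrl(new RandomTokenGenerator(16).next());

        System.out.println("session-derived: " + weakUrl
                + "  reveals session id? " + urlRevealsSessionId(weakUrl, sessionId));
        System.out.println("secure random:   " + strongUrl
                + "  reveals session id? " + urlRevealsSessionId(strongUrl, sessionId));
    }
}
```

Compile with `javac ClientWindowIdExample.java` and run with `java ClientWindowIdExample`: the first URL contains the session id verbatim, so anyone who logs or receives that URL can attempt to replay the session cookie, while the second URL is unrelated to the session and tells an observer nothing about it. The random token only removes the leak; it is still an identifier for a browser window, not an authenticator, and must not be treated as one.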