22 Replies. Latest reply on Nov 18, 2010 3:41 PM by logan
      • 15. Re: New component tag <s:token> aimed to guard against CSRF
        amitev

        What would be the impact of this component when running load tests? Load test applications act like a proxy and replay the POST/GET requests. How could the load test app know that it should submit what's in the token field?

        • 16. Re: New component tag <s:token> aimed to guard against CSRF
          dan.j.allen

          It depends. If your load testing driver behaves like a browser (i.e., with cookie support) then there should be zero impact since the idea of <s:token> is to ensure that the same browser submitting the form also rendered the form. In a sense, it's just asserting that the negotiation is proper. However, if the load testing driver does not behave like a browser, you will likely need to disable the tag if you find it is blocking requests. In that case, I believe you can use the rendered attribute or (better) surround it in a <c:if> tag to disable for tests.


          But really, your load testing should be behaving like a proper browser, and hence there is no impact.


          Please follow up if you have trouble or disagree with this assumption (however, please at least look at how the tag works so we can discuss specifics).

          • 17. Re: New component tag <s:token> aimed to guard against CSRF
            nmatrix9

            Sounds like an awesome idea Dan, by the way I enjoyed your book Seam in Action. Keep up the good work!

            • 18. Re: New component tag <s:token> aimed to guard against CSRF
              email2liyang

              Dan,
              the attribute is not allowMultipleSubmit="true", it's allowMultiplePosts="true". Copying the attribute from here caused a P1 bug in my case; I'm replying to this message to help someone else avoid the same mistake I made :(

              http://docs.jboss.org/seam/2.1.2/reference/en-US/html/controls.html
              • 19. Re: New component tag <s:token> aimed to guard against CSRF
                okianl
                Hello Dan,

                I am using Seam 2.2.0.GA with Tomcat. I tried to use the s:token on the login page like this:


                <h:form id="login">

                    <s:token enableCookieNotice="true" requireSession="false" allowMultiplePosts="true" />

                    <rich:panel style="width:500px">
                        <f:facet name="header">Login</f:facet>

                        <p>Enter your username and your password:</p>

                        <div class="dialog">
                            <h:panelGrid columns="2" rowClasses="prop" columnClasses="name,value">
                                <h:outputLabel for="username">User ID</h:outputLabel>
                                <h:inputText id="username"
                                             value="#{credentials.username}"/>
                                <h:outputLabel for="password">Password</h:outputLabel>
                                <h:inputSecret id="password"
                                               value="#{credentials.password}"/>
                                <h:outputLabel for="rememberMe">Remember me</h:outputLabel>
                                <h:selectBooleanCheckbox id="rememberMe"
                                                         value="#{identity.rememberMe}"/>
                            </h:panelGrid>
                        </div>
                    </rich:panel>

                    <div class="actionButtons">
                        <h:commandButton value="Login" action="#{identity.login}" accesskey="L"/>
                        <h:commandButton value="Password Reminder" action="#{identity.login}"/>
                        <s:button id="requestNewUser" view="/identityManagement/registrationRequest.xhtml" value="Register New User"
                                  accesskey="R"/>
                    </div>

                </h:form>



                I tried it with different combinations of attributes, but no matter how I use it, it gives me this error, more or less depending on the browser. It seems that Firefox works most of the time, whereas Chrome and IE 8 fail a lot. Here is the exception that I get:

                WARNING: viewId: /login.xhtml - Form signature invalid
                org.jboss.seam.ui.UnauthorizedCommandException: viewId: /login.xhtml - Form signature invalid
                        at org.jboss.seam.ui.renderkit.TokenRendererBase.doDecode(TokenRendererBase.java:110)
                        at org.jboss.seam.ui.util.cdk.RendererBase.decode(RendererBase.java:59)
                        at javax.faces.component.UIComponentBase.decode(UIComponentBase.java:789)
                        at javax.faces.component.UIComponentBase.processDecodes(UIComponentBase.java:1031)
                        at javax.faces.component.UIForm.processDecodes(UIForm.java:209)
                        at org.ajax4jsf.component.AjaxViewRoot$1.invokeContextCallback(AjaxViewRoot.java:395)
                        at org.ajax4jsf.component.AjaxViewRoot.processPhase(AjaxViewRoot.java:235)
                        at org.ajax4jsf.component.AjaxViewRoot.processDecodes(AjaxViewRoot.java:412)
                        at com.sun.faces.lifecycle.ApplyRequestValuesPhase.execute(ApplyRequestValuesPhase.java:78)
                        at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100)
                        at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:118)
                        at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
                        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
                        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
                        at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:83)
                        at org.jboss.seam.web.IdentityFilter.doFilter(IdentityFilter.java:40)
                        at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                        at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:90)
                        at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                        at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
                        at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                        at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
                        at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                        at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:178)
                        at org.ajax4jsf.webapp.BaseFilter.handleRequest(BaseFilter.java:290)
                        at org.ajax4jsf.webapp.BaseFilter.processUploadsAndHandleRequest(BaseFilter.java:388)
                        at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:515)
                        at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:56)
                        at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                        at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:60)
                        at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                        at org.jboss.seam.web.HotDeployFilter.doFilter(HotDeployFilter.java:53)
                        at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
                        at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
                        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
                        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
                        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
                        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
                        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
                        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
                        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
                        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
                        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
                        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:873)
                        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
                        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
                        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
                        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
                        at java.lang.Thread.run(Thread.java:619)
                Jul 13, 2010 3:26:23 PM com.sun.faces.lifecycle.Phase doPhase
                SEVERE: JSF1054: (Phase ID: APPLY_REQUEST_VALUES 2, View ID: /login.xhtml) Exception thrown during phase execution: javax.faces.event.PhaseEvent[source=com.sun.faces.lifecycle.LifecycleImpl@16ae2b0]


                Any help is appreciated.

                Thank you,

                Lucian
                • 20. Re: New component tag <s:token> aimed to guard against CSRF
                  okianl

                  I think that there is a bug in the implementation of this feature. I found the fix here


                  http://seamframework.org/Community/SeamTokenTagProblemCSRF


                  Thanks,


                  Lucian

                  • 21. Re: New component tag <s:token> aimed to guard against CSRF
                    udavz.valeriy.molyakov.edb.com

                    More issues with s:token here: http://seamframework.org/Community/StokenDoubleSubmitProblem
                    The issues are linked with double submit detection. There is one defect in the implementation.
                    It is also unclear why MyFaces restores a stamp attribute when doing a double submit. As a result, s:token double submit detection doesn't work.

                    • 22. Re: New component tag <s:token> aimed to guard against CSRF
                      logan
                      I have the same problem with s:token: https://jira.jboss.org/browse/JBSEAM-4503

                      The javax.faces.ClientToken cookie contains illegal characters: "/\"c{>`I?e,6.8oc#SPybp3}E1EK[u<?i
                      Unlike Firefox, under Google Chrome this is a problem.

                      Is there any fast workaround for this?

                      Thank you!
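As an added illustration (not Seam's code) of the mechanism Dan describes in reply 16, a browser-bound cookie token plus a form signature that is recomputed on submit, and of the cookie-value problem in this reply, here is a small Python sketch: the token is base64url-encoded so it only ever contains RFC 6265 cookie-octets, and the signature is an HMAC over view id and token under a server-side key. The key, the message layout and the helper names are assumptions; the illegal cookie value is the one quoted in this post.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 6265 cookie-octet: printable US-ASCII minus CTLs, space, DQUOTE, comma, semicolon, backslash.
COOKIE_OCTET = re.compile(r'^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$')

# The raw value quoted in this post; it contains DQUOTE, comma and backslash, so browsers
# that enforce the cookie grammar (Chrome here) drop it and the next POST arrives without a token.
ILLEGAL_COOKIE_VALUE = '"/\\"c{>`I?e,6.8oc#SPybp3}E1EK[u<?i'


def is_valid_cookie_value(value: str) -> bool:
    """True only if every character is an RFC 6265 cookie-octet."""
    return bool(COOKIE_OCTET.match(value))


def new_client_token(nbytes: int = 16) -> str:
    """Random per-browser token, base64url-encoded so it is always cookie-safe (assumed encoding)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b'=').decode('ascii')


def sign_form(server_key: bytes, view_id: str, client_token: str) -> str:
    """Signature rendered into the form: binds this form to the token held by the rendering browser."""
    msg = f"{view_id}\n{client_token}".encode()
    return hmac.new(server_key, msg, hashlib.sha256).hexdigest()


def verify_form(server_key: bytes, view_id: str, cookie_token: str, form_signature: str) -> bool:
    """On POST: recompute from the cookie the submitting browser actually sent, then compare in constant time.

    A submission whose cookie differs from the one the form was rendered with (another origin's forged
    form, or a client that does not carry cookies, as in the load-test question) fails this check.
    """
    if not is_valid_cookie_value(cookie_token):
        return False
    expected = sign_form(server_key, view_id, cookie_token)
    return hmac.compare_digest(expected, form_signature)


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # assumed server-side signing key
    token = new_client_token()             # Set-Cookie: javax.faces.ClientToken=<token>
    sig = sign_form(key, "/login.xhtml", token)
    print("same browser submits:", verify_form(key, "/login.xhtml", token, sig))
    print("different browser submits:", verify_form(key, "/login.xhtml", new_client_token(), sig))
    print("raw token is cookie-safe:", is_valid_cookie_value(ILLEGAL_COOKIE_VALUE))
```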