Examples of UIToken

• org.jboss.seam.ui.component.UIToken
  secpartners.com/files/XSRF_Paper_0.pdf)

  When placed inside a form, this component will first assign a unique identifier to the browser using a cookie that lives until the end of the browser session. This is roughly the browser's private key. Then a unique token is generated using various pieces of information that comprise the form's signature. The token may or may not be bound to the session id, as indicated by the value of the requireSession attribute. The token value is stored in the hidden form field named javax.faces.FormSignature.

  There is an assumption when using this component that the browser supports cookies. Cookies are the only universally available persistent mechanism that can give the browser an identifiable signature. It's important to know that the browser submitting the form is the same browser that is requesting the form.

  During the decode process, the token is generated using the same algorithm that was used during rendering and compared with the value of the request parameter javax.faces.FormSignature. If the same token value can be produced, then the form submission is permitted. Otherwise, an {@link UnauthorizedCommandException} is thrown indicating the reason for thefailure.

  The UIToken can be combined with client-side state saving or the "build before restore" strategy to unbind a POST from the session that created the view without sacrificing security. However, it's still the most secure to require the view state to be present in the session (JSF 1.2 server-side state saving).

  Please note that this solution isn't a complete panacea. If your site is vulnerable to XSS or the connection to wire-tapping, then the unique browser identifier can be revealed and a request forged.

  @author Dan Allen

Examples of org.jboss.seam.ui.component.UIToken

   }

   @Override
   protected void doDecode(FacesContext context, UIComponent component)
   {
      UIToken token = (UIToken) component;
      UIForm form = token.getParentForm();
      if (context.getRenderKit().getResponseStateManager().isPostback(context) && form.isSubmitted())
      {
         String clientToken = token.getClientUid();
         String viewId = context.getViewRoot().getViewId();
         if (clientToken == null)
         {
            throw new UnauthorizedCommandException(viewId, "No client identifier provided");
         }

         String requestedViewSig = context.getExternalContext().getRequestParameterMap().get(FORM_SIGNATURE_PARAM);
         if (requestedViewSig == null)
         {
            throw new UnauthorizedCommandException(viewId, "No form signature provided");
         }

         if (!requestedViewSig.equals(generateViewSignature(context, form, !token.isAllowMultiplePosts(), token.isRequireSession(), clientToken)))
         {
            throw new UnauthorizedCommandException(viewId, "Form signature invalid");
         }
         RenderStampStore store = RenderStampStore.instance();
         if (store != null)

Examples of org.jboss.seam.ui.component.UIToken

   }

   @Override
   protected void doEncodeBegin(ResponseWriter writer, FacesContext context, UIComponent component) throws IOException
   {
      UIToken token = (UIToken) component;
      UIForm form = token.getParentForm();
      if (form == null)
      {
         throw new IllegalStateException("UIToken must be inside a UIForm.");
      }

      String renderStamp = RandomStringUtils.randomAlphanumeric(50);
      RenderStampStore store = RenderStampStore.instance();
      if (store != null)
      {
         // if the store is not null we store the key
         // instead of the actual stamp; this puts the
         // server in control of this value rather than
         // the component tree, which is owned by the client
         // when using client-side state saving
         renderStamp = store.storeStamp(renderStamp);
      }

      writeCookieCheckScript(context, writer, token);

      token.getClientUidSelector().seed();
      form.getAttributes().put(RENDER_STAMP_ATTR, renderStamp);
      writer.startElement(HTML.INPUT_ELEM, component);
      writer.writeAttribute(HTML.TYPE_ATTR, HTML.INPUT_TYPE_HIDDEN, HTML.TYPE_ATTR);
      writer.writeAttribute(HTML.NAME_ATTR, FORM_SIGNATURE_PARAM, HTML.NAME_ATTR);
      writer.writeAttribute(HTML.VALUE_ATTR, generateViewSignature(context, form, !token.isAllowMultiplePosts(), token.isRequireSession(), token.getClientUidSelector().getClientUid()), HTML.VALUE_ATTR);
      writer.endElement(HTML.INPUT_ELEM);
   }