After publishing my blog entry Apache OpenWebBeans meets Eclipse RCP, I was contacted by Claudia Fröhling asking if I wanted to write about this topic for the Eclipse Magazin. I was very glad to get this offer and, of course, agreed to write the article. Authoring such an article was a quite new experience for me, and I really enjoyed it. Hopefully it will not be the last one.

You can obtain a copy of the current Eclipse Magazin here or you can download the iPad app of the magazine.

At the beginning we did a lot of SQL injection exploits, at first manually and later using sqlmap. Then we looked into XSS, XSRF and poor session management. And last but not least we took a look at buffer overflows, using metasploit as shellcode generator. Unfortunately, we did not have time to check out the jsf-security web application, which would have shown some vulnerabilities of (old versions of) JSF 2.

The workshop HOW-TO and all the source files used at the workshop are available at github: https://github.com/jakobk/confess-2012

As promised at the session, here are the slides as PDF: Web_Security_jakobk.pdf

I really enjoyed speaking at CONFESS, and now I am looking forward to my workshop (again about web security) on Wednesday.

Edit 2012-05-15: The slides are now also available on slideshare:

After some time I figured out how to combine OWB and Eclipse RCP thanks to the excellent plugin system of OWB. Now I finally found some time to put the relevant classes online. You can find the project at apache-extras: http://code.google.com/a/apache-extras.org/p/openwebbeans-eclipse-rcp/

Please note: Although this is a maven project, I was not able to really build it with maven, b/c I couldn’t find a way to get all the relevant eclipse jars into a maven repo. If you want to use it, the best way is to copy the source files directly into your Eclipse RCP project.

If anyone is interested in getting this stuff running in his/her Eclipse RCP project, just ping me and I can help you with the pitfalls.

It basically states that it is possible in JSF 2 to perform ValueExpression injection when includeViewParams is set to true on a navigation case.

To illustrate this in a better way, I created an example project at apache-extras, which shows the vulnerability: http://code.google.com/a/apache-extras.org/p/jsf-includeviewparams-security-hole-example/

Use the following steps to run the example:

1. svn checkout http://svn.codespot.com/a/apache-extras.org/jsf-includeviewparams-security-hole-example/trunk/
2. mvn clean jetty:run-exploded -PjettyConfig
3. go to http://localhost:8080/include-view-params-security and follow the instructions

This vulnerability exists, because JSF treats the value of a view parameter as a ValueExpression when performing a navigation case with includeViewParams=true. For further details, see the issues at Mojarra and MyFaces: http://java.net/jira/browse/JAVASERVERFACES-2247 and https://issues.apache.org/jira/browse/MYFACES-3405

Until this is fixed you should avoid using includeViewParams=true!

Together with Marcus Büttner and Mark Struberg I will adapt the relative resource handler for the administration software of the Vienna University of Technology, TISS [2]. For this task the relative resource handler will include some new features apart from supporting relative paths between resources, like e.g. supporting external resource locations. Check out the issue tracker for all enhancements [3]. Also, we already created a wiki page [4] for a list of all requirements.

Stay tuned!

[1] http://code.google.com/a/apache-extras.org/p/relative-resource-handler/
[2] https://tiss.tuwien.ac.at/
[3] http://code.google.com/a/apache-extras.org/p/relative-resource-handler/issues/list
[4] http://code.google.com/a/apache-extras.org/p/relative-resource-handler/wiki/Requirements

MyFaces core 2.1.x is now here:

https://svn.apache.org/repos/asf/myfaces/core/trunk/
https://svn.apache.org/repos/asf/myfaces/shared/trunk/
or
https://svn.apache.org/repos/asf/myfaces/current21/

MyFaces core 2.0.x is now here:

https://svn.apache.org/repos/asf/myfaces/core/branches/2.0.x/
https://svn.apache.org/repos/asf/myfaces/shared/trunk_4.0.x/
or
https://svn.apache.org/repos/asf/myfaces/current20/

I joined the EG, because some issues which were chosen for JSF 2.2, were originated by myself, like JAVASERVERFACES_SPEC_PUBLIC-976 or JAVASERVERFACES_SPEC_PUBLIC-947 (see other blog post). In addition, I will certainly contribute code for some issues, e.g. for JAVASERVERFACES_SPEC_PUBLIC-947 (because this spec issue is the result of my AdvancedResourceHandler in MyFaces commons).

I am really looking forward to working with Ed Burns and the other EG members and to creating a kick-ass new version of JSF!

Created via JIRA’s custom search query api.

There are currently about 330 open issues in the specification issues tracker and the number is slightly growing, since Ed told everyone to file their issues, because otherwise the problem “does not exist”.

Working through the open issues, I found out that there are some parts which do not have a spec issue yet, for example the question of integrating JSF’s managed bean mechanism with CDI (JSR-299) or the concept of CODI’s type-safe view config. Thus I created about 5 new issues in the tracker.

And here they are – my TOP 5 JSF 2.2 issues:

• JAVASERVERFACES_SPEC_PUBLIC-901 – Deprecate “targets” concept
• JAVASERVERFACES_SPEC_PUBLIC-907 – Improve Ajax Http.Get support to (re)render parts of the page
• JAVASERVERFACES_SPEC_PUBLIC-947 – Relative Resources
• JAVASERVERFACES_SPEC_PUBLIC-949 – Window-id
• JAVASERVERFACES_SPEC_PUBLIC-972 – [JSR-303 integration] @Valid support for custom types

The first one comes from a discussion on the jsr-314-open list I had with Ed, Andy Schwartz and some other guys about (how I call it) “the epic fail targets attribute”. The second one is from Matthias Wessendorf and improves the Websocket support for JSF. The third one originates from my Advanced JSF 2 ResourceHandler implementation in MyFaces Commons. The fourth one comes from MyFaces CODI and the fifth one comes from Gerhard Petracek, a colleague of mine from IRIAN who is Bean Validation expert group member.

However, there are some other open issues, which I created, that I cannot vote for (simply because you cannot vote for the issues you created):

• JAVASERVERFACES_SPEC_PUBLIC-977 – Type-safe view config and navigation
• JAVASERVERFACES_SPEC_PUBLIC-976 – Future of JSF Managed Beans and CDI
• JAVASERVERFACES_SPEC_PUBLIC-974 – Add support for conditional comments to h:outputStylesheet and h:outputScript (add condition attribute)
• JAVASERVERFACES_SPEC_PUBLIC-953 – Provide a way to find out if content was defined for a
• JAVASERVERFACES_SPEC_PUBLIC-946 – Provide internal server path of resources from Resource API via EL
• JAVASERVERFACES_SPEC_PUBLIC-796 – Use the model value for a UIViewParameter only on a postbacks
• JAVASERVERFACES_SPEC_PUBLIC-795 – UIViewParameter state saving algorithm
• JAVASERVERFACES_SPEC_PUBLIC-755 – passing through of actionListener, action,.. not possible between composite components
• JAVASERVERFACES_SPEC_PUBLIC-745 – Type of #{cc.attrs.test} cannot be obtained if test resolves to null

I you have some time, check them out and if you find them important enough, please vote! Deadline is Tuesday, April 19th, in the evening.