Saturday, August 25, 2012

Primefaces+Atmosphere+Push+Maven Setup

Primefaces recently announced their Atmosphere-based push component. Unfortunately, the setup process isn't well documented yet, and it takes a few trial-and-error iterations to get it working.

I assume you already have a working JSF+Primefaces+Maven environment, but when you try to use the new Prime Push of the upcoming v3.4, you get one of these errors:

  • NoClassDefFoundError for org.atmosphere.cpr.AtmosphereServlet or org.primefaces.push.PushContextFactory
  • Error 500/404 from http://localhost:8080/YOUR_CONTEXT/primepush/YOUR_CHANNEL

First, you need to add two dependencies to your project:

  • Note that the last one should match your environment. That is, if you are running in a Tomcat environment, use atmosphere-compat-tomcat.
  • Note that you need the latest beta version. The stable 0.9.7 version is not compatible with Primefaces Push.

Having done that, you'll need to add the following servlet to your web.xml:

  • Make sure the channels values match the channels you are about to use.
  • Don't add leading/trailing backslashes.

And that's it.

For example:

  1. Put "msg" in the param-value.
  2. Add the following snippet to one of your pages:
  3. Add the following to one of your beans:

When you invoke the push() method, the String will be pushed back to the client.

Friday, March 16, 2012

Lastpass.com security vulnerability

Recently, I've discovered an XSS (Cross-site scripting) vulnerability in the Lastpass.com add-on for browsers.
Lastpass.com is a password manager that keeps passwords in the cloud in a secure manner.

The vulnerability allows a malicious site owner to craft a special field; if and when the user decides to remove that field from the vault, arbitrary JavaScript code would be executed. The code would be able to access the runtime environment of the plugin, and thus submit sensitive information about Lastpass.com users to an external site.

Lastpass.com acknowledged the vulnerability and issued a patch in a short amount of time. Lastpass.com add-ons are no longer affected by the issue, at the moment. They also publicly credited me for the disclosure at https://lastpass.com/support_security.php