protected-views

View declared in <protected-views> still accessible after manipulating CSRF token

前提是你 submitted on 2020-06-25 13:38:28
Question: I'm exploring the new features in JSF 2.2 (pretty cool so far) but I still don't understand how Protected Views works. I created a facelet1 with a link to facelet2, like this: <h:link styleClass="link" value="Go to protected page" id="link1" outcome="/protected/facelet2.xhtml"></h:link> and in my faces-config.xml I added this: <protected-views> <url-pattern>/protected/facelet2.xhtml</url-pattern> </protected-views> Now when I run the page a token is added in the url: http://localhost:8080/

Should <protected-views> be used for JSF 2.2 CSRF protection?

岁酱吖の submitted on 2019-11-28 07:43:06
I am confused. I see that JSF 2.0 has implicit CSRF protection: How JSF 2.0 prevents CSRF On the other side according to the article http://www.oracle.com/webfolder/technetwork/tutorials/obe/java/JSF-CSRF-Demo/JSF2.2CsrfDemo.html we should add the following element to the faces-config.xml file with the list of JSF pages. <protected-views> <url-pattern>/csrf_protected_page.xhtml</url-pattern> </protected-views> Should <protected-views> be used for JSF 2.2 CSRF protection? BalusC I am confused. I see that JSF 2.0 has implicit CSRF protection: How JSF 2.0 prevents CSRF This implicit protection is

Should <protected-views> be used for JSF 2.2 CSRF protection?

…衆ロ難τιáo~ submitted on 2019-11-27 01:56:51
Question: I am confused. I see that JSF 2.0 has implicit CSRF protection: How JSF 2.0 prevents CSRF On the other side according to the article http://www.oracle.com/webfolder/technetwork/tutorials/obe/java/JSF-CSRF-Demo/JSF2.2CsrfDemo.html we should add the following element to the faces-config.xml file with the list of JSF pages. <protected-views> <url-pattern>/csrf_protected_page.xhtml</url-pattern> </protected-views> Should <protected-views> be used for JSF 2.2 CSRF protection? Answer 1: I am confused. I