Should <protected-views> be used for JSF 2.2 CSRF protection?

Submitted by 岁酱吖の on 2019-11-28 07:43:06
BalusC

I am confused. I see that JSF 2.0 has implicit CSRF protection: How JSF 2.0 prevents CSRF

This implicit protection is on POST requests only (i.e. pages with <h:form>).


On the other side according to the article http://www.oracle.com/webfolder/technetwork/tutorials/obe/java/JSF-CSRF-Demo/JSF2.2CsrfDemo.html we should add the following element to the faces-config.xml file with the list of JSF pages.

<protected-views>
   <url-pattern>/csrf_protected_page.xhtml</url-pattern>
</protected-views>

This protection will also be effective on GET requests (i.e. pages with <f:viewAction>, which is also new since JSF 2.2). Whenever you use <h:link> or <h:button> to create GET links/buttons to those pages, then a new GET request parameter javax.faces.Token with an autogenerated token value will be appended to the URL in the generated HTML output and this parameter would be required when the page in question is declared in <protected-views>.


Should <protected-views> be used for JSF 2.2 CSRF protection?

Only on pages with <f:viewAction> which you'd like to CSRF-protect. Those with <h:form> are already implicitly protected by javax.faces.ViewState hidden input field, provided that you didn't turn off JSF view state by <f:view transient="true">. See also a.o. CSRF, XSS and SQL Injection attack prevention in JSF.
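As an added illustration (not part of the answer above), this shows how the pieces fit together: the faces-config.xml declaring the protected view, the protected page itself running an <f:viewAction> on GET, and a second page linking to it with <h:link>. The file names, the orderBean bean, its id property and cancel() method, and the order id 42 are assumptions made for the example.

```xml
<!-- WEB-INF/faces-config.xml (JSF 2.2) -->
<faces-config xmlns="http://xmlns.jcp.org/xml/ns/javaee"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                                  http://xmlns.jcp.org/xml/ns/javaee/web-facesconfig_2_2.xsd"
              version="2.2">
    <!-- Every non-postback (GET) request to this view must carry a valid javax.faces.Token -->
    <protected-views>
        <url-pattern>/csrf_protected_page.xhtml</url-pattern>
    </protected-views>
</faces-config>

<!-- csrf_protected_page.xhtml: does state-changing work on GET, hence worth protecting -->
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:f="http://xmlns.jcp.org/jsf/core"
      xmlns:h="http://xmlns.jcp.org/jsf/html">
    <f:metadata>
        <f:viewParam name="id" value="#{orderBean.id}" />
        <!-- assumed bean and method; runs on the GET request before the view renders -->
        <f:viewAction action="#{orderBean.cancel}" />
    </f:metadata>
    <h:body>
        Order #{orderBean.id} cancelled.
    </h:body>
</html>

<!-- orders.xhtml: links to the protected view; JSF appends javax.faces.Token to the href -->
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:f="http://xmlns.jcp.org/jsf/core"
      xmlns:h="http://xmlns.jcp.org/jsf/html">
    <h:body>
        <h:link outcome="csrf_protected_page" value="Cancel order">
            <f:param name="id" value="42" />
        </h:link>
        <!-- rendered roughly as:
             <a href="/app/csrf_protected_page.xhtml?id=42&amp;javax.faces.Token=...">Cancel order</a>
             A plain GET for /csrf_protected_page.xhtml?id=42 without a valid token (for example
             one triggered from a foreign page) is rejected with
             javax.faces.application.ProtectedViewException instead of running the view action. -->
    </h:body>
</html>
```

Pages that merely render a form keep their existing javax.faces.ViewState protection and need no entry in <protected-views>.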
