I am confused. I see that JSF 2.0 has implicit CSRF protection: How JSF 2.0 prevents CSRF
On the other side according to the article http://www.oracle.com/webfolder/technetwork/tutorials/obe/java/JSF-CSRF-Demo/JSF2.2CsrfDemo.html we should add the following element to the faces-config.xml
file with the list of JSF pages.
<protected-views>
<url-pattern>/csrf_protected_page.xhtml</url-pattern>
</protected-views>
Should <protected-views>
be used for JSF 2.2 CSRF protection?
I am confused. I see that JSF 2.0 has implicit CSRF protection: How JSF 2.0 prevents CSRF
This implicit protection is on POST requests only (i.e. pages with <h:form>
).
On the other side according to the article http://www.oracle.com/webfolder/technetwork/tutorials/obe/java/JSF-CSRF-Demo/JSF2.2CsrfDemo.html we should add the following element to the
faces-config.xml
file with the list of JSF pages.<protected-views> <url-pattern>/csrf_protected_page.xhtml</url-pattern> </protected-views>
This protection will also be effective on GET requests (i.e. pages with <f:viewAction>
, which is also new since JSF 2.2). Whenever you use <h:link>
or <h:button>
to create GET links/buttons to those pages, then a new GET request parameter javax.faces.Token
with an autogenerated token value will be appended to the URL in the generated HTML output and this parameter would be required when the page in question is declared in <protected-views>
.
Should
<protected-views>
be used for JSF 2.2 CSRF protection?
Only on pages with <f:viewAction>
which you'd like to CSRF-protect. Those with <h:form>
are already implicitly protected by javax.faces.ViewState
hidden input field, provided that you didn't turn off JSF view state by <f:view transient="true">
. See also a.o. CSRF, XSS and SQL Injection attack prevention in JSF.
来源:https://stackoverflow.com/questions/26969415/should-protected-views-be-used-for-jsf-2-2-csrf-protection