Should be used for JSF 2.2 CSRF protection?

by

I am confused.
I see that JSF 2.0 has implicit CSRF protection:
How JSF 2.0 prevents CSRF

This implicit protection is on POST requests only (i.e. pages with <h:form>).

On the other side according to the article http://www.oracle.com/webfolder/technetwork/tutorials/obe/java/JSF-CSRF-Demo/JSF2.2CsrfDemo.html we should add the following element to the faces-config.xml file with the list of JSF pages.

<protected-views>
   <url-pattern>/csrf_protected_page.xhtml</url-pattern>
</protected-views>

This protection will also be effective on GET requests (i.e. pages with <f:viewAction>, which is also new since JSF 2.2). Whenever you use <h:link> or <h:button> to create GET links/buttons to those pages, then a new GET request parameter javax.faces.Token with an autogenerated token value will be appended to the URL in the generated HTML output and this parameter would be required when the page in question is declared in <protected-views>.

Should <protected-views> be used for JSF 2.2 CSRF protection?

Only on pages with <f:viewAction> which you’d like to CSRF-protect. Those with <h:form> are already implicitly protected by javax.faces.ViewState hidden input field, provided that you didn’t turn off JSF view state by <f:view transient="true">. See also a.o. CSRF, XSS and SQL Injection attack prevention in JSF.

More Related Contents:

  1. Where to store JWT in browser? How to protect against CSRF?
  2. CSRF protection: do we have to generate a token for every form?
  3. Difference between CSRF and X-CSRF-Token
  4. Am I under risk of CSRF attacks in a POST form that doesn’t require the user to be logged in?
  5. Understanding CSRF
  6. What is token-based authentication?
  7. Non-random salt for password hashes
  8. Cross Domain Form POSTing
  9. Are HTTPS headers encrypted?
  10. @ViewScoped bean recreated on every postback request when using JSF 2.2
  11. How secure is a HTTP POST?
  12. Payment Processors – What do I need to know if I want to accept credit cards on my website? [closed]
  13. Declaring Spring Bean in Parent Context vs Child Context
  14. Moving old passwords to new hashing algorithm?
  15. Is it secure to submit from a HTTP form to HTTPS?
  16. How to prevent arbitrary client apps from using anonymous web API?
  17. Is HTTP header Referer sent when going to a http page from a https page?
  18. Is it possible to reverse a SHA-1 hash?
  19. Removing specific CDI managed beans from session
  20. Are JSON web services vulnerable to CSRF attacks?
  21. Process f:viewParam only on page load
  22. What’s the best approach for generating a new API key?
  23. client secret in OAuth 2.0
  24. What is the best “forgot my password” method? [duplicate]
  25. Do I need a “random salt” once per password or only once per database?
  26. How is it possible to access memory of other processes?
  27. How easily can you guess a GUID that might be generated?
  28. How do you protect code from leaking outside? [duplicate]
  29. Populate p:selectOneMenu based on another p:selectOneMenu in each row of a p:dataTable
  30. Setting cookie in iframe – different Domain

Leave a Comment