Should be used for JSF 2.2 CSRF protection?
I am confused. I see that JSF 2.0 has implicit CSRF protection: How JSF 2.0 prevents CSRF This implicit protection is on POST requests only (i.e. pages with <h:form>). On the other side according to the article http://www.oracle.com/webfolder/technetwork/tutorials/obe/java/JSF-CSRF-Demo/JSF2.2CsrfDemo.html we should add the following element to the faces-config.xml file with the list of JSF pages. <protected-views> … Read more