JSF 1.2 and CSRF (Cross Site Request Forgery) protection

Ronan Dowd
Ranch Hand

Joined: Jan 21, 2006
Posts: 84
Hi All,

My webapp uses (among other technologies like JSP, Ajax, Dojo etc) JSF v1.2 on WebSphere 7.0.

I've been fixing security issues in the code recently - in particular Cross Site Request Forgery (CSRF) vulnerabilities. The suggested approach to combat CSRF is to embed a hidden unique token in your form (and also store this same token in the session). In the controller logic (i.e. the code that handles the form's POST) we then check that the session and request tokens match. I've used this in my JSPs to combat CSRF successfully. Basically I have a filter which executes before the form loads. This filter creates the unique token and stores it in the request and session and so on ..

Now for JSF 1.2 ...

I'm wondering how I do this in JSF v1.2 ? Would anyone have any code samples or resources they could point me towards ? Is there a filter mechanism we can employ or some callback on the post ?
One idea I had is that to populate the form with the hidden token I would do (in the form):

<h:inputHidden id="jsfSecurityToken" value="#{myBean.securityToken}"/>

In "myBean.java" I have a getSecurityToken method which
a) creates the token
b) stores it into the request
c) stores it into the session

BUT I don't know how/where on the post I can CHECK if these values match

Page 40/41 of http://turbomanage.files.wordpress.com/2009/10/securing-jsf-applications-against-owasp-top-ten-color.pdf mentions "isPostBack" but I'm not sure how to use this.

Any help would be great

Thanks - Ronan


SCJP 1.4 | OCWCD JEE 5
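One way to do the check Ronan is asking about, as an added example that is not code from the original post: a session-scoped bean generates the token that the `h:inputHidden` renders, and a `PhaseListener` registered before Apply Request Values uses the JSF 1.2 `ResponseStateManager.isPostback()` call (the "isPostBack" the PDF refers to) to verify the submitted value against the session on every form POST. The bean name `csrfBean`, the package `example.csrf`, the component id `jsfSecurityToken` and the session key are all assumptions for this example.

```java
// Added example (not from the original post). Assumed names: package example.csrf,
// managed bean "csrfBean", hidden field id "jsfSecurityToken" inside every protected <h:form>.
package example.csrf;

import java.io.IOException;
import java.security.SecureRandom;
import java.util.Iterator;
import java.util.Map;

import javax.faces.FacesException;
import javax.faces.component.UIComponent;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;
import javax.servlet.http.HttpServletResponse;

/** Session-scoped managed bean; bind the hidden field with value="#{csrfBean.securityToken}". */
public class CsrfTokenBean {
    public static final String SESSION_KEY = "example.csrf.TOKEN";   // assumed key name
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns the session's token, creating it the first time a protected form is rendered. */
    public String getSecurityToken() {
        Map<String, Object> session =
            FacesContext.getCurrentInstance().getExternalContext().getSessionMap();
        String token = (String) session.get(SESSION_KEY);
        if (token == null) {
            byte[] raw = new byte[32];                 // 256 bits from a CSPRNG
            RNG.nextBytes(raw);
            token = toHex(raw);
            session.put(SESSION_KEY, token);
        }
        return token;
    }

    /** Deliberately a no-op: Update Model Values must never let a posted value replace the session token. */
    public void setSecurityToken(String ignored) { }

    /** Constant-time comparison; a null or missing submitted token never matches. */
    public static boolean tokensMatch(String submitted, String expected) {
        if (submitted == null || expected == null || submitted.length() != expected.length()) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < expected.length(); i++) {
            diff |= submitted.charAt(i) ^ expected.charAt(i);
        }
        return diff == 0;
    }

    private static String toHex(byte[] bytes) {        // Java 6 on WebSphere 7 has no java.util.Base64
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(Character.forDigit((b >> 4) & 0xF, 16)).append(Character.forDigit(b & 0xF, 16));
        }
        return sb.toString();
    }

    /** Registered in faces-config.xml; rejects any postback whose token is missing or wrong. */
    public static class CsrfPhaseListener implements PhaseListener {
        public static final String TOKEN_COMPONENT_ID = "jsfSecurityToken";

        public PhaseId getPhaseId() { return PhaseId.APPLY_REQUEST_VALUES; }

        public void beforePhase(PhaseEvent event) {
            FacesContext ctx = event.getFacesContext();
            // isPostback() is true only when the request carries the view state of a submitted form;
            // the initial GET that renders the token is not checked.
            if (!ctx.getRenderKit().getResponseStateManager().isPostback(ctx)) {
                return;
            }
            UIComponent field = findById(ctx.getViewRoot(), TOKEN_COMPONENT_ID);
            if (field == null) {
                return;                                // this view has no protected form
            }
            ExternalContext ext = ctx.getExternalContext();
            // The request parameter is named by the *client* id ("myForm:jsfSecurityToken"), not the bare id.
            String submitted = ext.getRequestParameterMap().get(field.getClientId(ctx));
            String expected = (String) ext.getSessionMap().get(SESSION_KEY);
            if (!tokensMatch(submitted, expected)) {
                try {
                    ((HttpServletResponse) ext.getResponse())
                        .sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid CSRF token");
                } catch (IOException e) {
                    throw new FacesException(e);
                }
                ctx.responseComplete();                // remaining phases are skipped, so no action method runs
            }
        }

        public void afterPhase(PhaseEvent event) { }

        /** Depth-first search by component id over facets and children. */
        private static UIComponent findById(UIComponent root, String id) {
            if (id.equals(root.getId())) return root;
            for (Iterator<UIComponent> it = root.getFacetsAndChildren(); it.hasNext();) {
                UIComponent found = findById(it.next(), id);
                if (found != null) return found;
            }
            return null;
        }
    }
}
```

Register the listener in faces-config.xml under `<lifecycle><phase-listener>example.csrf.CsrfTokenBean$CsrfPhaseListener</phase-listener></lifecycle>`, declare `csrfBean` as a session-scoped `<managed-bean>`, and put `<h:inputHidden id="jsfSecurityToken" value="#{csrfBean.securityToken}"/>` inside each form that changes state. The check lives in a phase listener rather than a `validator` on the hidden field because JSF 1.2's `UIInput.validate()` skips validation when the submitted value is null, so a forged form that simply omits the parameter would never reach a validator; here a missing parameter fails `tokensMatch` and gets a 403. The no-op setter matters for the same reason: with the field's value bound to the bean, Update Model Values would otherwise write whatever was posted back into the session. Forms without the hidden field are not checked at all, so the field has to be in every form you care about.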
bruce truong
Greenhorn

Joined: Mar 14, 2011
Posts: 12
Hello Ronan
I am stuck with the same issue you posted. Did you ever get it to work?

Thanks
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17145

bruce truong wrote:Hello Ronan
I am stuck with the same issue you posted. Did you ever get it to work?

Thanks


I'm afraid that post was about 3 years ago. I imagine that Ronan has moved on to other projects by now.

The original question concerned JSF version 1.2. As of JSF version 2.0, supposedly JSF is inherently immune to CSRF:

http://www.oracle.com/webfolder/technetwork/tutorials/obe/java/JSF-CSRF-Demo/JSF2.2CsrfDemo.html

An IDE is no substitute for an Intelligent Developer.