securityjsfcsrfjsf-2.2protected-views

Should <protected-views> be used for JSF 2.2 CSRF protection?

I am confused. I see that JSF 2.0 has implicit CSRF protection: How JSF 2.0 prevents CSRF

On the other side according to the article http://www.oracle.com/webfolder/technetwork/tutorials/obe/java/JSF-CSRF-Demo/JSF2.2CsrfDemo.html we should add the following element to the faces-config.xml file with the list of JSF pages.

<protected-views>
   <url-pattern>/csrf_protected_page.xhtml</url-pattern>
</protected-views>

Should <protected-views> be used for JSF 2.2 CSRF protection?

Solution

  • I am confused. I see that JSF 2.0 has implicit CSRF protection: How JSF 2.0 prevents CSRF

    This implicit protection is on POST requests only (i.e. pages with <h:form>).

    On the other side according to the article http://www.oracle.com/webfolder/technetwork/tutorials/obe/java/JSF-CSRF-Demo/JSF2.2CsrfDemo.html we should add the following element to the faces-config.xml file with the list of JSF pages.

    <protected-views>
   <url-pattern>/csrf_protected_page.xhtml</url-pattern>
</protected-views>

    This protection will also be effective on GET requests (i.e. pages with <f:viewAction>, which is also new since JSF 2.2). Whenever you use <h:link> or <h:button> to create GET links/buttons to those pages, then a new GET request parameter javax.faces.Token with an autogenerated token value will be appended to the URL in the generated HTML output and this parameter would be required when the page in question is declared in <protected-views>.

    This token will in turn be saved in the HTTP session. So, when the same URL is reopened in a different session, e.g. via a bookmark or being shared to another user, then a ProtectedViewException will be thrown which should basically show a message like "Please go back to the page where you found the link and click that link once more", effectively making it unbookmarkable.

    If you want to make them bookmarkable, then you shouldn't be using protected views in first place. Or if you actually want to keep them unbookmarkable but you actually didn't intend to allow the enduser to bookmark/share the URL, then you shouldn't be using GET link/button to this page but instead an ajax POST link/button which opens the desired content in some sort of overlay on the current page, like a modal.

    Should <protected-views> be used for JSF 2.2 CSRF protection?

    Only on pages with <f:viewAction> which you'd like to CSRF-protect. Those with <h:form> are already implicitly protected by javax.faces.ViewState hidden input field, provided that you didn't turn off JSF view state by <f:view transient="true">. See also a.o. CSRF, XSS and SQL Injection attack prevention in JSF.