In a past project I worked on we were assigned with protecting the web application we were building against CSRF attacks. We solved this the usual way by generating a token for every session that had to be posted with every form.
We used JSF 2.1 but recently we upgraded to 2.2. When reading about the new features I stumbled upon a small note saying that it JSF now has built-in support for CSRF protection.
see http://jdevelopment.nl/jsf-22/ and search for Cross Site Request Forgery protection
I have not tried this but it seems like a very good thing. I had some problem finding out if something was needed to activate it but finally I found this documentation
http://www.oracle.com/webfolder/technetwork/tutorials/obe/java/JSF-CSRF-Demo/JSF2.2CsrfDemo.html
As it seems all you have to do to activate the CSRF protection is to ass the URL pattern of the pages you want to protect inside a protected-views element in faces-config.xml. See the section called "Implementing CSRF Protection"
If someone tires it out, please comment and let me know of the results.
I tried implementing the solution but the problem I am facing is that I have a big jsf web application with many .xhtml pages so how to include all of those pages in of protected view.
ReplyDelete