
If I have an existing JSP tag library, in JSP I can add this:

<%@taglib uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" prefix="csrf" %>

<form>
    ...
    <input type="hidden" name="<csrf:token-name/>" value="<csrf:token-value/>"/>
</form>

This is what I tried adding to a JSF2 Facelets page. It does not like this.

<html xmlns="http://www.w3.org/1999/xhtml"
    xmlns:f="http://java.sun.com/jsf/core"
    xmlns:h="http://java.sun.com/jsf/html"
    xmlns:csrf="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld">
...

<h:form ...>
    ...
    <input type="hidden" name="#{csrf:token-name}" value="#{csrf:token-value}"/>
</h:form>

Is it even possible to do what I am thinking I can do?

Right now I am getting this error:

javax.servlet.ServletException: Encountered ":" at line 1, column 7.
Was expecting one of:
    "}" ...
    "." ...
    "[" ...
    ">" ...
    "gt" ...
    "<" ...
    "lt" ...
    ">=" ...
    "ge" ...
    "<=" ...
    "le" ...
    "==" ...
    "eq" ...
    "!=" ...
    "ne" ...
    "&&" ...
    "and" ...
    "||" ...
    "or" ...
    "*" ...
    "+" ...
    "-" ...
    "/" ...
    "div" ...
    "%" ...
    "mod" ...

    at javax.faces.webapp.FacesServlet.service(FacesServlet.java:606)
...
  • Since facelets, you can't use scriptlets in the page nor any Java code directly in the page. This is a good thing to do. Note that all server side processing **must** be in your controller classes. In this case, in your managed beans, validators, converters, etc. – Luiggi Mendoza Oct 15 '13 at 21:29

2 Answers


The problem is the #{csrf:token-name}. This is expression language, and the csrf is interpreted as a variable (which does not exist). Now, : cannot be interpreted, because it is not a valid symbol inside an EL expression.

You would have to use name="<csrf:token-name/>", like in your first JSP. Unfortunately, in your JSF2 Facelets page, this will lead to malformed XML, and will not work again.

So, what now? It is not possible to set a variable with the contents of <csrf:token-name/>. I took a look at the source of the token tag, and it has no support for setting the token in a variable.

Possible workarounds:

I found a third workaround which possibly solves the problem!

From the CSRF Guard 3 documentation:

Generate Form with Prevention Token

The OWASP CSRFGuard JSP library implements a tag library designed specifically to generate HTML forms with the CSRF prevention token automatically embedded as a hidden field. [...]

Which means you can do:

<csrf:form ...>
    ...
</csrf:form>

Without the need of using an <input type="hidden" name="<csrf:token-name/>" .../> yourself.


Since I had the same issue and there is no good answer on the net I'll share my workaround for the problem

Because you can't use a JSP taglib inside a Facelets page, I came up with the following workaround:

  1. Configure CSRF Guard https://www.owasp.org/index.php/CSRFGuard_3_User_Manual

  2. Create a simple CSRF jsp page (called it "csrfGuard.jsp")

    <%@ taglib uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" prefix="csrf" %>
    <input type="hidden" name="<csrf:tokenname/>" value="<csrf:tokenvalue/>" />

  3. Insert that page in all forms you need to protect:

    <form action="someAction" method="post">
        <o:resourceInclude path="/csrfGuard.jsp" />
        ... Your Code ...
    </form>

Link about Omnifaces resourceInclude http://showcase.omnifaces.org/components/resourceInclude

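The three steps above, wired together as a complete pair of files. This is an added illustration, not ontime's own code: it assumes the CSRFGuard filter is already configured in web.xml, that OmniFaces is on the classpath (its tag-library namespace is http://omnifaces.org/ui), and a hypothetical `orderBean` managed bean; the tag names follow the question's JSP snippet.

```html
<%-- File 1: /csrfGuard.jsp in the web root. The taglib executes here, in a
     JSP, outside the Facelets view, which is why the tag works at all.
     Tag names as in the question's snippet; confirm them against the
     Owasp.CsrfGuard.tld shipped with your CSRFGuard version. --%>
<%@ taglib uri="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld" prefix="csrf" %>
<input type="hidden" name="<csrf:token-name/>" value="<csrf:token-value/>" />

<!-- File 2: /order.xhtml, a Facelets view. xmlns:o is the OmniFaces
     namespace (assumed present on the classpath). -->
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://java.sun.com/jsf/html"
      xmlns:o="http://omnifaces.org/ui">
<h:body>
    <h:form id="orderForm">
        <!-- The JSP's rendered output (the plain HTML hidden field) is
             inlined inside the h:form, so the token is posted with the
             rest of the fields under CSRFGuard's token name and the
             CSRFGuard filter can check it on the POST. Because it is
             plain HTML rather than a JSF component, h:form does not
             prefix its name. -->
        <o:resourceInclude path="/csrfGuard.jsp" />
        <h:inputText id="qty" value="#{orderBean.quantity}" />
        <h:commandButton value="Submit" action="#{orderBean.submit}" />
    </h:form>
</h:body>
</html>
```

Submitting the form and inspecting the POST body should show the CSRFGuard field alongside javax.faces.ViewState; if the field is missing, the include path or the servlet mapping for .jsp is the first thing to check.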
  • JSF2 has builtin CSRF protection when using `` instead of ``. This all is unnecessary. Related reading: http://stackoverflow.com/questions/7722159/csrf-xss-and-sql-injection-attack-prevention-in-jsf – BalusC Aug 03 '15 at 14:48
  • Yes I realize that, but it's not easy to migrate legacy code to support . Especially if there are 40+ forms inside the project – ontime Aug 03 '15 at 14:50