I seem to get mixed messages researching on the web. And after reading this: How JSF 2.0 prevents CSRF

Seems like there is one level of CSRF protection in JSF 2.0 & 2.1 (web.xml only).

Seems like there are two levels of CSRF protection with JSF 2.2 (web.xml and a faces-config change).

For JSF 2.x I could add this to web.xml:

<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
</context-param>

or use the default in web.xml:

<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>server</param-value>
</context-param>

My question is: does Mojarra 2.1.3 prevent CSRF attacks using one of these two settings (and which one)?

I understand that with JSF 2.2 CSRF protection can be made more explicit by adding the following to the faces-config.xml file:

<protected-views>
    <url-pattern>/csrf_protected_page.xhtml</url-pattern>
</protected-views>

JeffJak
  • `javax.faces.STATE_SAVING_METHOD` context param exists since JSF 2.0, not from JSF 2.2. And yes, it will do regardless of the param value. You have to re-read BalusC's answer in that question. – Luiggi Mendoza Oct 17 '13 at 14:22

0 Answers