0

I am new to JSF and Primefaces and I am trying to implement custom portlets for liferay using Primefaces. To submit simple form data I'm using ajax as follows:

<f:ajax execute="@form" render="@form :message-show" listener="#{dataController.addData}" onevent="updateProgresBar" />

Submit will result into ajax call, which has a parameter in url with view mapping, e.g. 

_sampleportlet_WAR_servicexy_INSTANCE_eVh2tM4zSkIj__facesViewIdResource=%2Fview.xhtml

Can you advice whether this view.xhtml mapping is protected against open redirection vulnerabilities as part of JSF/Primefaces spec. or this need to be handled manually? If so, could you advice what is best practice to implement it e.g. some custom filter etc.?

Thanks in advance

giros giros
  • 3
  • 1
  • Each form has a viewState value on it that's submitted with forms for validation to ensure it's the correct one, people if they know your views can hit them from any which way anway, that's upto you to protect if you expect a expected flow - never seen that url mapping before though, maybe it's a liferay thing. – VeenarM Mar 23 '17 at 12:12
  • If I am getting you correctly, I should always check whether e.g. view.xhtml is a valid view on my portlet context, right? – giros giros Mar 23 '17 at 13:40

1 Answers1

1

It is the developer's responsibility to ensure that the current Liferay user has permission to visit specific JSF views that are contained in the portlet application, execute managed bean methods, etc.

For more details, see How do I do security in JSF?

Note that there were three vulnerabilities in Liferay Faces Bridge that were either directly or indirectly related to your question:

In order to ensure that you are using versions of Liferay Faces dependencies that contain fixes for these issues, visit the liferayfaces.org home page and use the drop-down menus to choose your version of Liferay Portal and JSF. After making a selection, the home page will update with the latest Maven/Gradle dependencies.

Community
  • 1
  • 1
Neil Griffin
  • 822
  • 5
  • 10