
In our applications, there is inter-WAR communication, where one WAR sends an HTTP request to the other. The first WAR is made up of JSP and Struts; OWASP CSRFGuard is implemented and configured for all its pages. The second WAR is made of Spring and JSF. We have the `<protected-views> <url-pattern>**/*.xhtml</url-pattern>` configuration in the faces-config.xml configuration file. When the navigation from the first WAR enters the second WAR, the CSRF security is already enabled for the second WAR.

This causes a problem, blocking JSF's own flow and throwing a 403 Forbidden access + CSRF token null error. I don't know how to enable CSRF for JSF pages.

Also, I don't want to disable the CSRF security. I tried googling but found no help. Does someone have some examples or tutorial links? Or guide me on how to do the same.

Please find the image attached.

[Image: Chrome Developer console]

Thanking you in advance

Regards

Sharry India
Ameya
  • Read this: https://stackoverflow.com/questions/26969415/should-protected-views-be-used-for-jsf-2-2-csrf-protection – Kukeltje Jul 28 '17 at 17:19
  • I have tried the approach using **/*.xhtml to apply the protection to all pages, but it is not working. Still the same error. – Ameya Jul 31 '17 at 10:16
  • I did not state it would solve your actual problem. JSF already has CSRF incorporated, and this Q/A states in the comments that for GET requests in JSF it is useless – Kukeltje Jul 31 '17 at 10:55
  • JSF has CSRF built in so if you disable the **additional** CSRF you still have it. – Kukeltje Aug 01 '17 at 06:35
  • Hi Kukeltje, can you please elaborate your comment? – Ameya Aug 01 '17 at 08:20
  • JSF has CSRF built in. So disabling your custom version will result in there still being CSRF... Can't make it more clear... – Kukeltje Aug 01 '17 at 09:12
  • No, did not help – Ameya Aug 02 '17 at 12:57
  • Good luck then... for me your last statement is unclear. Totally. I have CSRF protection in JSF without any additional tooling and it works... – Kukeltje Aug 02 '17 at 13:04
  • https://www.packtpub.com/mapt/book/application_development/9781782176466/9/ch09lvl1sec84/jsf-security-notes – ℛɑƒæĿᴿᴹᴿ Feb 21 '18 at 19:30
  • Does this answer your question? [How to enable CSRF protection in JSF-Spring integrated application](https://stackoverflow.com/questions/26886121/how-to-enable-csrf-protection-in-jsf-spring-integrated-application), see the answer below – Kukeltje Jan 14 '20 at 07:55

1 Answer

Got this issue resolved by writing a CSRFFormRenderer extending FormRenderer. Link is here

Ameya