
In order to reinforce CSRF protection in my JSF 2.1 (Mojarra) app, I would like to send with every request/response (every HTTP interaction with the server, GETs and POSTs) a value and validate it against an existing one on the server side that was created the moment a successful login was made.

I tried a nested <input type="hidden"> in a <p:fragment autoUpdate="true"> with a @RequestScoped bean, but I can't afford to go to every <p:commandButton> in my templates and add the id of the form in the update attribute to perform the update (this will trigger validation in the @PostConstruct annotated method).

What are your suggestions?

  • Unfortunately, I can't upgrade to 2.2. – Jalal Sordo Oct 13 '17 at 19:19
  • Any one of JSF's back-end components (phase listener, navigation handler, ViewHandler, etc.) can provide this – kolossus Oct 14 '17 at 02:45
  • For the response yes, but not for the request. – Jalal Sordo Oct 14 '17 at 02:59
  • Should be unnecessary for GETs: https://security.stackexchange.com/a/115810 . POSTs should already be protected by ViewState. – Vsevolod Golovanov Oct 14 '17 at 08:18
  • A phase listener is good across all phases of the JSF lifecycle. Even simpler: a basic servlet filter – kolossus Oct 14 '17 at 09:52
  • A filter will allow me to add a param/value to the request, but that's worthless; it doesn't make any sense altering the request on the server side. – Jalal Sordo Oct 16 '17 at 09:07
  • What exactly is the real-world security issue with your particular JSF application? Are you using client-side state saving or so? If so, then this is possibly your answer: https://stackoverflow.com/q/30507389. JSF has implicit CSRF protection already. See also https://stackoverflow.com/q/7722159. CSRF on GET is indeed nonsense unless you let your webapp manipulate sensitive data on GET instead of POST, which in turn is a bad practice and can better be solved by simply using POST instead of GET for such a case. See also the comments on the currently accepted answer of https://stackoverflow.com/q/26969415 – BalusC Oct 16 '17 at 11:15

0 Answers