
I have a JSF 2.2 web application without using the Spring framework.

I searched on Google and found out that JSF 2.2 provides out-of-the-box CSRF protection and you just have to enable it.

So I did that following this link: Jsf2.2 csrf demo

And added this in my faces.config.xml file:

<protected-views>
    <url-pattern>/csrf_protected_page.xhtml</url-pattern>
</protected-views>

But how do I set up url-pattern for all my .xhtml pages? I have tried:

<url-pattern>/*</url-pattern>
<url-pattern>/*.xhtml</url-pattern>
<url-pattern>/faces/*.xhtml</url-pattern>

But none of these work.

Sanyam Madaan
  • What does 'none of these work' lead to? WW-III? Interest rates going up? ;-) Or any errors? And please read https://stackoverflow.com/questions/26969415/should-protected-views-be-used-for-jsf-2-2-csrf-protection first. You might not need this after all – Kukeltje Jan 14 '20 at 07:47
  • Effectively btw, you know how to set it up, your title should be _'how to protect many urls in an easy way with '_ – Kukeltje Jan 14 '20 at 07:50
  • @Kukeltje Do you know the solution on how all .xhtml pages can be included in url-pattern? – Sanyam Madaan Jan 14 '20 at 11:19
  • No, did not further investigate this by using search engines. – Kukeltje Jan 14 '20 at 11:31
  • And the links you provided are not very helpful in my scenario. – Sanyam Madaan Jan 14 '20 at 11:41
  • I never said it would solve it. But it DOES contain info that it is sort of not needed for most (all?) pages so a generic 'catch all' is not very relevant. That is where I stopped searching. – Kukeltje Jan 14 '20 at 11:51
  • https://stackoverflow.com/questions/29104597/view-declared-in-protected-views-still-accessible-after-manipulating-csrf-toke – Kukeltje Jan 14 '20 at 13:00

0 Answers