
In faces-config.xml

  <protected-views>
        <url-pattern>*.xhtml</url-pattern> <!-- or a more specific URL pattern -->
  </protected-views>

But no token (protected.xhtml?javax.faces.Token=) was generated and appended to the URL as explained here: Example

I only see the jsessionid parameter in the URL, e.g. (localhost:8080/x/y/z;jsessionid=mVpYT). Therefore I get the expected javax.faces.application.ProtectedViewException in org.apache.myfaces.lifecycle.RestoreViewExecutor.checkViewProtection(RestoreViewExecutor.java:396), which is the point of this protection mechanism, I guess.

I am using myfaces-api and core version: 2.3.10.

What am I missing? Thank you.

MacNord

1 Answer


I realized that the mechanism only works for links from another page of the same application and NOT if you call the protected site directly, e.g. externally or via the URL bar of your browser.

That is because the token must be generated beforehand and will be included in the link like this:

<a href="/availability/login.xhtml?javax.faces.Token=8E1DC107DDAF85A5FD4AFC05AB515B4D">Get Link to Login</a>

This also implies that the page is ONLY reachable via <h:button> or <h:link> and not via any JSF commandButton or commandLink. Otherwise you will get the ProtectedViewException because the token is missing.

A better way for me to protect against CSRF is to avoid <f:view transient="true"> or <f:viewAction>, as explained here: Should <protected-views> be used for JSF 2.2 CSRF protection?

MacNord