Issue Details

Key: JAVASERVERFACES_SPEC_PUBLIC-559
Type: New Feature
Status: Open
Priority: Major
Assignee: Unassigned
Reporter: kito75
Votes: 11
Watchers: 7
Project: javaserverfaces-spec-public

Support for the "Synchronizer Token" pattern (avoiding double submits)

Created: 05/May/09 06:39 PM   Updated: 08/Nov/13 09:15 PM
Component/s: Lifecycle
Affects Version/s: 2.0
Fix Version/s: 2.3

Time Tracking:
Not Specified

File Attachments: 1. File jsf2csrf.war (4.56 MB) 14/Jul/10 10:19 AM - kito75
2. File jsf2token.war (7.25 MB) 14/Jul/10 10:06 AM - kito75

Environment:

Operating System: All
Platform: All


Issuezilla Id: 559
Status Whiteboard:

cat2 frame size_medium importance_large cat3 draft

Tags:
Participants: Ed Burns, joshbrookes, kito75, rogerk and sheetalv


Description

This is a very common web application problem
(http://www.javajunkies.org/index.pl?lastnode_id=3361&node_id=3355) – avoiding
double submits. Struts had built-in support for this. JSF-related implementations:

Spring Web Flow, Struts 2, and Grails 1.1
(http://www.grails.org/1.1+Release+Notes) also support this natively.

I'd really like to see this in JSF 2.1 at the very latest.



Ed Burns added a comment - 11/Aug/09 12:46 PM

Move to 2.1. Also make this handle Dan's concern here:

DA> It's crucial that the enablement of this feature be accompanied by a
DA> secure token being exchanged in the case of server-side state
DA> saving.


Ed Burns added a comment - 24/Nov/09 07:48 AM

Prepare to delete "spec" subcomponent.


Ed Burns added a comment - 14/Dec/09 08:59 AM

Move these to unscheduled because we need to target them correctly. 2.next isn't
specific enough.


rogerk added a comment - 05/Mar/10 07:49 AM

cat2


Ed Burns added a comment - 17/Mar/10 02:12 PM

lifecycle


Ed Burns added a comment - 07/May/10 10:57 AM

Transaction token has been requested many times over the years.


kito75 added a comment - 08/May/10 12:40 PM

I've got some code I wrote for a client based on Shale's token that I can clean up and submit as a
prototype. If you're interested, just let me know when it's time.


Ed Burns added a comment - 15/May/10 07:54 AM

These are targeted at 2.1.


sheetalv added a comment - 10/Jun/10 12:48 PM

triage


Ed Burns added a comment - 24/Jun/10 02:41 PM

GlassFish 3.1 M6 at the latest.


Ed Burns added a comment - 24/Jun/10 02:52 PM

xsrf

Security related, target for GlassFish 3.1 M3


Ed Burns added a comment - 30/Jun/10 05:58 PM

cat3


rogerk added a comment - 01/Jul/10 05:41 AM

Hey Kito -

It's time. Let's see what you have. If you can also submit a proposal that
would be helpful as well.

-roger


rogerk added a comment - 01/Jul/10 05:47 AM

This could probably reside in the core namespace - like f:token ?


Ed Burns added a comment - 01/Jul/10 06:47 AM

Roger, please take a look at https://javaserverfaces.dev.java.net/issues/show_bug.cgi?id=812 for more
valuable information.


rogerk added a comment - 01/Jul/10 12:26 PM

Ahh yes - thanks for the pointer. Apparently there are many ways to skin this
cat ....


kito75 added a comment - 14/Jul/10 10:06 AM

Created an attachment (id=255)
Sample CSRF Solution (JSF 1.2)


kito75 added a comment - 14/Jul/10 10:19 AM

Created an attachment (id=256)
Sample CSRF Solution (JSF 1.2) – the other file is for avoiding double submits


kito75 added a comment - 14/Jul/10 10:38 AM

I have attached two samples:

  • jsf2token.war – sample UIToken component specifically for avoiding double submits (but would
    probably handle CSRF attacks too)
  • jsf2csrf.war – sample solution for handling Cross-site Request Forgery (CSRF) attacks only.

The source for both is in the WEB-INF/classes directory.

The token approach uses a standard JSF component that outputs a hidden field in the form. The hidden
field is created based on a server-generated secret key plus other information, such as the current view
id. What's a little different is that a phase listener decodes the component before Apply Request Values.
The goal here was to check the token before any other decoding takes place. Also, the token isn't
released until after Invoke Application to ensure that application processing has occurred.

For JSF 2, I think either enhancing UIForm, providing an alternate UIForm, or using a ClientBehavior
might be a better option than a separate component. Using UIForm would avoid the need to handle
decoding in the PhaseListener.

The CSRF approach is a little different. It still generates a special token based on a server-generated
secret key, but it does so based on the session, not on the view. It then appends the token to every JSF-
generated request through ViewHandler.getActionURL(). It uses a PhaseListener to ensure that every
incoming request has a valid token.

It's possible to combine these approaches, but I like the way the CSRF approach doesn't require anything
on the part of the developer. The caveat is that since it's session-based, it's probably not as secure as a
form-based approach. Also, a form-based variant is required to avoid double submits.

I'm not familiar with back button solutions, so I can't comment on how this code is applicable.
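
The two mechanisms described in the comment above, as an added example that is not kito75's attached code and not part of the JSF specification: a form-scoped synchronizer token that is checked before Apply Request Values and released only after Invoke Application, beside a session-scoped CSRF token of the kind appended to every generated action URL. It is written in Python rather than Java so the pattern runs without a JSF container; SERVER_SECRET, the session dict, the view ids and the submit_form lifecycle stand-in are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Assumed server-generated secret key (the comment's "server-generated secret key").
# A real deployment generates it once at startup and never sends it to the browser.
SERVER_SECRET = secrets.token_bytes(32)


def _sign(*parts: str) -> str:
    """HMAC-SHA256 over the pipe-joined parts, hex encoded."""
    return hmac.new(SERVER_SECRET, "|".join(parts).encode(), hashlib.sha256).hexdigest()


def _equal(a: str, b: str) -> bool:
    """Constant-time comparison that tolerates arbitrary (non-ASCII) input."""
    return hmac.compare_digest(a.encode(), b.encode())


def new_session() -> dict:
    """Constructed stand-in for an HTTP session: an id plus server-side token state."""
    return {"id": secrets.token_hex(16), "pending": {}}


# --- Form-scoped token: one per rendered form, consumed once (double-submit guard) ---

def issue_form_token(session: dict, view_id: str) -> str:
    """Called while rendering; the value is what the hidden field would carry."""
    nonce = secrets.token_hex(8)
    token = f"{nonce}.{_sign(session['id'], view_id, nonce)}"
    session["pending"][token] = view_id      # outstanding until the action has run
    return token


def validate_form_token(session: dict, view_id: str, token: str) -> bool:
    """Check before Apply Request Values, so nothing else is decoded on a bad request."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False                          # missing or malformed hidden field
    if not _equal(mac, _sign(session["id"], view_id, nonce)):
        return False                          # forged, or minted for another view/session
    return session["pending"].get(token) == view_id   # unknown or already consumed


def release_form_token(session: dict, token: str) -> None:
    """Run after Invoke Application; a failing action leaves the token usable."""
    session["pending"].pop(token, None)


def submit_form(session: dict, view_id: str, params: dict, action) -> str:
    """Simulates the request lifecycle around the two hooks; returns the outcome."""
    token = params.get("token", "")
    if not validate_form_token(session, view_id, token):
        return "rejected"                     # before any other decoding
    result = action(params)                   # stands in for Invoke Application
    release_form_token(session, token)
    return result


# --- Session-scoped token: same value on every URL for the session (CSRF guard) ---

def session_csrf_token(session: dict) -> str:
    """What the comment's ViewHandler.getActionURL() variant would append to each URL."""
    return _sign("csrf", session["id"])


def validate_session_csrf(session: dict, token: str) -> bool:
    """Checked on every incoming request; the same value is valid for the whole session."""
    return _equal(token, session_csrf_token(session))
```

The replay checks are the point of the caveat in the comment: the session-scoped token validates as often as it is presented, so it stops a cross-site forgery but not a double click, while the per-form token, released only after the action has run, does both and also rejects a token minted for a different view or session.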


kito75 added a comment - 14/Jul/10 10:46 AM

We should also consider the Seam <s:token> approach
(http://seamframework.org/Community/NewComponentTagStokenAimedToGuardAgainstCSRF). This is a
component-based approach by Dan Allen with two key artifacts:

This approach also uses a cookie to ensure the requests are coming from the same browser, which is a
nice feature (but it should be optional). It also has explicit support for client-side state saving, which
my solution does not.


rogerk added a comment - 22/Jul/10 05:25 PM

re-target


rogerk added a comment - 23/Jul/10 07:33 AM

I've created a separate spec issue for CSRF:
https://javaserverfaces-spec-public.dev.java.net/issues/show_bug.cgi?id=869
as it solves a different problem.


rogerk added a comment - 13/Aug/10 05:08 AM

target


rogerk added a comment - 13/Aug/10 05:58 AM

Starting


rogerk added a comment - 27/Aug/10 10:52 AM

reset priority


rogerk added a comment - 13/Sep/10 08:21 AM

target 2.2


joshbrookes added a comment - 18/May/11 12:11 PM

This issue has remained untouched since mid-Sept of 2010. Is this still being targeted for development or is there a recommended 3rd-party utility that can be used with Mojarra?