Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0
    • Fix Version/s: 2.2 Sprint 4
    • Component/s: Security
    • Labels:
      None
    • Environment:

      Operating System: All
      Platform: Macintosh

    • Issuezilla Id:
      869
    • Status Whiteboard:
      size_medium importance_large draft

      Description

      The specification should specify a solution for preventing CSRF (Cross Site
      Request Forgery) for implementations to use. See:
      https://javaserverfaces.dev.java.net/issues/show_bug.cgi?id=812

      1. 20110920-i_spec_869.patch
        32 kB
        Ed Burns
      2. 869-hidden.txt
        76 kB
        rogerk
      3. 869-hidden.txt
        76 kB
        rogerk
      4. 869-hidden.txt
        68 kB
        rogerk
      5. 869-hidden.txt
        54 kB
        rogerk
      6. 869-url.txt
        67 kB
        rogerk
      7. changebundle.txt
        8 kB
        rogerk
      8. changebundle.txt
        7 kB
        rogerk
      9. changebundle.txt
        2 kB
        rogerk
      10. changebundle.txt
        102 kB
        rogerk
      11. changebundle.txt
        104 kB
        rogerk
      12. changebundle.txt
        100 kB
        rogerk
      13. i869.patch
        77 kB
        Ed Burns

        Issue Links

          Activity

          Manfred Riem added a comment -

          Closing resolved issue out

          Ed Burns added a comment -

          arjan_tijms: yes, it certainly is, and that is why most of the work of this issue is dealing with cases that are not postbacks. In other words, we need a way to protect GET requests within an app from CSRF attacks as well.

          arjan tijms added a comment -

          Just wondering about one thing, when state is stored on the server and the value of javax.faces.ViewState is sufficiently random, isn't that also a protection against CSRF? If an attacker can not guess this value, then this also functions as a hidden token, doesn't it?

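          The exchange above asks whether a sufficiently random, server-side javax.faces.ViewState already acts as a hidden anti-CSRF token, and the reply points out that non-postback GET requests need their own protection. The following is an added example, not code from this issue or from the JSF specification or reference implementation: a self-contained Python model of both checks. The parameter name csrf_token, the session and origin values, and the CsrfGuard class are constructed for the illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed parameter name for the GET-side token; JSF defines its own.
TOKEN_PARAM = "csrf_token"


class CsrfGuard:
    """Models two checks: a server-side saved view state whose random id
    doubles as an unguessable hidden token for postbacks, and an explicit
    per-session token (plus an Origin check) for non-postback GET requests
    to a protected view."""

    def __init__(self):
        self._views = {}   # view-state id -> session that rendered it
        self._tokens = {}  # session id -> token for protected GET views

    # ---- postbacks -------------------------------------------------------
    def render_view(self, session_id):
        """Server-side state saving: the client only gets a random handle."""
        view_state = secrets.token_urlsafe(32)  # 256 random bits
        self._views[view_state] = session_id
        return view_state

    def validate_postback(self, session_id, view_state):
        """Accept only a handle this server minted, for this session.
        Binding to the session stops a handle obtained from some other
        session being replayed inside a forged form."""
        owner = self._views.get(view_state)
        if owner is None:
            return False
        return hmac.compare_digest(owner.encode(), session_id.encode())

    # ---- non-postback (GET) requests to protected views ------------------
    def token_for(self, session_id):
        return self._tokens.setdefault(session_id, secrets.token_urlsafe(32))

    def protected_url(self, session_id, path):
        """Links the application itself renders carry the session's token."""
        return f"{path}?{urlencode({TOKEN_PARAM: self.token_for(session_id)})}"

    def validate_protected_get(self, session_id, url, origin, allowed_origin):
        """A GET to a protected view must carry the session's token and, when
        the browser sends an Origin header, come from the app's own origin."""
        expected = self._tokens.get(session_id)
        if expected is None:
            return False
        supplied = parse_qs(urlparse(url).query).get(TOKEN_PARAM, [""])[0]
        if not hmac.compare_digest(supplied.encode(), expected.encode()):
            return False
        # Defence in depth: a cross-site navigation carries a foreign Origin.
        return origin is None or origin == allowed_origin


def demo():
    """Walks through the cases discussed in the thread; returns outcomes.
    Session ids and origins are constructed sample values."""
    guard = CsrfGuard()
    victim_state = guard.render_view("victim-session")
    other_state = guard.render_view("other-session")
    link = guard.protected_url("victim-session", "/account/close.xhtml")
    app = "https://app.example"
    return {
        "genuine_postback": guard.validate_postback("victim-session", victim_state),
        "guessed_state": guard.validate_postback("victim-session", "AAAA"),
        "other_session_state_replayed": guard.validate_postback("victim-session", other_state),
        "genuine_get": guard.validate_protected_get("victim-session", link, app, app),
        "get_without_token": guard.validate_protected_get(
            "victim-session", "/account/close.xhtml", None, app),
        "get_from_foreign_origin": guard.validate_protected_get(
            "victim-session", link, "https://other.example", app),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:30} -> {'allowed' if allowed else 'rejected'}")
```

          The postback half shows why the random server-side handle works as a token: it is unguessable and bound to the session that rendered it. The GET half shows what the handle cannot do, since a plain link carries no view state, so a protected view needs a token the application places in its own links, compared in constant time, with the Origin header as a second check.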
          Ed Burns added a comment -

          Committed to trunk.

          Sending applicationIntegration.fm
          Sending preface.fm
          Sending renderingModel.fm
          Sending requestProcessingLifecycle.fm
          Transmitting file data ....
          Committed revision 1032.

          Ed Burns added a comment -

          Committed to trunk.

          Adding jsf-api/src/main/java/javax/faces/application/ProtectedViewException.java
          Sending jsf-api/src/main/java/javax/faces/application/ViewHandler.java
          Sending jsf-api/src/main/java/javax/faces/application/ViewHandlerWrapper.java
          Sending jsf-api/src/main/java/javax/faces/component/UIViewAction.java
          Sending jsf-api/src/main/java/javax/faces/render/ResponseStateManager.java
          Sending jsf-api/src/main/java/javax/faces/render/package.html
          Sending jsf-ri/conf/test/web.xml
          Sending jsf-ri/src/main/java/com/sun/faces/application/view/MultiViewHandler.java
          Sending jsf-ri/src/main/java/com/sun/faces/config/ConfigManager.java
          Sending jsf-ri/src/main/java/com/sun/faces/config/WebConfiguration.java
          Adding jsf-ri/src/main/java/com/sun/faces/config/processor/ProtectedViewsConfigProcessor.java
          Sending jsf-ri/src/main/java/com/sun/faces/lifecycle/RestoreViewPhase.java
          Sending jsf-ri/src/main/java/com/sun/faces/renderkit/ClientSideStateHelper.java
          Sending jsf-ri/src/main/java/com/sun/faces/renderkit/ResponseStateManagerImpl.java
          Sending jsf-ri/src/main/java/com/sun/faces/renderkit/StateHelper.java
          Sending jsf-ri/src/main/java/com/sun/faces/util/FacesLogger.java
          Sending jsf-ri/src/main/resources/com/sun/faces/LogStrings.properties
          Sending jsf-ri/src/main/resources/com/sun/faces/LogStrings_de.properties
          Sending jsf-ri/src/main/resources/com/sun/faces/LogStrings_es.properties
          Sending jsf-ri/src/main/resources/com/sun/faces/LogStrings_fr.properties
          Sending jsf-ri/src/main/resources/com/sun/faces/LogStrings_ja.properties
          Sending jsf-ri/src/main/resources/com/sun/faces/LogStrings_ko.properties
          Sending jsf-ri/src/main/resources/com/sun/faces/LogStrings_pt_BR.properties
          Sending jsf-ri/src/main/resources/com/sun/faces/LogStrings_zh_CN.properties
          Sending jsf-ri/src/main/resources/com/sun/faces/LogStrings_zh_HK.properties
          Sending jsf-ri/src/main/resources/com/sun/faces/LogStrings_zh_TW.properties
          Sending jsf-test/JAVASERVERFACES_SPEC_PUBLIC-869/i_spec_869_war/src/main/webapp/WEB-INF/faces-config.xml
          Sending jsf-test/JAVASERVERFACES_SPEC_PUBLIC-869/i_spec_869_war/src/main/webapp/WEB-INF/web.xml
          Sending jsf-test/JAVASERVERFACES_SPEC_PUBLIC-869/i_spec_869_war/src/main/webapp/i_spec_869_war.xhtml
          Transmitting file data .............................
          Committed revision 9393.


            People

            • Assignee:
              Ed Burns
            • Reporter:
              rogerk
            • Votes:
              5
            • Watchers:
              4

              Dates

              • Created:
                Updated:
                Resolved:

                Time Tracking

                Estimated: 5d (original estimate 5 days)
                Remaining: 4d
                Logged: 1d