The view declared in <protected-views>, still available after manipulating the CSRF token

I am learning the new features in JSF 2.2 (pretty cool so far), but I still don't understand how Protected Views work. I created facelet1 with a link to facelet2, for example:

<h:link styleClass="link" value="Go to protected page" id="link1"
    outcome="/protected/facelet2.xhtml"></h:link>

and in my faces-config.xml I added the following:

<protected-views>
    <url-pattern>/protected/facelet2.xhtml</url-pattern>
</protected-views>

Now that I have launched the page, a token has been added to the URL:

http://localhost:8080/<project>/protected/facelet2.faces?javax.faces.Token=1426608965211

According to the documentation, if the token does not match the address on the server, the GET request is not processed (do I understand correctly?).

But if I modify the token (using Firebug or the developer tools included in the browser), the request is still processed, even if the token has been changed.

Am I doing something wrong?


, FacesServlet, -, URL JSF 1.0 *.faces URL- JSF 2.0 *.xhtml. <protected-views><url-pattern> URL, .

Mojarra 2.2.10:

  • / Servlet 12.1 ( , , !). . , , /protected/*.

  • <h:link> URL URL, JSF. , , URL- JSF (, ), <url-pattern>. , , , , .

, , URL JSF 1.0 *.faces.

<protected-views>
    <url-pattern>/protected/facelet2.xhtml</url-pattern>
    <url-pattern>/protected/facelet2.faces</url-pattern>
</protected-views>

javax.faces.application.ProtectedViewException . FacesServlet *.xhtml web.xml.

<servlet-mapping>
    <servlet-name>facesServlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>

URL-.

Mojarra issue 3837.

. :

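As an added example (not Mojarra's, JSF's or the answerer's code), a simplified model of the protected-views check as the answer describes it for Mojarra 2.2.10: the request path is matched against the <url-pattern> entries exactly, and only on a match is javax.faces.Token compared with the stored value. The context path "/app", the tampered token and the session-stored token are constructed assumptions.

```python
# Added example, not Mojarra/JSF code: a simplified model of the protected-views
# check the answer describes for Mojarra 2.2.10. The context-relative request path
# must match a <url-pattern> exactly (no /protected/* wildcards); only then is
# javax.faces.Token compared with the server-side value. "/app" is a placeholder.
from urllib.parse import parse_qs, urlsplit

TOKEN_PARAM = "javax.faces.Token"
CONTEXT_PATH = "/app"  # stands in for <project> in the question's URL


def view_path(url, context_path=CONTEXT_PATH):
    """Strip the context path so the result is comparable to a <url-pattern>."""
    path = urlsplit(url).path
    if not path.startswith(context_path + "/"):
        raise ValueError("URL is outside the web application")
    return path[len(context_path):]


def handle_get(url, url_patterns, server_token):
    """Return 'served' or 'ProtectedViewException' for a GET to url."""
    # server_token stands in for the session-stored value (assumption of this model).
    if view_path(url) not in url_patterns:
        return "served"  # not listed: the token is never looked at
    supplied = parse_qs(urlsplit(url).query).get(TOKEN_PARAM, [None])[0]
    return "served" if supplied == server_token else "ProtectedViewException"


SERVER_TOKEN = "1426608965211"  # the token shown in the question, as the stored value
BASE = "http://localhost:8080" + CONTEXT_PATH + "/protected/facelet2"


def scenarios():
    """Reproduce the question's observation and the answer's two fixes."""
    only_xhtml = ["/protected/facelet2.xhtml"]
    both = only_xhtml + ["/protected/facelet2.faces"]
    bad = "?" + TOKEN_PARAM + "=0000000000000"  # constructed tampered token
    good = "?" + TOKEN_PARAM + "=" + SERVER_TOKEN
    return {
        # FacesServlet on *.faces, only the .xhtml pattern listed: the tampered
        # token is accepted because "/protected/facelet2.faces" is not in the list.
        "faces_url_xhtml_pattern": handle_get(BASE + ".faces" + bad, only_xhtml, SERVER_TOKEN),
        # Fix 1: list the .faces form as well, so the mismatch is detected.
        "faces_url_both_patterns": handle_get(BASE + ".faces" + bad, both, SERVER_TOKEN),
        # Fix 2: map FacesServlet to *.xhtml, so the request path matches as-is.
        "xhtml_url_xhtml_pattern": handle_get(BASE + ".xhtml" + bad, only_xhtml, SERVER_TOKEN),
        # A genuine <h:link> carries the stored token and is served.
        "valid_token": handle_get(BASE + ".faces" + good, both, SERVER_TOKEN),
    }
```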
