CSRF Guard with Icefaces 1.8  XML
johnsky

Joined: 24/Apr/2012 17:49:14
Messages: 3
Offline


Hi,
I am trying out csrf guard which is a security framework protecting jsf apps against csrf attacks.
My current app is using icefaces 1.8.3 with seam on a JBoss 7.
So far the first integration steps are quite successful.

CSRF Guard injects hidden input parameters based on a JS-Script on each new page.
In the case of select menus and partial submits, the following problem occurs:
the first request sends the csrf-token correctly. But after partially refreshing the page it loses the token, because csrf guard does not detect it as a full form submit. So it is not re-injecting the token.

My question:
is there an attribute which I can add to my csrf-token which tells icefaces NOT to eliminate this token?

Thanks in advance
ted.goddard

Joined: 26/Oct/2004 00:00:00
Messages: 874
Offline


ICEfaces 1.8 already protects against CSRF by a similar mechanism, but if integration specifically with CSRF Guard is desired, some investigation would be required (contact product.support@icesoft.com).

It is possible that adding a hidden form field with the same name that CSRF Guard is using would allow it to update the value, yet preserve it between ajax updates. The difficulty here is that the version of JSF being used may not allow prependId=false.
johnsky

Joined: 24/Apr/2012 17:49:14
Messages: 3
Offline


Thanks, didn't know that! Good to hear ...

How can I review this functionality? Is there some documentation about it?

I saw this post:
http://www.icesoft.org/JForum/posts/list/15275.page#sthash.FFS12sVb.dpbs
but it points to a whitepaper which doesn't say anything about csrf

Thanks in advance
ted.goddard

Joined: 26/Oct/2004 00:00:00
Messages: 874
Offline



The whitepaper link appears to be no longer functional for that version, but the initial implementation is in this JIRA. Essentially, the icefacesID provides the CSRF protection token:

http://jira.icesoft.org/browse/ICE-1366