I am trying out CSRF Guard, which is a security framework protecting JSF apps against CSRF attacks.
My current app is using ICEfaces 1.8.3 with Seam on a JBoss 7.
So far the first integration steps are quite successful.
CSRF Guard injects hidden input parameters based on a JS-Script on each new page.
In the case of select menus and partial submits, the following problem occurs:
The first request sends the CSRF token correctly. But after partially refreshing the page it loses the token, because CSRF Guard does not detect it as a full form submit. So it is not re-injecting the token.
Is there an attribute which I can add to my CSRF token which tells ICEfaces NOT to eliminate this token?
ICEfaces 1.8 already protects against CSRF by a similar mechanism, but if integration specifically with CSRF Guard is desired, some investigation would be required (contact firstname.lastname@example.org).
It is possible that adding a hidden form field with the same name that CSRF Guard is using would allow it to update the value, yet preserve it between ajax updates. The difficulty here is that the version of JSF being used may not allow prependId=false.
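
Added example, not part of the original thread and not CSRF Guard or ICEfaces code: a client-side sketch of the problem in the question, which puts the hidden token field back into forms that lost it after a partial DOM update. It skips forms that post to another origin so the token is not disclosed. Assumptions: the token is session-scoped (not rotated per request), and the field name `OWASP_CSRFTOKEN` is a stand-in that must match the token name configured for CSRF Guard.

```javascript
// Added example; not CSRF Guard or ICEfaces code.
// ASSUMPTION: must equal the token name configured for CSRF Guard.
const TOKEN_NAME = "OWASP_CSRFTOKEN";
const selector = (name) => 'input[name="' + name + '"]';

// Value of the token field in the first form that still has one, else null.
function findToken(forms, name) {
  for (const form of forms) {
    const field = form.querySelector(selector(name));
    if (field && field.value) return field.value;
  }
  return null;
}

// True when the form posts back to the page's own origin. The token must not
// be added to a form that submits elsewhere, or it is disclosed to that site.
function postsToSameOrigin(form, pageUrl) {
  try {
    const action = form.getAttribute("action") || pageUrl;
    return new URL(action, pageUrl).origin === new URL(pageUrl).origin;
  } catch (e) {
    return false; // unparsable action: leave the form alone
  }
}

// Re-add the hidden field to same-origin forms that lost it.
// Returns the number of forms repaired.
function restoreToken(forms, name, value, doc, pageUrl) {
  let repaired = 0;
  for (const form of forms) {
    if (!postsToSameOrigin(form, pageUrl) || form.querySelector(selector(name))) continue;
    const input = doc.createElement("input");
    input.type = "hidden";
    input.name = name;
    input.value = value;
    form.appendChild(input);
    repaired++;
  }
  return repaired;
}

// Browser wiring: remember the token, repair forms after every DOM update.
function watchForms(doc, name) {
  let token = findToken(doc.forms, name);
  const observer = new MutationObserver(() => {
    token = findToken(doc.forms, name) || token;
    if (token) restoreToken(doc.forms, name, token, doc, doc.location.href);
  });
  observer.observe(doc.body, { childList: true, subtree: true });
  return observer;
}
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => watchForms(document, TOKEN_NAME));
}
```

If CSRF Guard is configured to rotate tokens or to use per-page tokens, the remembered value can go stale and the server will reject it; in that case the token has to be refreshed from the server instead.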