Java EE 7: Implementing CSRF Protection with JSF 2.2
Overview
Purpose
This tutorial covers how to implement Cross-Site Request Forgery (CSRF) protection with JavaServer Faces 2.2 (JSF 2.2).
Time to Complete
Approximately 45 minutes
Introduction
CSRF is a type of attack that tricks the browser into sending requests which the user did not actually intend to initiate. For example, this attack could result in transferring funds, changing passwords, or purchasing items in the user's context.
In JSF 2.2, postback requests and non-postback requests (like GET) are inspected for protection. For postback requests, the client state or view state is “on” by default; for non-postback requests, a new configuration element, <protected-views>, was implemented.
In this tutorial, you learn how to:
- Create a Java Platform, Enterprise Edition 7 (Java EE 7) web application
- Develop two JSF pages: csrfExample.xhtml and csrf_protected_page.xhtml
- Modify the web application to implement CSRF protection
- Deploy the project to the GlassFish Server and verify the CSRF protection feature
Hardware and Software Requirements
The following is a list of hardware and software requirements:
- Download and install the latest JDK from this link (Java Platform, Standard Edition 7u21 recommended).
- Download and install NetBeans 7.3.1 with Java EE, which includes GlassFish 4 (Java EE download bundle) from this link. During installation, be sure to select the check box to install GlassFish. JUnit is an optional installation and is not required for this tutorial.
Prerequisites
Before starting this tutorial, you should:
- Have installed the required software.
- Ensure that NetBeans is running.
Creating a Web Application
In this section, you create a Java EE 7 web application in the NetBeans IDE.
Developing the JSF Pages
In this section, you create two JSF pages: csrfExample.xhtml and csrf_protected_page.xhtml.
Modifying the csrfExample JSF Page
In this section, you modify the csrfExample JSF page. You add the following components: <h:commandButton>, which generates a POST request, and <h:link>, which generates a GET request.
Modifying the csrf_protected_page JSF Page
In this section, you modify csrf_protected_page.
Testing Without CSRF Protection
In this section, you test the project by deploying and running it without CSRF protection for the POST and GET requests.
Implementing CSRF Protection
In this section, you modify the project to implement the CSRF protection feature for non-postback requests, like GET, by declaring the <protected-views> element in faces-config.xml.
Testing with CSRF Protection
In this section, you verify the CSRF protection feature by deploying and running the project.
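The configuration the two sections above describe, as an added example that is not taken from the tutorial's own project files: faces-config.xml lists csrf_protected_page.xhtml under <protected-views>, and csrfExample.xhtml reaches it with <h:commandButton> (POST) and <h:link> (GET). The url-pattern and outcome values are assumptions derived from the page names used in this tutorial; the javax.faces.Token parameter name and the 403 response are what the JSF 2.2 specification defines for protected views.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/faces-config.xml (added example). Views listed under
     protected-views reject any non-postback request that does not
     carry a valid javax.faces.Token request parameter. -->
<faces-config version="2.2"
              xmlns="http://xmlns.jcp.org/xml/ns/javaee"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                                  http://xmlns.jcp.org/xml/ns/javaee/web-facesconfig_2_2.xsd">
    <protected-views>
        <!-- Without this entry a bare GET /csrf_protected_page.xhtml is served
             (the "Testing Without CSRF Protection" case). With it, the same GET
             without the token raises ProtectedViewException (HTTP 403). -->
        <url-pattern>/csrf_protected_page.xhtml</url-pattern>
    </protected-views>
</faces-config>

<!-- csrfExample.xhtml (added example): the two components the tutorial adds. -->
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://xmlns.jcp.org/jsf/html">
<h:head><title>CSRF example</title></h:head>
<h:body>
    <h:form>
        <!-- POST: a postback; the javax.faces.ViewState value sent with the
             form is what JSF checks, so no extra configuration is needed. -->
        <h:commandButton value="Open protected page (POST)"
                         action="csrf_protected_page" />
    </h:form>
    <!-- GET: because the outcome is a protected view, JSF renders this link with
         javax.faces.Token=... appended, so following it is accepted. A URL typed
         or embedded elsewhere without a valid token is rejected. -->
    <h:link value="Open protected page (GET)" outcome="csrf_protected_page" />
</h:body>
</html>
```

To verify, follow the rendered link (accepted), then request /csrf_protected_page.xhtml directly in the address bar without the token (rejected with 403).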
Summary
In this tutorial, you learned how to:
- Create a Java EE 7 web application
- Implement CSRF protection with JSF 2.2
Resources
- Java EE 7 Tutorial
- JSF 2.2 Specification
- Learn more about CSRF from OWASP and OWASP Principles.
- To learn more about Java EE, refer to additional OBEs in the Oracle Learning Library.
Credits
- Lead Curriculum Developer: Anjana Shenoy
- Editor: Susan Moxley
- QA: Diganta Choudhury