This tutorial covers how to implement Cross-Site Request
Forgery (CSRF) protection with JavaServer Faces 2.2 (JSF 2.2).
Time to Complete
Approximately 45 minutes
CSRF is a type of attack that tricks the browser into sending requests which the user did not actually intend to initiate. For example, such an attack could result in transferring funds, changing passwords, or purchasing items in the user's context.
JSF 2.2 protects both postback requests and non-postback requests (such as GET). For postback requests, protection through the client state or view state is on by default; for non-postback requests, a new configuration element, <protected-views>, was introduced.
In this tutorial, you learn how to:
- Create a Java Platform, Enterprise Edition 7 (Java EE 7) web application
- Develop two JSF pages:
- Modify the web application to implement CSRF protection
- Deploy the project to the GlassFish Server and verify the CSRF protection feature
Hardware and Software Requirements
The following is a list of hardware and software requirements:
- Download and install the latest JDK from this link (Java Platform, Standard Edition 7u21 recommended).
- Download and install NetBeans 7.3.1 with Java EE, which includes GlassFish 4 (Java EE download bundle) from this link. During installation, be sure to select the check box to install GlassFish. JUnit is an optional installation and is not required for this tutorial.
Before starting this tutorial, you should:
- Have installed the required software.
- Ensure that NetBeans is running.
Creating a Web Application
In this section, you create a Java EE 7 web application in the NetBeans IDE.
Developing the JSF Pages
In this section, you create two JSF pages:
csrfExample JSF Page
In this section, you modify the
. You add the following components:
generates a POST request and
generates a GET request.
csrf_protected_page JSF Page
In this section, you modify
Testing Without CSRF Protection
In this section, you test the project by deploying and running it without CSRF protection for the POST and GET requests.
Implementing CSRF Protection
In this section, you modify the project to implement the CSRF
protection feature for non-postback requests, like GET, by
<protected-views> element in
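The configuration this section describes, as an added example that is not part of the tutorial: a faces-config.xml that lists the csrf_protected_page view under <protected-views>. The file name faces-config.xml is the standard JSF location for this element, and the path /csrf_protected_page.xhtml assumes the page is a Facelets view at the application root.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- faces-config.xml (added example): declares which non-postback views
     require JSF 2.2's CSRF token. Without a <protected-views> element,
     any plain GET reaches csrf_protected_page.xhtml unchecked. -->
<faces-config xmlns="http://xmlns.jcp.org/xml/ns/javaee"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                                  http://xmlns.jcp.org/xml/ns/javaee/web-facesconfig_2_2.xsd"
              version="2.2">

    <!-- Each listed view may only be reached by a GET that carries the
         javax.faces.Token parameter JSF appends to links it renders
         (h:link / h:button outcomes) and whose Origin/Referer header
         points at one of the protected views. A GET without a valid
         token, which is what a cross-site image tag or link would
         produce, is rejected with a ProtectedViewException. -->
    <protected-views>
        <!-- Path assumed from the page name used in this tutorial. -->
        <url-pattern>/csrf_protected_page.xhtml</url-pattern>
    </protected-views>

</faces-config>
```

When testing, navigate to the protected page through the h:button on csrfExample rather than by typing its URL: a hand-typed URL has no token and is expected to be refused.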
Testing with CSRF Protection
In this section, you verify the CSRF protection feature by deploying and running the project.
In this tutorial, you learned how to:
- Create a Java EE 7 web application
- Implement CSRF protection with JSF 2.2
- Java EE 7 Tutorial
- JSF 2.2 Specification
- Learn more about CSRF from OWASP
- To learn more about Java EE, refer to additional OBEs in the Oracle Learning Library.
- Lead Curriculum Developer: Anjana Shenoy
- Editor: Susan Moxley