In our JSF application we can see the below cookies :-
oam.Flash.RENDERMAP.TOKEN
oam.Flash.REDIRECT
Can someone please tell how these cookies can be made secure and HttpOnly. I am using tomcat.
thanks
The answer to this question is that it 'just works' in recent MyFaces versions (2.2.4 and up). A very simple search in a search engine helped me finding it.
https://issues.apache.org/jira/browse/MYFACES-3639
Related
I been working in a project with JSF 2.2 and a requeriment is to pass the Acunetix vulnerabilities validation.
I active protected-views (https://www.oracle.com/webfolder/technetwork/tutorials/obe/java/JSF-CSRF-Demo/JSF2.2CsrfDemo.html) but still the validator says that the site isnt protected for CSRF attacks.
In the documentation says that I need a input hidden for POST request, but in JSF 2.2 says that with protected-views activated its Ok.
Do you know how to solve this problem? Do you have an implementation to solve this?
I've been trying to search for an alternative for browsers that have disabled cookies in their browser and forms that require the antiforgerytoken for validation. How should a case like this be handled?
Any suggestions or alternatives to preventing CSRF in ASP.Net MVC forms would be greatly appreciated.
Thanks you!
You can create your own CUSTOM ANTIFORGERYTOKEN FILTER for more details
check the links...
http://forums.asp.net/t/1938599.aspx
http://www.prideparrot.com/blog/archive/2012/7/securing_all_forms_using_antiforgerytoken
There are a number of alternatives to using AntiForgeryTokens stored in session as part of the Synchroniser Token Pattern. One method gaining traction is the Encrypted Token Pattern, implemented by a Framework called ARMOR. The premise here is that you need neither Session nor cookies in order to maintain CSRF protection in a stateless manner, which won't be interrupted by browser settings, particularly the disabling of cookies.
I need to add CSRF token (p_auth) to my Liferay (ver.6.1.1) portal project.
Liferay provides this ability out of the box with auth.token.check.enabled=true
But it does this only for requests marked with #ActionMapping annotation [source]. At that time, as I need CSRF protection for #ResourceMapping because I have a lot of ajax requests for form submitting.
Thank you for the advice.
You can find the way for implementation of protection in http://www.liferay.com/community/forums/-/message_boards/message/26782849
I am researching stuff I hear regularly that when doing a webapp in JSF 2.0 you are already protected from crossite - scripting and - request forgery. The following excerpt from a SO post confirms this:
In JSF 2.0 this has been improved by using a long and strong autogenerated value instead of a rather predictable sequence value and thus making it a robust CSRF prevention.
Can someone provide some more detail on this? How does this autogenerated value prevent CSRF? Thanks!
How does this autogenerated value prevent CSRF ?
Because it cannot be guessed. So the attacker cannot hardcode it in a hidden field in a form of the attack website (unless the target site has a XSS hole and thus the value can simply be obtained directly by XSS means). If the value is not valid for JSF, then the form submit from the attack website will simply not be processed but instead generate a ViewExpiredException. Please note that the attacker would still need to get the session ID so that it can be passed back through jsessionid URL attribute, so the originally "weak" CSRF protection would still require some XSS hole to obtain the session ID.
After all, I have the impression that you do not understand at all what CSRF is; the answer is rather self-explaining if you understand what CSRF is. In that case, please check the following question: Am I under risk of CSRF attacks in a POST form that doesn't require the user to be logged in?
One thing to remember is that the CSRF-protection in JSF 2.0 is implicit and is only valid for POST requests.
In JSF 2.2 there will be more explicit support for this. I briefly explained this here: http://arjan-tijms.omnifaces.org/p/jsf-22.html
I know that this question seems to be answered by a lot of other threads, but I can't find a solution with JSF 2.0 with Glassfish 3.0.1 for logout an user.
I tried either with a BASIC authentication and FORM authentication using j_security_check as action.
But for the logout method I can't find any of them that works.
I tried using a servlet with session.invalidate(), i used a managed bean tring to invalide the session, but nothing happened. I also tried with j_security_logout without success.
Does someone know what I can do for logout an user?
Calling session.invalidate() should work.
Your problem is probably that you used the browser back button to view a restricted page to test if logout really succeeded, but that page was actually served from the browser cache instead of straight from the webserver over a real HTTP connection.
In that case, you need to instruct the webbrowser to not cache the restricted pages. This way the browser will always request the page straight from the webserver. You can do this with help of a Filter. You can find an example in this question: Prevent user from seeing previously visited secured page after logout