<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Folks - <br>
<br>
I have combined the previous two proposals into one based on
valuable feed back from <br>
Kito Mann and Neil Griffin:<br>
<br>
On 9/27/10 5:12 PM, Kito Mann wrote:
<blockquote
cite="mid:AANLkTimifX4bJiukQExfmSwY-8M9_B_1MwRejxGTraX5@mail.gmail.com"
type="cite">On Tue, Sep 21, 2010 at 1:15 PM, Roger Kitain <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:roger.kitain@oracle.com">roger.kitain@oracle.com</a>></span>
wrote:<br>
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<br>
There are two proposals for enhancing CSRF attacks in JSF. We
need to pick one.<br>
</blockquote>
<div><br>
Why? I think it's actually safer to allow both: <a
moz-do-not-send="true"
href="http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#Disclosure_of_Token_in_URL">http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#Disclosure_of_Token_in_URL</a>.
According to this, appending the token works better when you
can't guarantee that a server-side operation is occurring only
through POST. Especially with the new capabilities of JSF 2
for parsing view parameters, I don't think we can make this
guarantee.<br>
<br>
Also, the rewriting approach is what they're using for the
generic filter in Tomcat 7: <a moz-do-not-send="true"
href="http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#Disclosure_of_Token_in_URL">http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#Disclosure_of_Token_in_URL</a>.
I was talking to Mark Thomas, the guy working on this feature,
about this at JavaOne. As you can see, it doesn't even look
like they're using the hidden field approach (probably because
it'd be very hard to implement in a generic fashion). <br>
<br>
So, I think we should provide both features, but give the
users to turn off either algorithm, with a context parameter
such as:<br>
<br>
javax.faces.CSRF_ALGORITHM=NONE | FORM | URL | BOTH (or ALL)<br>
<br>
</div>
</div>
</blockquote>
On 9/21/10 4:20 PM, Neil Griffin wrote:
<blockquote
cite="mid:E788CC07-BE1D-45AE-8475-299F1983517A@portletfaces.org"
type="cite">#1 is probably not compatible with portlets. Portals
are in full control of creation of URLs in general, and it is not
possible to simply append "&javax.faces.Token=XYZ" to a
portal's ActionURL and expect it to work.
<div>
<div><br>
</div>
<div>#2 is compatible with portlets, but it would be best to
have the hidden field namespaced. Otherwise it would be like
javax.faces.VIEW_ID which is not namespaced, and can cause
problems in portals.</div>
</div>
</blockquote>
<blockquote
cite="mid:E788CC07-BE1D-45AE-8475-299F1983517A@portletfaces.org"
type="cite">
<div>
<div>Neil</div>
</div>
</blockquote>
<br>
==============================================<br>
<br>
<pre>This proposal does the following:
- Token is generated on the server consisting (minimally) of a randomly
generated "secret key" (stored in session). The token can be generated
upon session creation, or, at the time the token hidden field and/or
token Url parameter is produced.
- Standard context parameter javax.faces.CSRF_ALGORITHM controls where the
token is produced by the following values:
a. "form" : token is produced as the value of the hidden field with the name
<form client id>:javax.faces.Token where <form client id> is the
enclosing form's client identifier (produced with getClientId) - i.e.
the hidden field is namespaced using the form's client identifier.
b. "url" : token is produced and appended as a parameter to the form's
action Url with the same name as in [a].
c. "all" : token is produced as in [a] *and* [b]
d. "none" : no token is produced
The default is [a] "form".
- After render time, a subsequent action will send the token to the server.
- Restore View Phase processing compares the incoming token request parameter
value with the token value generated from the secret key in the session.
Spec Document Modifications:
Section 7.5.1:
getActionURL:
The returned URL must contain the
parameter with a name consisting of the form's fully namespaced
client identifier, the NamingContainer.SEPARATOR_CHAR and the constant
defined by ResponseStateManager.VIEW_TOKEN_PARAM,
if the configuration option javax.faces.CSRF_ALGORITHM
is set to "url" or "all". The value of this parameter, known
as the "token value" must be a cryptographically produced random generated
value (known as the "secret key") retrieved from the session. If the
"secret key" does not already exist in the session, create the random value
and store it in the session. Implementations may choose to produce a more
complex token value by combining the random "secret key" with other values.
Section 2.2.1
"If the value of the configuration option javax.faces.CSRF_ALGORITHM
is not "none" verify the "javax.faces.Token" request parameter value is
the same as the token value generated from the "secret key" stored in the
session. If the values do not match, throw a meaningful exception.
The exception message must not include the token value."
Standard RenderKit Docs
- Form Rendering
Render a hidden field named javax.faces.Token using the
ResponseStateManager.VIEW_TOKEN_PARAM constant if the configuration option
javax.faces.CSRF_ALGORITHM is set to the key words "form" or "all".
The name must be namespaced with the enclosing form's client identifier. Render
the value of this hidden field, known as the "token value", as a cryptographically
produced random generated value (known as the "secret key") retrieved from the
session. If the "secret key" does not already exist in the session, create the random value and
store it in the session. Implementations may choose to produce a more complex token value by
combining the random "secret key" with other values.
Implementation Changes are attached to this issue:
[1] <a class="moz-txt-link-freetext" href="https://javaserverfaces-spec-public.dev.java.net/issues/show_bug.cgi?id=869">https://javaserverfaces-spec-public.dev.java.net/issues/show_bug.cgi?id=869</a>
-roger
</pre>
<br>
<br>
<br>
<pre class="moz-signature" cols="72">--
<a class="moz-txt-link-abbreviated" href="mailto:roger.kitain@oracle.com">roger.kitain@oracle.com</a>
<a class="moz-txt-link-freetext" href="https://twitter.com/rogerk09">https://twitter.com/rogerk09</a>
<a class="moz-txt-link-freetext" href="http://www.java.net/blogs/rogerk">http://www.java.net/blogs/rogerk</a> </pre>
</body>
</html>