[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-4007) Provide an <s:token> UI component to secure JSF forms against cross-site request forgery (XSRF)

Dan Allen (JIRA) jira-events at lists.jboss.org
Wed Mar 11 10:21:23 EDT 2009

Provide an <s:token> UI component to secure JSF forms against cross-site request forgery (XSRF)

                 Key: JBSEAM-4007
                 URL: https://jira.jboss.org/jira/browse/JBSEAM-4007
             Project: Seam
          Issue Type: Feature Request
          Components: JSF Controls
    Affects Versions: 2.1.1.GA
            Reporter: Dan Allen
             Fix For: 2.1.2.GA

Introduce the UI component tag <s:token> to secure JSF form posts against cross-site request forgery (XSRF) attacks. Please note that if the solution below is implemented in JSF 2, then Seam does not need to provide a custom solution and this issue can be closed. However, we still need to implement something equivalent for Seam Remoting.

The problem today is that when using client-side state saving, a form POST can be crafted (forged) to submit into a JSF application from an external site (cross-site). The serialized view is simply passed in the javax.faces.ViewState parameter. JSF will blindly recreate the view and process the request.

Server-side state saving is equally insecure since all the forged POST has to do is provide the identifier of the view state on the server in the javax.faces.ViewState parameter. Actually, this is only a problem since JSF generates sequential identifiers per session in the form j_id + # of views in session.

Server-side state saving becomes event more problematic in JSF 2.0 since Facelets' "build during restore" feature is enabled by default. In this case, the javax.faces.ViewState parameter isn't even required since JSF will recreate the view before processing the request.

The <s:token> UI component will perform two steps. First, it will assign a unique identifier to the browser using a cookie that lives until the end of the browser session. This is roughly the browser's private key. The <s:token> tag is used inside of an <h:form> and generates a hidden form field named javax.faces.FormSignature. The form signature is calculated as follows:

sha1( signature = viewId + "," + formClientId, salt = clientUid )

The developer can also choose to incorporate the session id into this hash for a more secure token (at the cost of binding it to the session)

sha1( signature = viewId + "," + formClientId + "," + sessionId, salt = clientUid )

When the form is submitted, the hash is recreated and compared against the value of the javax.faces.FormSignature parameter.

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


More information about the seam-issues mailing list