David Chandler's Journal of Java Web and Mobile Development

  • David M. Chandler

    Web app developer since 1994 and Google Cloud Platform Instructor now residing in Colorado. Besides tech, I enjoy landscape photography and share my work at ColoradoPhoto.gallery.


Archive for October, 2006

Hacking JSF Requiredness Checking

Posted by David Chandler on October 14, 2006

MyFaces committer Matthias Weßendorf and I spent a few minutes this afternoon at ApacheCon confirming what I suspected about validation of required values in JSF. Normally, if you leave a required field empty, the browser still submits the parameter with an empty string, and JSF correctly reports the requiredness error. But if, for a given required field, you remove the name-value pair from the POST altogether using a man-in-the-middle (MITM) proxy, JSF does not detect the missing required field: the check is only applied when the parameter was actually present in the request. This is also an issue in the Sun reference implementation (RI) and in fact results from unclear, if not conflicting, requirements in the JSF spec, as detailed at the JIRA link below.

This issue is being tracked in the MyFaces JIRA at https://issues.apache.org/jira/browse/MYFACES-1467, where you can also obtain the patch I've submitted.
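The following is an added example, not MyFaces or Sun RI code and not the patch from the JIRA issue. It models the two validation behaviours described above over a parsed form body: a naive check that, like the behaviour reported, only validates a required field when its parameter name was present in the POST, and a strict check that treats an absent parameter exactly like a submitted empty string. The field ids (form:username, form:email) and the two request bodies are constructed for the illustration; the tampered body is what a proxy user would send after deleting the form:username pair.

```python
"""Model of the JSF requiredness gap: absent parameter vs. empty parameter.

Added illustration; the functions below are not the JSF/MyFaces implementation,
they only reproduce the semantics the post describes.
"""
from urllib.parse import parse_qs

# Hypothetical JSF client ids for two required inputs on a form.
REQUIRED_FIELDS = ("form:username", "form:email")

# Constructed request bodies (application/x-www-form-urlencoded).
# 1. What a browser sends when the user leaves the username blank:
NORMAL_EMPTY_POST = "form:username=&form:email=alice%40example.com&form_SUBMIT=1"
# 2. The same request after a MITM proxy removed the username pair entirely:
TAMPERED_POST = "form:email=alice%40example.com&form_SUBMIT=1"


def parse_post_body(body):
    """Parse a urlencoded body into {name: first_value}.

    keep_blank_values=True matters: without it "form:username=" would be
    dropped by the parser and look identical to the tampered request.
    """
    parsed = parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def validate_required_naive(params, required):
    """Only checks fields whose parameter reached the server.

    This mirrors the reported behaviour: the component decodes a submitted
    value only if the parameter is present, and validation runs only on
    decoded values, so a missing parameter is silently skipped.
    """
    errors = []
    for name in required:
        if name in params and params[name].strip() == "":
            errors.append(f"{name}: value is required")
    return errors


def validate_required_strict(params, required):
    """Treats a missing parameter the same as an empty submission."""
    errors = []
    for name in required:
        value = params.get(name, "")  # absent == ""
        if value.strip() == "":
            errors.append(f"{name}: value is required")
    return errors


def compare(body):
    """Run both checks on one body; returns (naive_errors, strict_errors)."""
    params = parse_post_body(body)
    return (validate_required_naive(params, REQUIRED_FIELDS),
            validate_required_strict(params, REQUIRED_FIELDS))


if __name__ == "__main__":
    for label, body in (("browser, empty field", NORMAL_EMPTY_POST),
                        ("proxy, pair removed", TAMPERED_POST)):
        naive, strict = compare(body)
        print(f"{label:22} naive={naive} strict={strict}")
```

Run it and the first body is rejected by both checks, while the tampered body passes the naive check with no errors and is rejected only by the strict one. The practical caveat for any framework, not just JSF: required-field enforcement must be keyed on the component's declared fields, never on the set of parameters the client chose to send.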


Posted in JavaServer Faces

MyFaces Security Presentation Now Available

Posted by David Chandler on October 11, 2006

My ApacheCon presentation, Securing MyFaces Applications Against the OWASP Top Ten, has been updated for OWASP 2007 and is linked below, as well as directly from my Writings page (along with video).

Securing JSF Applications Against the OWASP Top Ten (PowerPoint)


Posted in JavaServer Faces, Web App Security
