David Chandler's Journal of Java Web and Mobile Development

  • David M. Chandler

    Web app developer since 1994 and Google Cloud Platform Instructor now residing in Colorado. Besides tech, I enjoy landscape photography and share my work at ColoradoPhoto.gallery.

Securing JSF Applications Against the OWASP Top Ten

Posted by David Chandler on October 6, 2009

My JSF security presentation is now available in PDF format from the Writings page above.

5 Responses to “Securing JSF Applications Against the OWASP Top Ten”

  1. Srikanth Nittala said

    Hi David,

    I have read your PPT (attached) about security in JSF. It is very interesting and informative. Thank you. I am applying the security fixes suggested by you in my project.
    I am the dev lead for a project where we are using JSF 1.1 (Sun’s RI implementation) along with Apache Trinidad and Facelets.
    Now I am writing this email to you to ask a few questions/clarifications about the CSRF fix suggested in your PPT, slide 41.

    For this step: Decorate ViewHandlerImpl to override getActionURL() and append a hash of the URL

    I have the code written like this:

    public class MyViewHandler extends FaceletViewHandler {
        private Log log = LogFactory.getLog(this.getClass());

        public MyViewHandler(ViewHandler parent) {
            super(parent);
        }

        // Appends String.hashCode() of the action URL after a '#'
        public String getActionURL(FacesContext context, String viewId) {
            String actionUrl = super.getActionURL(context, viewId);

            log.info("MyViewHandler:Sending action url as --->" + actionUrl + actionUrl.hashCode());
            return actionUrl + "#" + actionUrl.hashCode();
        }
    }

    Now my questions are for these two steps:
    Write custom phase listener to
    - Generate new token in Session for each request.
    Q: Could you please elaborate more on this? Does this mean I have to generate a hash of the incoming URL and set it in a session variable?
    - Compare hash in the URL with expected token.
    Q: Do I need to do this in the same phase listener? I guess I have not understood this well, but we just put the hashcode of the URL in session and we compare the value stored in the session to the URL I just retrieved in the above step. I am sure I am missing something here.

    Now I have my code written as:

    public class CsrfListener implements PhaseListener {
        private Log log = LogFactory.getLog(this.getClass());

        public CsrfListener() {
        }

        public void afterPhase(PhaseEvent phaseEvent) {
        }

        // Runs before the listed phase; so far it only logs the request URI
        public void beforePhase(PhaseEvent phaseEvent) {
            FacesContext facesContext = phaseEvent.getFacesContext();
            ExternalContext ectx = facesContext.getExternalContext();
            HttpSession session = (HttpSession) ectx.getSession(false);
            String url = ((HttpServletRequest) ectx.getRequest()).getRequestURI();

            log.info("CsrfListener:beforePhase. url-->" + url);
        }

        public PhaseId getPhaseId() {
            return PhaseId.RESTORE_VIEW;
        }
    }

    • You’re on the right track, Srikanth. The idea is to create a secret key (any secure random will do) for each session. The ViewHandler getActionUrl() method computes the MD5 or other crypto hash of (URL, secret_key), encodes it using Base-64 to make it URL-safe, and appends the resulting hash token as a URL parameter. The phase listener computes the same hash for each incoming request using the secret key and verifies that the computed hash matches the hash appended to the URL. Unfortunately, I cannot publish the code for this.

      Hope that helps, /dmc

      • Srikanth said

        Thanks David. This helped. We ran a security scan for CSRF and the tool didn't report CSRF problems now. It seems to be working.

  2. Srikanth said

    Just a comment. I changed the Phase Id to RENDER_RESPONSE. I think that is important.
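
The scheme David Chandler describes in his reply above (a per-session secret key, a keyed hash of the URL appended as a Base-64 URL parameter, and a check on every incoming request), as an added example; it is not code from the presentation or from either commenter. It uses HMAC-SHA256 in place of the MD5-style hash of (URL, secret_key) mentioned in the reply and leaves out the JSF wiring. Assumptions: Java 8 or later for java.util.Base64, and every class, method and parameter name is hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class UrlTokenDemo {
    static final String PARAM = "csrfToken"; // hypothetical name, like every name in this added example

    // Per-session secret: generate once and keep it as a session attribute.
    static byte[] newSessionKey() {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        return key;
    }

    // Keyed hash of the URL, Base64url-encoded so it is safe in a query string.
    static String token(byte[] key, String url) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] tag = mac.doFinal(url.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // ViewHandler side: a query parameter, because a '#' fragment never reaches the server.
    static String sign(byte[] key, String url) throws GeneralSecurityException {
        return url + (url.contains("?") ? "&" : "?") + PARAM + "=" + token(key, url);
    }

    // Phase listener side: recompute the token and compare in constant time.
    static boolean verify(byte[] key, String url, String presented) throws GeneralSecurityException {
        if (key == null || presented == null) return false; // no session key or no token
        byte[] expected = token(key, url).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, presented.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        byte[] key = newSessionKey();
        String url = "/app/transfer.jsf"; // constructed sample URL
        String signed = sign(key, url);
        String tok = signed.substring(signed.indexOf(PARAM + "=") + PARAM.length() + 1);
        System.out.println(verify(key, url, tok));              // same URL, same session
        System.out.println(verify(key, "/app/admin.jsf", tok)); // token replayed on another URL
        System.out.println(verify(newSessionKey(), url, tok));  // token from another session
        System.out.println(verify(key, url, null));             // token missing
    }
}
```

In a listener, the string passed to verify must be the request URL with the token parameter stripped, in exactly the form that was signed when the action URL was generated.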
