[Owasp-csrfguard] How to use CSRFGuard3 with JSF

Smith, Patrick (Detroit, MI) patrick.smith at hp.com
Thu Mar 19 13:32:58 UTC 2015


I'm looking for an example of how to include CSRFGuard into a JSF application, in particular what you need to add to the XHTML files. I've got the CSRFGuard JAR deployed, the web.xml configured and the CSRFGuard properties set. The CSRFGuard is protecting our app at runtime.

I'm trying to do the final piece: to have our web pages include and send the CSRF token. Our app is not using JavaScript and we're using Mojarra JSF in Java v1.6.

I've added this to our template.xhtml page:

<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://java.sun.com/jsf/html"
      xmlns:f="http://java.sun.com/jsf/core"
      xmlns:ui="http://java.sun.com/jsf/facelets"
      xmlns:mapir="http://java.sun.com/jsf/composite/control"
      xmlns:csrf="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld">

It doesn't look right to me but that's the only example I could find on the internet.

I then added a <csrf-form> tag into the template.xhtml as a test as follows:

        <csrf:form>
                <h:outputLabel value="Test label:" />
                <h:inputText value="default input" />
                <h:button>Test Button</h:button>
        </csrf:form>

When looking at the web page source, the csrf-form tag is not being converted into HTML. I see this in the web page source:

<html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:csrf="http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project/Owasp.CsrfGuard.tld"><head>
.
.
.
        <csrf:form>
                <label>
Test label:</label><input type="text" name="j_idt14" value="default input" /><input type="button" onclick="window.location.href='/mapir-public/common/dashboard.jsf'; return false;" value="" />Test Button
        </csrf:form>

The csrf:form tag is not translated.

What am I doing wrong here? Is there a complete simple example of how to use CSRFGuard3, JSF (Mojarra) without using JavaScript?

Sincerely,


Pat
PATRICK L. SMITH
Technical Consulting
Application Development Services
HP Enterprise Services
Mobile +1 248.941.5451
PC Phone +1 404.648.7363
Email patrick.smith at hp.com
