You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@myfaces.apache.org by "Eduardo Breijo (JIRA)" <de...@myfaces.apache.org> on 2017/10/18 18:26:00 UTC
[jira] [Created] (MYFACES-4164) Unexpected behavior when
javax.faces.ViewState is set to "stateless" in a State view
Eduardo Breijo created MYFACES-4164:
---------------------------------------
Summary: Unexpected behavior when javax.faces.ViewState is set to "stateless" in a State view
Key: MYFACES-4164
URL: https://issues.apache.org/jira/browse/MYFACES-4164
Project: MyFaces Core
Issue Type: Bug
Affects Versions: 2.3.0-beta, 2.2.12
Reporter: Eduardo Breijo
Attachments: ProtectedViewStateless.war
I have encountered an issue or an unexpected behavior with a stateless value of “javax.faces.ViewState” hidden input.
Let’s say you navigate to a state view. When the value attribute of “javax.faces.ViewState” is changed manually using browser’s developer tools, the application can prevent CSRF attack by throwing a ViewExpiredException. However, if you modify the value to be “stateless”, then no ViewExpiredException is thrown.
Even if you add View Protection to the state view, and modify the value to be “stateless”, no exception is thrown.
The following JIRA issue said that this should be prevented with View Protections but it seems that’s not working.
https://issues.apache.org/jira/browse/MYFACES-3714
Comparing this behavior with Mojarra, if the you modify the value to be “stateless”, then the following exception is thrown:
javax.faces.FacesException: Unable to restore view /stateView.xhtml
com.sun.faces.application.view.FaceletViewHandlingStrategy.restoreView(FaceletViewHandlingStrategy.java:255)
com.sun.faces.application.view.MultiViewHandler.restoreView(MultiViewHandler.java:157)
javax.faces.application.ViewHandlerWrapper.restoreView(ViewHandlerWrapper.java:125)
com.sun.faces.lifecycle.RestoreViewPhase.execute(RestoreViewPhase.java:204)
com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100)
I have provided a sample app that demonstrates this behavior.
Instructions to recreate the behavior on Tomcat:
1) Deploy the app on tomcat
2) Drive a request to http://localhost:8080/ProtectedViewStateless/index.xhtml
3) Click the “Navigate to State View” link
4) Open the Browser’s Developer Tools and modify the value of “javax.faces.ViewState” to “stateless”
5) Click the “Go to Final View” button. No exception is thrown.
If you change the MyFaces bundle to a Mojarra bundle and repeat the same steps, you’ll get the exception I mentioned above.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)