Posted to dev@myfaces.apache.org by "Eduardo Breijo (JIRA)" <de...@myfaces.apache.org> on 2017/10/18 18:26:00 UTC

[jira] [Created] (MYFACES-4164) Unexpected behavior when javax.faces.ViewState is set to "stateless" in a State view

Eduardo Breijo created MYFACES-4164:
---------------------------------------

             Summary: Unexpected behavior when javax.faces.ViewState is set to "stateless" in a State view
                 Key: MYFACES-4164
                 URL: https://issues.apache.org/jira/browse/MYFACES-4164
             Project: MyFaces Core
          Issue Type: Bug
    Affects Versions: 2.3.0-beta, 2.2.12
            Reporter: Eduardo Breijo
         Attachments: ProtectedViewStateless.war

I have encountered an issue, or at least unexpected behavior, with a “stateless” value in the “javax.faces.ViewState” hidden input.

Let’s say you navigate to a state view. When the value attribute of “javax.faces.ViewState” is changed manually using the browser’s developer tools, the application can prevent a CSRF attack by throwing a ViewExpiredException. However, if you modify the value to be “stateless”, then no ViewExpiredException is thrown.

Even if you add View Protection to the state view and modify the value to be “stateless”, no exception is thrown.

The following JIRA issue said that this should be prevented with View Protection, but it seems that’s not working:
https://issues.apache.org/jira/browse/MYFACES-3714

Comparing this behavior with Mojarra, if you modify the value to be “stateless”, then the following exception is thrown:

javax.faces.FacesException: Unable to restore view /stateView.xhtml
    com.sun.faces.application.view.FaceletViewHandlingStrategy.restoreView(FaceletViewHandlingStrategy.java:255)
    com.sun.faces.application.view.MultiViewHandler.restoreView(MultiViewHandler.java:157)
    javax.faces.application.ViewHandlerWrapper.restoreView(ViewHandlerWrapper.java:125)
    com.sun.faces.lifecycle.RestoreViewPhase.execute(RestoreViewPhase.java:204)
    com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100)

I have provided a sample app that demonstrates this behavior.

Instructions to recreate the behavior on Tomcat:
1) Deploy the app on Tomcat
2) Drive a request to http://localhost:8080/ProtectedViewStateless/index.xhtml
3) Click the “Navigate to State View” link
4) Open the browser’s Developer Tools and modify the value of “javax.faces.ViewState” to “stateless”
5) Click the “Go to Final View” button. No exception is thrown.

If you change the MyFaces bundle to a Mojarra bundle and repeat the same steps, you’ll get the exception I mentioned above.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
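An added example, not part of this report or of MyFaces: a JSF 2.2 PhaseListener that rejects a postback carrying the literal “stateless” token when the restored view is not one the application deliberately renders stateless, giving a stateful view the same ViewExpiredException it would get for any other tampered token. The class name and the allowlisted view id are assumptions.

```java
import java.util.Collections;
import java.util.Set;
import javax.faces.application.ViewExpiredException;
import javax.faces.component.UIViewRoot;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;
import javax.faces.render.ResponseStateManager;

/**
 * Workaround sketch, not MyFaces code: reject a postback whose ViewState is the
 * literal "stateless" token unless the restored view is one the application
 * deliberately renders stateless. Register it in faces-config.xml under
 * <lifecycle><phase-listener>.
 */
public class StatelessTokenGuard implements PhaseListener {

    /** View ids meant to be stateless; the entry is an assumed placeholder. */
    private static final Set<String> STATELESS_VIEWS =
            Collections.singleton("/publicForm.xhtml");

    @Override
    public PhaseId getPhaseId() {
        return PhaseId.RESTORE_VIEW;
    }

    @Override
    public void beforePhase(PhaseEvent event) {
        // Nothing to check before the view has been restored.
    }

    @Override
    public void afterPhase(PhaseEvent event) {
        FacesContext ctx = event.getFacesContext();
        if (!ctx.isPostback()) {
            return; // an initial GET carries no javax.faces.ViewState
        }
        String token = ctx.getExternalContext().getRequestParameterMap()
                .get(ResponseStateManager.VIEW_STATE_PARAM); // "javax.faces.ViewState"
        UIViewRoot root = ctx.getViewRoot();
        if (root != null && "stateless".equals(token)
                && !STATELESS_VIEWS.contains(root.getViewId())) {
            // A stateful view restored from the "stateless" token is a tampered
            // request: fail it as an expired view, as an invalid token would.
            throw new ViewExpiredException(
                    "Stateless token submitted to stateful view", root.getViewId());
        }
    }
}
```

Like any exception raised while a phase runs, this one is routed through the application's ExceptionHandler, so an error page already configured for ViewExpiredException covers it.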