
Scenario:

I have a JSF 2.2 application that is integrated with Spring Boot (Joinfaces) and Spring Security for login. I've read that JSF 2.2 has built in CSRF protection (we have a basic app, backing bean view scoped):

https://arjan-tijms.omnifaces.org/p/jsf-22.html#869

That said, on the login page we have 4 inputs:

  1. User
  2. Password
  3. Dropdown selection (preloaded from backing bean)
  4. Dropdown selection (populated based on input #3, ajax)

I started to get curious about what would happen with CSRF enabled in Spring Security and immediately noticed that the dropdown in #4 does not populate (302 in the network tab, so it seems it was CSRF'd?).

However, if I disable CSRF in Spring Security, doesn't it also disable it at the login page? So wouldn't I be able to force a login from another domain?

@Override
protected void configure(HttpSecurity http) throws Exception
{
    // Switches off Spring Security's CsrfFilter for every request, the login POST included.
    http.csrf().disable();
    // Alternative tried: keep CSRF on but skip it for the views under /pages/
    // (an Ant "*" matches a single path segment; "**" would also match nested paths).
    //http.csrf().ignoringAntMatchers("/pages/*");
}

Is there a way to somehow allow CSRF protection for the login page, allow the ajax call to successfully complete and populate input #4, and also disable it for all other views? I realize there is an ignoringAntMatchers which I can use for the last part of my question, but it stays enabled for login and thus breaks the ajax call that populates the dropdown.

Kukeltje
user10776719
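Added example, not code from the question, from Joinfaces or from Spring: one way to get what the question asks for, Spring's CSRF check kept on the login page and on its ajax call, without switching it off anywhere else, is to leave csrf() enabled and make every JSF form carry Spring's token. The Java below uses the same Spring Security 5.x WebSecurityConfigurerAdapter style as the question's snippet. Everything else is assumed: a login view /login.xhtml whose backing bean authenticates programmatically (the question does not say how the login is wired), that Joinfaces maps javax.faces.view.ViewScoped onto its view scope, that the two dropdowns are a region and a site, the package name, the landing view, and the constructed dropdown data. The XHTML hidden field the bean relies on is quoted in the class comment.

```java
package example.security; // assumed package; added example code, not the question's own

import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.faces.application.FacesMessage;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.view.ViewScoped;
import javax.inject.Inject;
import javax.inject.Named;
import javax.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

/**
 * CSRF stays ON for every view, the login page included; nothing is ignored for /pages/**.
 * JSF side (assumed view /login.xhtml): one plain hidden field inside the <h:form>
 *   <input type="hidden" name="#{_csrf.parameterName}" value="#{_csrf.token}"/>
 * CsrfFilter puts the token into the request attribute "_csrf", which JSF EL resolves,
 * and jsf.js serialises every field of the form, so the f:ajax postback that fills
 * dropdown #4 carries the token just like the final login postback does.
 */
@Configuration
@EnableWebSecurity
public class JsfCsrfSecurityConfig extends WebSecurityConfigurerAdapter {
    static final String LOGIN_VIEW = "/login.xhtml"; // assumed path of the JSF login page

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http // csrf() is enabled by default: a POST without a valid _csrf is rejected, login included
            .authorizeRequests()
                .antMatchers(LOGIN_VIEW, "/javax.faces.resource/**").permitAll()
                .anyRequest().authenticated()
                .and()
            // No formLogin(): the backing bean below authenticates, so only the entry point is needed
            .exceptionHandling()
                .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint(LOGIN_VIEW))
                .and()
            .logout().logoutUrl("/logout").logoutSuccessUrl(LOGIN_VIEW); // a POST carrying _csrf as well
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean(); // exposed so LoginBean can inject it
    }
}

/** Backing bean of the assumed login view: user, password, dropdown #3 and ajax-filled dropdown #4. */
@Named
@ViewScoped // javax.faces.view.ViewScoped; assumes Joinfaces maps it onto its Spring view scope
class LoginBean implements Serializable {
    private static final long serialVersionUID = 1L;
    @Inject
    private AuthenticationManager authenticationManager;
    private String username, password, region, site; // region = dropdown #3, site = dropdown #4 (assumed)
    private List<String> sites = new ArrayList<>();

    /** f:ajax listener of dropdown #3: an ordinary JSF postback of the same form, so it passes CsrfFilter. */
    public void onRegionChange() {
        // Constructed sample data standing in for the real lookup
        sites = "EU".equals(region) ? Arrays.asList("Berlin", "Dublin") : Arrays.asList("Austin", "Boston");
        site = null;
    }

    /** Action of the login button: programmatic authentication against Spring Security. */
    public String login() {
        ExternalContext ext = FacesContext.getCurrentInstance().getExternalContext();
        try {
            Authentication auth = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(username, password));
            // Programmatic login bypasses SessionManagementFilter, so rotate the session id here
            // (session fixation) before the authenticated context is stored in it.
            ((HttpServletRequest) ext.getRequest()).changeSessionId();
            SecurityContextHolder.getContext().setAuthentication(auth);
            // SecurityContextPersistenceFilter saves the context to the session when the request ends
            ext.getSessionMap().put("site", site);
            return "/pages/home.xhtml?faces-redirect=true"; // assumed landing view
        } catch (AuthenticationException e) {
            FacesContext.getCurrentInstance().addMessage(null,
                    new FacesMessage(FacesMessage.SEVERITY_ERROR, "Login failed", null));
            return null;
        } finally {
            password = null; // do not keep the clear-text password in the view-scoped bean
        }
    }

    public String getUsername() { return username; }   public void setUsername(String v) { username = v; }
    public String getPassword() { return password; }   public void setPassword(String v) { password = v; }
    public String getRegion() { return region; }       public void setRegion(String v) { region = v; }
    public String getSite() { return site; }           public void setSite(String v) { site = v; }
    public List<String> getSites() { return sites; }
}
```

With this wiring the ajax request for dropdown #4 is just another postback of the form that holds the hidden _csrf field, so CsrfFilter lets it through, while a credential POST forged from another origin has no token and is refused. Two caveats: because the login runs inside the FacesServlet and not in UsernamePasswordAuthenticationFilter, Spring's SessionAuthenticationStrategy (session fixation protection and CSRF token rotation on login) is not invoked, which is why the bean changes the session id itself and the token keeps its pre-login value for the rest of the session; and the JSF-side protection the question links to only helps for JSF postbacks, so Spring's filter is still what guards any non-JSF endpoint such as /logout.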
  • I don't see any JSF in your question, so it is very hard to comment – Kukeltje Jul 02 '20 at 18:46
  • JSF is just the framework that is being used for the view layer. There isn't an issue with JSF per se, I just want to confirm what I found about JSF 2.2 and CSRF and then how can I ensure Spring Security configuration that allows for CSRF protection at the Login page (Spring Security) and the JSF views – user10776719 Jul 02 '20 at 19:43
  • What you found/read is correct in the Arjan Tijms article, see also https://stackoverflow.com/questions/7722159/csrf-xss-and-sql-injection-attack-prevention-in-jsf. But what you _**ask**_ is unclear. Certainly from a JSF point of view, since we cannot see your login page and cannot see/determine what the role of JSF is (if at all). There is a reason [ask] states to create a [mcve]. – Kukeltje Jul 02 '20 at 20:03
  • Am I correct to assume your problem is solved? – Kukeltje Jul 06 '20 at 18:02

0 Answers