JSF 2.x has already builtin CSRF prevention in flavor of javax.faces.ViewState hidden field in the form when using server side state saving. In JSF 1.x this value was namely pretty weak and too easy predictable (it was actually never intended as CSRF prevention). In JSF 2.0 this has been improved by using a long and strong autogenerated value instead of a rather predictable sequence value and thus making it a robust CSRF prevention.
In JSF 2.2 this is even be further improved by making it a required part of the JSF specification, along with a configurable AES key to encrypt the client side state, in case client side state saving is enabled. New in JSF 2.2 is CSRF protection on GET requests by <protected-views>.
使用JSF 1.x的遗留代码,可以扩展form,在form内增加一个token,token通过SessionListener生成,保存在Session中,代码如下:
CsrfSessionListener
public class CsrfSessionListener implements HttpSessionListener {
private static final String CSRF_TOKEN_NAME = "CsrfToken";
@Override
public void sessionCreated(HttpSessionEvent se) {
HttpSession session = se.getSession();
session.setAttribute(CSRF_TOKEN_NAME, UUID.randomUUID().toString());
}
@Override
public void s