I've put s:token with attributes requireSession set to false, allowMultiplePosts set to true into all my forms to prevent XSRF. I use ratproxy for testing:
./ratproxy -v . -w myFile.log -d myHost -p 8080 -lextifscgjmX
(notice the X)
and when I click on an h:commandButton I get this on the JBoss console:
WARN [lifecycle] viewId: /home.xhtml - Form signature invalid
org.jboss.seam.ui.UnauthorizedCommandException: viewId: /home.xhtml - Form signature invalid
    at org.jboss.seam.ui.renderkit.TokenRendererBase.doDecode(TokenRendererBase.java:110)
    [...]
ERROR [lifecycle] JSF1054: (Phase ID: APPLY_REQUEST_VALUES 2, View ID: /home.xhtml) Exception thrown during phase execution: javax.faces.event.PhaseEvent[source=com.sun.faces.lifecycle.LifecycleImpl@943658]
so I've put this into pages.xml at the top of the 'exception' section:
<exception class="org.jboss.seam.ui.UnauthorizedCommandException" log="false">
    <redirect view-id="/error.xhtml">
        <message severity="error">#{messages['exception.FormSignatureException']}</message>
    </redirect>
</exception>
in the hope that it will catch the exception and not 'spam' my log with GBs of exceptions in case of an active attack or testing. Unfortunately the exception keeps showing :(
Please advise.
Same goes with Nessus.
How should I proceed?