RichFaces and Spring Security

strannik_2011 Dec 22, 2014 4:57 AM

I have upgraded Spring Security to 3.2.5 where csrf protection is enabled by default.

Now all my AJAX requests in RF fail with CSRF missing token error. So I had to disable csrf to make it working.

Is it possible to integrate CSRF protection into AJAX requests?

RichFaces 4.5.1

Thanks,

Sergey

1. Re: RichFaces and Spring Security

iabughosh Dec 22, 2014 9:41 AM (in response to strannik_2011)

Hello Sergey,
If you are using JSF 2.2 you can use its embedded feature to protect GET requests (Including Ajax calls) :
- At faces-config file add the following snippet :

<protected-views>

<url-pattern>/your-page.xhtml</url-pattern>

</protected-views>

regards.
Actions
2. Re: RichFaces and Spring Security

strannik_2011 Dec 22, 2014 11:42 AM (in response to iabughosh)

Thank you, Ibrahim.

Do you mean that JSF already enables CSRF protection by default for POST requests?
Actions
3. Re: RichFaces and Spring Security

iabughosh Dec 22, 2014 2:36 PM (in response to strannik_2011)

Yes Sergey, JSF by default protect applications from XSS and CSRF (post request).
Actions