I am steeped in Struts, and I am starting to learn JSF 2.0. Can I keep using what worked in Struts to reduce attack vectors, or are there new attack vectors that I will need to code for?
JSF/Facelets by default already escapes output in UIOutput and UIInput components. So as long as you redisplay user-controlled input by <h:outputText> and <h:inputWhatever>, then the XSS part is safe.

JSF also has built-in prevention against CSRF by the javax.faces.ViewState hidden input field. Prior to JSF 2.1 this is only “too easy” to guess, see also JSF impl issue 812 and JSF spec issue 869. This has recently (3 Oct 2010) been fixed for JSF 2.1.

Note that the prevention against SQL injection attacks is not the responsibility of a web MVC framework. You need to solve that part in the data layer. If you use JPA the right way (i.e. do not concatenate user-controlled input in a SQL string, but use parameterized queries), then that part is safe as well.
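The answer's last point, shown as an added example that is not part of the original answer: a JPA lookup that concatenates user input into the JPQL string, beside the parameterized form the answer recommends. The User entity, the UserRepository class and the injected EntityManager are assumed names for illustration.

```java
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.TypedQuery;

// Hypothetical entity used by both queries below.
@Entity
public class User {
    @Id
    private Long id;
    private String name;

    public Long getId() { return id; }
    public String getName() { return name; }
}

// Hypothetical repository; in a real application the EntityManager
// is injected by the container rather than passed in.
class UserRepository {
    private final EntityManager em;

    UserRepository(EntityManager em) {
        this.em = em;
    }

    // Vulnerable: the request parameter becomes part of the query text.
    // A quote character in "name" ends the string literal early and lets
    // the rest of the input be parsed as query syntax. JPQL does not
    // protect against this any more than raw SQL does.
    public List<User> findByNameUnsafe(String name) {
        String jpql = "SELECT u FROM User u WHERE u.name = '" + name + "'";
        return em.createQuery(jpql, User.class).getResultList();
    }

    // Safe: the query text is a constant and the value is bound as a
    // named parameter, so whatever the user typed is only ever compared
    // as data and can never change the structure of the query.
    public List<User> findByName(String name) {
        TypedQuery<User> query = em.createQuery(
                "SELECT u FROM User u WHERE u.name = :name", User.class);
        query.setParameter("name", name);
        return query.getResultList();
    }
}
```

The same rule applies to native queries (em.createNativeQuery) and to the Criteria API: pass values through setParameter or a ParameterExpression, never through string building.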