MyFaces Core
  1. MyFaces Core
  2. MYFACES-3714

Implement stateless mode using f:view "transient" attribute

    Details

    • Type: Task Task
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.2.0-beta
    • Component/s: JSR-344
    • Labels:
      None

      Description

      Implement stateless mode using f:view "transient" attribute

      The big problem with this stuff is what happen when view protection is considered and the resulting relationship between the state mode used (client or server) and mixing everything together.

      For example, view protection relies on what's inside javax.faces.ViewState hidden field and how it is encoded. Theorically javax.faces.ViewState protects against CSRF attacks, but with a special stateless token it could be possible to use that token into non stateless views. We should prevent that adding proper checks into the StateManagementStrategy and the Restore View phase.

      In theory, it is necessary to extend org.apache.myfaces.application.StateCache abstract class to reflect the necessary logic to ensure protected views are always secured, even if they are declared as stateless.

        Activity

        Hide
        Leonardo Uribe added a comment -

        Committed solution for this one. It seems the issues between view protection and stateless views will be clarified in a further version of the spec. For now I think it is ok to consider stateless views as unprotected, and enforce protected views to be not stateless.

        Show
        Leonardo Uribe added a comment - Committed solution for this one. It seems the issues between view protection and stateless views will be clarified in a further version of the spec. For now I think it is ok to consider stateless views as unprotected, and enforce protected views to be not stateless.
        Hide
        Leonardo Uribe added a comment -

        I finally add a check for view protection when the view is stateless views and is a postback. That will be enough, since the documentation suggest the token will be added in ViewHandler.encodeAction(...) method, so if the view is protected, it will be for outcomeTarget links and normal forms too.

        Show
        Leonardo Uribe added a comment - I finally add a check for view protection when the view is stateless views and is a postback. That will be enough, since the documentation suggest the token will be added in ViewHandler.encodeAction(...) method, so if the view is protected, it will be for outcomeTarget links and normal forms too.

          People

          • Assignee:
            Leonardo Uribe
            Reporter:
            Leonardo Uribe
          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development