Uploaded image for project: 'MyFaces Core'
  1. MyFaces Core
  2. MYFACES-3714

Implement stateless mode using f:view "transient" attribute

    Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.2.0-beta
    • Component/s: JSR-344
    • Labels:
      None

      Description

      Implement stateless mode using f:view "transient" attribute

      The big problem with this stuff is what happen when view protection is considered and the resulting relationship between the state mode used (client or server) and mixing everything together.

      For example, view protection relies on what's inside javax.faces.ViewState hidden field and how it is encoded. Theorically javax.faces.ViewState protects against CSRF attacks, but with a special stateless token it could be possible to use that token into non stateless views. We should prevent that adding proper checks into the StateManagementStrategy and the Restore View phase.

      In theory, it is necessary to extend org.apache.myfaces.application.StateCache abstract class to reflect the necessary logic to ensure protected views are always secured, even if they are declared as stateless.

        Attachments

          Activity

            People

            • Assignee:
              lu4242 Leonardo Uribe
              Reporter:
              lu4242 Leonardo Uribe
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: