myfaces-dev mailing list archives

From "Leonardo Uribe (JIRA)" <>
Subject [jira] [Commented] (MYFACES-4164) Unexpected behavior when javax.faces.ViewState is set to "stateless" in a State view
Date Wed, 18 Oct 2017 19:10:00 GMT


Leonardo Uribe commented on MYFACES-4164:

Strange, I remember there was a check in some place for that condition (stateful view with
stateless view state).

> Unexpected behavior when javax.faces.ViewState is set to "stateless" in a State view
> ------------------------------------------------------------------------------------
>                 Key: MYFACES-4164
>                 URL:
>             Project: MyFaces Core
>          Issue Type: Bug
>    Affects Versions: 2.2.12, 2.3.0-beta
>            Reporter: Eduardo Breijo
>         Attachments: ProtectedViewStateless.war
> I have encountered an issue or an unexpected behavior with a stateless value of the “javax.faces.ViewState”
> hidden input.
> Let’s say you navigate to a state view. When the value attribute of “javax.faces.ViewState”
> is changed manually using the browser’s developer tools, the application can prevent a CSRF attack
> by throwing a ViewExpiredException. However, if you modify the value to be “stateless”,
> then no ViewExpiredException is thrown.
> Even if you add View Protection to the state view, and modify the value to be “stateless”,
> no exception is thrown.
> The following JIRA issue said that this should be prevented with View Protections but
> it seems that’s not working.
> Comparing this behavior with Mojarra, if you modify the value to be “stateless”,
> then the following exception is thrown:
> javax.faces.FacesException: Unable to restore view /stateView.xhtml
> 	com.sun.faces.application.view.FaceletViewHandlingStrategy.restoreView(
> 	com.sun.faces.application.view.MultiViewHandler.restoreView(
> 	javax.faces.application.ViewHandlerWrapper.restoreView(
> 	com.sun.faces.lifecycle.RestoreViewPhase.execute(
> 	com.sun.faces.lifecycle.Phase.doPhase(
> I have provided a sample app that demonstrates this behavior.
> Instructions to recreate the behavior on Tomcat:
> 1) Deploy the app on Tomcat
> 2) Drive a request to http://localhost:8080/ProtectedViewStateless/index.xhtml
> 3) Click the “Navigate to State View” link
> 4) Open the browser’s Developer Tools and modify the value of “javax.faces.ViewState”
> to “stateless”
> 5) Click the “Go to Final View” button. No exception is thrown.
> If you change the MyFaces bundle to a Mojarra bundle and repeat the same steps, you’ll
> get the exception I mentioned above.

This message was sent by Atlassian JIRA
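The condition Leonardo refers to (a stateful view reached with a stateless view-state token) can also be enforced at the application level while a framework fix is pending. The JSF 2.2 PhaseListener below is an added illustration written for this archive; it is not MyFaces or Mojarra code. It assumes a hypothetical class name `StatelessTokenGuard`, a hypothetical allow-list of view ids the application deliberately renders with `<f:view transient="true">` (`/statelessView.xhtml` is a constructed entry), and takes the literal token value `stateless` and the parameter name `javax.faces.ViewState` from the report above. When a postback for any other view carries that token, the listener raises the same `ViewExpiredException` the reporter expects for a tampered token, instead of letting the lifecycle silently build a fresh view.

```java
package example.security; // hypothetical package name

import java.util.Collections;
import java.util.Set;

import javax.faces.application.ViewExpiredException;
import javax.faces.component.UIViewRoot;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;
import javax.faces.render.ResponseStateManager;

/**
 * Rejects a postback whose javax.faces.ViewState parameter is the literal
 * "stateless" token when the restored view is not one the application
 * declared as stateless. Added example; not part of MyFaces.
 */
public class StatelessTokenGuard implements PhaseListener {

    // Hypothetical allow-list: views rendered with <f:view transient="true">.
    // A real deployment would load this from configuration; the entry is constructed.
    private static final Set<String> DECLARED_STATELESS_VIEWS =
            Collections.singleton("/statelessView.xhtml");

    // Token value quoted in the bug report for a stateless view.
    private static final String STATELESS_TOKEN = "stateless";

    @Override
    public PhaseId getPhaseId() {
        // The view id is only known once RESTORE_VIEW has run, so check afterwards.
        return PhaseId.RESTORE_VIEW;
    }

    @Override
    public void beforePhase(PhaseEvent event) {
        // Nothing to do before the view is restored.
    }

    @Override
    public void afterPhase(PhaseEvent event) {
        FacesContext context = event.getFacesContext();
        if (!context.isPostback()) {
            return; // initial GET requests carry no view state at all
        }

        // ResponseStateManager.VIEW_STATE_PARAM is the "javax.faces.ViewState" name.
        String token = context.getExternalContext().getRequestParameterMap()
                .get(ResponseStateManager.VIEW_STATE_PARAM);
        if (!STATELESS_TOKEN.equals(token)) {
            return; // any other token is validated by the StateManager as usual
        }

        UIViewRoot root = context.getViewRoot();
        String viewId = root == null ? null : root.getViewId();
        if (viewId == null || !DECLARED_STATELESS_VIEWS.contains(viewId)) {
            // A stateful view reached with a stateless token: treat it exactly like
            // an expired or tampered token rather than continuing the lifecycle.
            throw new ViewExpiredException(
                    "Stateless view state token submitted for stateful view " + viewId,
                    viewId);
        }
    }
}
```

The listener is registered in `faces-config.xml` as a `phase-listener` element inside `lifecycle`. Keying the decision on an explicit allow-list of stateless view ids, rather than on whatever the restored `UIViewRoot` reports as transient, keeps the check independent of how a given JSF implementation marks a view it rebuilt from the `stateless` token.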
