Mastering JavaServer Faces 2.2

Master the art of implementing user interfaces with JSF 2.2

Product type: Paperback
Published: Jun 2014
ISBN-13: 9781782176466
Length: 578 pages
Edition: 1st Edition
Author: Anghel Leonard
Table of Contents (15 chapters)

Preface
1. Dynamic Access to JSF Application Data through Expression Language (EL 3.0)
2. Communication in JSF
3. JSF Scopes – Lifespan and Use in Managed Beans Communication
4. JSF Configurations Using XML Files and Annotations – Part 1
5. JSF Configurations Using XML Files and Annotations – Part 2
6. Working with Tabular Data
7. JSF and AJAX
8. JSF 2.2 – HTML5 and Upload
9. JSF State Management
10. JSF Custom Components
11. JSF 2.2 Resource Library Contracts – Themes
12. Facelets Templating
A. The JSF Life Cycle
Index

JSF security notes

Discussions of JSF state saving also touch on JSF security. Saving the JSF state on the client is less secure than saving it on the server. For the most common security concerns (for example, XSS, CSRF, SQL injection, and phishing), JSF provides implicit protection.

Cross-site request forgery (CSRF)

CSRF and phishing attacks can be prevented by saving state on the server. JSF 2.0 comes with implicit protection against CSRF attacks based on the value of the javax.faces.ViewState hidden field. Starting with JSF 2.2, this protection was substantially strengthened by generating a stronger, more robust value for this field.

Cross-site scripting (XSS)

XSS attacks are implicitly prevented by JSF through the escape attribute, which is set to true by default (for example, on <h:outputText/> and <h:outputLabel/>). Consider the following examples:

<p>Hi, <h:outputText value="#{loginbean.name}" /></p>
<p>Hi, #{loginbean...
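As an added illustration of the escape attribute described above (this is not the book's own listing), the following Facelets page puts the default, the explicit, and the disabled form side by side; the bean name loginBean, its name property, and the sample value are assumed for the walk-through.

```xml
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://xmlns.jcp.org/jsf/html">
<!-- Added illustration, not from the book. Assumes a managed bean named
     loginBean whose name property holds user-supplied text; for this
     walk-through imagine it holds the constructed value:  Ann <b>Smith</b> -->
<h:head><title>escape attribute</title></h:head>
<h:body>
  <!-- 1. Default: escape="true" is implied. Markup characters are encoded,
          so the browser displays the literal text "Ann <b>Smith</b>";
          the rendered HTML is: <p>Hi, Ann &lt;b&gt;Smith&lt;/b&gt;</p> -->
  <p>Hi, <h:outputText value="#{loginBean.name}" /></p>

  <!-- 2. The same thing spelled out explicitly; identical output to case 1. -->
  <p>Hi, <h:outputText value="#{loginBean.name}" escape="true" /></p>

  <!-- 3. Facelets also escapes EL placed directly in template text,
          so this renders the same as case 1. -->
  <p>Hi, #{loginBean.name}</p>

  <!-- 4. escape="false" switches the protection off: the value is written
          verbatim, <p>Hi, Ann <b>Smith</b></p>, so any markup in user input
          reaches the browser unencoded. Reserve this for values the
          application itself produced (or has already sanitized); never use
          it for raw user input. -->
  <p>Hi, <h:outputText value="#{loginBean.name}" escape="false" /></p>
</h:body>
</html>
```

A quick check during review is to grep Facelets pages for escape="false" and confirm each occurrence renders only application-generated markup.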