ICEfaces / ICE-11435

Constrain partial requests to HTTP POST only

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: EE-3.3.0.GA_P05, 4.3
    • Fix Version/s: EE-3.3.0.GA_P06, EE-4.3.0.GA
    • Component/s: Framework
    • Labels:
      None
    • Environment:
      ICEfaces

      Description

      Constrain partial requests to HTTP POST only to improve the security of the framework.
      JSF does not enforce in any way the type of HTTP request used, but it makes sense to only have HTTP POST for partial requests since they are the ones that change the state of the view, session, component and app.

        Activity

        Mircea Toma added a comment - edited

        Implemented validation of requests for JSF post-backs and ICEpush requests. The validation feature can be enabled with the org.icefaces.httpPostValidationEnabled context parameter in the web.xml file. By default the parameter is set to false.

        An invalid JSF post-back will still get an HTTP 200 response, but with a partial update error message that contains the error type and the reason. An invalid ICEpush request will get an HTTP 500 response, with a response body that contains the error and the reason.
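
A deployment check for the setting described in the comment above, as an added example that is not part of the original comment or of the ICEfaces code base: it parses a web.xml and reports whether org.icefaces.httpPostValidationEnabled is switched on. The sample documents are constructed, and the case-insensitive "true" comparison and the conservative handling of duplicate entries are assumptions.

```python
# Added example: audit a web.xml for the ICEfaces POST-validation switch.
# Intended for your own deployment descriptors, not for untrusted XML.
import xml.etree.ElementTree as ET

PARAM = "org.icefaces.httpPostValidationEnabled"

# Constructed sample: validation explicitly enabled (namespaced descriptor).
HARDENED = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <context-param>
    <param-name>org.icefaces.httpPostValidationEnabled</param-name>
    <param-value>true</param-value>
  </context-param>
</web-app>
"""
# Constructed sample: parameter absent, so the default (false) applies.
DEFAULT = "<web-app version='3.0'><display-name>demo</display-name></web-app>"
# Constructed sample: parameter present but switched off.
EXPLICIT_OFF = HARDENED.replace(">true<", ">false<")


def _local(tag):
    """Drop the XML namespace so namespaced and plain descriptors both match."""
    return tag.rsplit("}", 1)[-1]


def post_validation_status(web_xml_text):
    """Return 'enabled', 'disabled' or 'unset' for PARAM in a web.xml document."""
    root = ET.fromstring(web_xml_text)
    values = []
    for elem in root:
        if _local(elem.tag) != "context-param":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if fields.get("param-name") == PARAM:
            values.append(fields.get("param-value", ""))
    if not values:
        return "unset"
    # Assumption: the value is read as a boolean where only "true" (any case)
    # enables the feature; duplicate entries count as enabled only if all agree.
    return "enabled" if all(v.lower() == "true" for v in values) else "disabled"


if __name__ == "__main__":
    for name, doc in [("hardened", HARDENED), ("default", DEFAULT), ("off", EXPLICIT_OFF)]:
        print(name, "->", post_validation_status(doc))
```

Because the parameter defaults to false, an "unset" result means the validation is off just as a "disabled" result does.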


          People

          • Assignee:
            Mircea Toma
            Reporter:
            Mircea Toma
          • Votes:
            0
            Watchers:
            1