Details
-
Type:
Improvement
-
Status: Closed
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: EE-3.3.0.GA_P05, 4.3
-
Fix Version/s: EE-3.3.0.GA_P06, EE-4.3.0.GA
-
Component/s: Framework
-
Labels:None
-
Environment:ICEfaces
-
Support Case References:
-
Affects:Documentation (User Guide, Ref. Guide, etc.), Compatibility/Configuration
Description
Constrain partial requests to HTTP POST only to improve the security of the framework.
JSF does not enforce in any way the type of HTTP request used, but it makes sense to only have HTTP POST for partial requests since they are the ones that change the state of the view, session, component and app.
JSF does not enforce in any way the type of HTTP request used, but it makes sense to only have HTTP POST for partial requests since they are the ones that change the state of the view, session, component and app.
Activity
| Field | Original Value | New Value |
|---|---|---|
| Assignee | Mircea Toma [ mircea.toma ] |
| Fix Version/s | EE-3.3.0.GA_P06 [ 13114 ] | |
| Fix Version/s | EE-4.3.0.GA [ 13103 ] |
| Affects | Documentation (User Guide, Ref. Guide, etc.),Compatibility/Configuration [ 10003, 10002 ] |
| Status | Open [ 1 ] | Resolved [ 5 ] |
| Resolution | Fixed [ 1 ] |
| Status | Resolved [ 5 ] | Closed [ 6 ] |
Implemented validation of requests for JSF post-backs and ICEpush requests. The validation feature can be enabled with the org.icefaces.httpPostValidationEnabled context parameter in the web.xml file. By default the parameter is set to false.
An invalid JSF post-back will still get a HTTP 200 response, but with a partial update error message that contains the error type and the reason. An invalid ICEpush request will get a HTTP 500 response, with a response body that contains the error and the reason.