FAQ: Is FacesServlet vulnerable to CSRF attacks?

Question

Is FacesServlet vulnerable to CSRF attacks?

Answer

Yes, FacesServlet is vulnerable to Cross-Site Request Forgery (CSRF) attacks.

ArcGIS Server Java Edition's WebADF makes explicit use of the javax.faces.webapp.FacesServlet. CSRF is a known security issue with the FacesServlet in the JSF development world. Below are two external URLs to sites that explain CSRF and possible workarounds:

Nabble
SeamFramework
