FAQ: Is FacesServlet vulnerable to CSRF attacks?
Is FacesServlet vulnerable to CSRF attacks?
Yes, FacesServlet is vulnerable to Cross-Site Request Forgery (CSRF) attacks.
ArcGIS Server Java Edition's WebADF makes explicit use of the javax.faces.webapp.FacesServlet. CSRF is a known security issue with the FacesServlet in the JSF development world. Below are two external URLs to sites that explain CSRF and possible workarounds: