CSRF protection for a JSF based web app and Tomcat6 backend without using any external packages. Kindly help.
JSF has already builtin protection against CSRF by the javax.faces.ViewState hidden field which is to be linked with the state of the component tree in the server side. If this hidden field is missing or contains a wrong value, then JSF simply won't process the POST request. On JSF 1.x the key is only a bit too easy to guess, see also JSF impl issue 812 and JSF spec issue 869. This is fixed in JSF 2.1.
Your major concern should be XSS. A succesful XSS attack can form a source for a guaranteed-to-be-succesful CSRF attack. To avoid XSS, ensure that you don't redisplay user-controlled input with <h:outputText escape="false" />. Other than that, JSF will already by default escape HTML entities.
来源:https://stackoverflow.com/questions/5785616/csrf-validation-using-tomcat-6-without-using-external-packages