I am new to JSF and Primefaces and I am trying to implement custom portlets for liferay using Primefaces. To submit simple form data I'm using ajax as follows:
<f:ajax execute="@form" render="@form :message-show" listener="#{dataController.addData}" onevent="updateProgresBar" />
Submitting results in an ajax call whose URL contains a parameter with the view mapping, e.g.
_sampleportlet_WAR_servicexy_INSTANCE_eVh2tM4zSkIj__facesViewIdResource=%2Fview.xhtml
Can you advise whether this view.xhtml mapping is protected against open redirection vulnerabilities as part of the JSF/Primefaces spec, or whether this needs to be handled manually? If so, could you advise what the best practice is to implement it, e.g. some custom filter etc.?
Thanks in advance
It is the developer's responsibility to ensure that the current Liferay user has permission to visit specific JSF views that are contained in the portlet application, execute managed bean methods, etc.
For more details, see How do I do security in JSF?
Note that there were three vulnerabilities in Liferay Faces Bridge that were either directly or indirectly related to your question:
In order to ensure that you are using versions of Liferay Faces dependencies that contain fixes for these issues, visit the liferayfaces.org home page and use the drop-down menus to choose your version of Liferay Portal and JSF. After making a selection, the home page will update with the latest Maven/Gradle dependencies.
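As an added example (not code from the question, the answer, or Liferay Faces), a JSF PhaseListener that treats the view-id request parameter shown in the question as untrusted input: it accepts only an application-relative view id from an allowlist and rejects absolute, protocol-relative or traversal values before RESTORE_VIEW. The parameter-name suffix, the allowlisted view names and the 403 response are assumptions.

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;

// Hypothetical guard; register it in faces-config.xml under <lifecycle>/<phase-listener>.
public class ViewIdGuardPhaseListener implements PhaseListener {

    // Assumed allowlist of views this portlet is permitted to render.
    private static final Set<String> ALLOWED_VIEWS =
            new HashSet<>(Arrays.asList("/view.xhtml", "/edit.xhtml"));

    // True only for an application-relative view id that is on the allowlist.
    static boolean isSafeViewId(String rawValue) {
        if (rawValue == null) return false;
        String viewId;
        try {
            // The container already decoded "%2Fview.xhtml"; decoding once more
            // catches double-encoded values such as "%252F..".
            viewId = URLDecoder.decode(rawValue, "UTF-8");
        } catch (UnsupportedEncodingException | IllegalArgumentException e) {
            return false;
        }
        // Reject schemes, protocol-relative URLs, backslashes and path traversal.
        if (viewId.contains(":") || viewId.startsWith("//") || viewId.contains("\\")
                || viewId.contains("..") || !viewId.startsWith("/")) {
            return false;
        }
        return ALLOWED_VIEWS.contains(viewId);
    }

    @Override
    public void beforePhase(PhaseEvent event) {
        FacesContext context = event.getFacesContext();
        ExternalContext external = context.getExternalContext();
        for (Map.Entry<String, String> param : external.getRequestParameterMap().entrySet()) {
            // Assumption: the bridge's view-id parameter name ends with this suffix.
            if (!param.getKey().endsWith("_facesViewIdResource")) continue;
            if (isSafeViewId(param.getValue())) continue;
            try {
                external.responseSendError(403, "Rejected view id");
            } catch (IOException ignored) { }
            context.responseComplete(); // stop the lifecycle; nothing else renders
        }
    }

    @Override public void afterPhase(PhaseEvent event) { }

    @Override public PhaseId getPhaseId() { return PhaseId.RESTORE_VIEW; }
}
```

This only validates the shape of the view id; the per-user permission check the answer describes still has to be done against Liferay's own permission model.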