Does JSF1.2 has buit in CSRF protection?

I have tested a JSF application with the CSRFtester tool, and the tool didn't report any CSRF problems. But I had read in the "OWASP_Top_10_2007_for_JEE.pdf", that all Java EE web application frameworks are vulnerable to CSRF and also some says we need to create a secret key for each session and开发者_运维百科 append it to the url. By doing this way we can secure our JSF application from the CSRF attack.This makes me confused. I cannot find any clear documentation. IS JSF is vulnerable to CSRF attack? What was the right way to protect a JSF application from CSRF attacks? Please help me out!!

Thanks in Advance!!

Yes, JSF is vulnerable to CSRF. I implemented CSRF prevention token for my JSF 1.2 application just a few days ago.

Here's what you could use:

Tomcat CSRF Prevention Filter (find the source)

Another wonderful solution, can be easily implemented on JSF 1.2

I used the combination of two. Works well.