Board index JavaServer Faces General Security issue - EL injection via DynamicContentStreamer

Security issue - EL injection via DynamicContentStreamer

Components, Ajax Framework, Utilities and More.

Posts: 11

there is an unfortunate severe security hole in the Primefaces implementation. Specifically the dynamic content feature implemented via DynamicContentStreamer phase listener allows for custom EL injection. You don't have to use dynamic content feature and still your application allows this attack.

Let me show you an example of the attack:

Assume Spring integrated application. By going to the folowing URL I am able to get the root application context:


More, assume single DAO bean called fooDao with method deleteById(int id). I can call this method as well:


Usually all security checks are done on service/business layer. By calling DAO directly I am able to bypass application security.

So this is only for application integrated with Spring? No. The modus operandi of DynamicContentStreamer is wrong at its core. Allowing for EL injection is bad in every possible scenario. This can not be fixed without completely changing Primefaces dynamic content handling.

Unfortunately we realized this at the late project stage. So what to do before the Primefaces guys will fix this? Well, we came up with a simple workaround - we will implement custom servlet filter. This filter will check for primefacesDynamicContent request parameter. If it is present, it will just check its value against pre-defined set of regular expressions. By doing this, we will control what expressions are being used.

I think this one should be reported as a bug. What do you think?

Thanks for any reply,
Pavel Horal

Posts: 11
One week and no reply. I will create the bug then.

Posts: 17233
Location: Cybertron

It is not a bug but an enhancement.

Regarding one week and no reply, this is community forum so there is no guarantee to get a response unlike in Enterprise Forum.

Posts: 11
Thank you for your reply.

I don't agree with you. It is a very severe security hole. It allows running injected Java server code. You might say that you can run EL only, but the newest EL with function calls opens whole new area of possibilities. Also it can be combined with XSRF which makes it even more severe.

I chose the topic name EL Injection on purpose. It is very similar to other attacks like SQL injection. Imagine using framework which handles user requests and directly communicates with database. If such framework allows for SQL injection, will you classify it as a severe security bug or as an enhancement?

Also the modus operandi allows for injecting EL at any page (as long as the request is handled by FacesServlet). That means even if I have a perfectly secured application I can still do the injection at my login page.

At the end all projects using PrimeFaces are affected (even the PrimeFaces showcase), even the commercial ones which post to the Enterprise Forum.

Oleg User avatar
Expert Member

Posts: 3785
Location: Germany, Black Forest
Hi pavel.horal,

Do you mean, PrimeFaces is not recommended in bank and other business projects using DynamicContentStreamer? Have you ever tried other component libraries (any kinds of EL injection there)?

Posts: 11
Do you mean, PrimeFaces is not recommended in bank and other business projects using PrimeFaces?

The problem I am describing do exist in PrimeFaces. As far as you are aware of it I think it is ok, because you can take countermeasures (like special servlet filter checking the expression being injected).
Also problem is that the DynamicContentStreamer is phase listener which is always enabled and can not be turned off. So there is a potential danger for developers who are not aware of this.

This issue should not prevent any enterprise deployment. PrimeFaces still is probably the best component library around ;).

Have you ever tried other component libraries (any kinds of EL injection there)?

I have to admit I don't have any deep experience with other libraries. To me the modus operandi of DynamicContentStreamer (accepting EL as a request parameter) feels not correct. I don't think other libraries are using this (maybe Optimus will correct me).

Posts: 11
I've found a critical exploit of this feature. I will write private message to Optimus with it.

The following code could be used to prevent the injection until this issue is resolved:

 * Servlet filter for protecting Primefaces' security hole in DynamicContentStreamer.
 * See .
 * @author pavel.horal(at)
public class ProtectingDynamicContentFilter implements Filter {

    private static final String DYNAMIC_CONTENT_PARAM = "primefacesDynamicContent";

    // XXX Hardcoded configuration for now
    private static final String[] ALLOWED_EXPRESSIONS = new String[] {

    public void init(FilterConfig filterConfig) throws ServletException {
        // Nothing to initialize

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        String expression = request.getParameter(DYNAMIC_CONTENT_PARAM);
        if (expression != null) {
        chain.doFilter(request, response);

     * Check dynamic content expression.
     * @param expression Expression to be checked. Never null.
    private void checkContentExpression(String expression) {
        for (String allowedExpression : ALLOWED_EXPRESSIONS) {
            if (allowedExpression.equals(expression)) {
                return; // OK
        throw new IllegalArgumentException("Invalid content expression '" +
                expression + "'.");

    public void destroy() {
        // Nothing to destroy

Last edited by pavel.horal on 24 May 2011, 10:08, edited 1 time in total.

Posts: 11
I was unable to find any contact to Optimus. Please contact me at my e-mail pavel.horal(at) and I will send you more information.
Last edited by pavel.horal on 24 May 2011, 10:07, edited 1 time in total.

Posts: 226
Location: Salzburg/Austria
Hm.. I can't really reproduce this. I'm using Spring 3.0.5 with Tomcat 7, Mojarra 2.1.1 and PrimeFaces 3.0.M1.

When I'm trying the url "http://localhost:8080/app/faces/main.xhtml?primefacesDynamicContent=applicationScope.get(param.attr)&attr=org.springframework.web.context.WebApplicationContext.ROOT" I get an Exception:
javax.servlet.ServletException: java.lang.NoSuchMethodException: com.sun.faces.context.ApplicationMap.get(java.lang.String)

Posts: 11
The exception you are getting is probably connected to the issue in EL implementation of some early versions of Tomcat 7. Just update to the latest stable Tomcat and it should work.
My configuration is - Tomcat 7.0.14, PrimeFaces 2.2.1, MyFaces 2.0.5, Spring 2.5.6 .

Btw. in my example I was calling get method on a map which is unnecessary. You can also modify your URL in this way:

Last edited by pavel.horal on 23 May 2011, 23:50, edited 2 times in total.


Return to General