Get the Whitepaper called Dissecting Java Server Faces for Penetration Testing. This paper is divided into two parts. In the first part, they discuss the internals of JSF, a Java based web application framework and its inherent security model. In the second part, they discuss about the security weaknesses and applied security features in the JSF. In addition, they also raise a flag on the security issues present in JSF in order to conduct effective penetration testing.
You can download it from the following link: https://packetstormsecurity.com/files/download/104474/dissecting_jsf_pt_aks_kr.pdf
Source: https://packetstormsecurity.com/files/104474/Dissecting-Java-Server-Faces-For-Penetration-Testing.html