Andrew Robinson wrote:
> Depends on if you are using client side or server side state.
> Technically with client side state the user can invoke any action.
> With server side state there is no way. If you are really concerned,
> add security checks to your action methods or use JBoss-Seam with EJB3
> managed security.
>

I'm using server-side state.

>
> On 5/5/06, Cagatay Civici <[EMAIL PROTECTED]> wrote:
>> Hi,
>>
>> At first glance I don't think it is possible since JSF uses http post.
>> So a hacker would have to use a tool besides a browser to construct the http post request. But they could.
>>
>> On 5/5/06, Dave Brondsema <[EMAIL PROTECTED]> wrote:
>> >
>> > Is it secure to limit access to a backing bean action simply by using
>> > the 'rendered' attribute to control when it is displayed? Or is it
>> > possible for a malicious user to construct a URL that still invokes the
>> > backing bean method, even when the commandButton for it is not rendered
>> > for that user?
>> >
>> > Thanks,
>> >
>> > --
>> > Dave Brondsema
>> > Software Developer
>> > Cornerstone University
>> >
>>
>

--
Dave Brondsema
Software Developer
Cornerstone University
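The advice quoted in this thread (add security checks to the action methods) as an added example, not code from any poster here: a JSF backing bean whose action re-checks the caller's role on the server instead of relying on 'rendered'. The bean, role and outcome names and the in-memory account store are assumptions.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Logger;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

// Hypothetical backing bean: class, role, outcome names and the store are assumptions.
public class AccountAdminBean {
    private static final Logger LOG = Logger.getLogger(AccountAdminBean.class.getName());
    private static final String REQUIRED_ROLE = "admin";   // assumed container role
    // Constructed in-memory store standing in for the real persistence layer.
    private static final Map<String, String> ACCOUNTS = new ConcurrentHashMap<String, String>();

    private String selectedAccountId;                       // bound to a form input

    // View side: <h:commandButton rendered="#{accountAdminBean.deleteAllowed}"
    //                             action="#{accountAdminBean.deleteAccount}"/>
    // 'rendered' only controls whether the button is drawn for this user.
    public boolean isDeleteAllowed() {
        return callerHasRole(REQUIRED_ROLE);
    }

    // The action repeats the check, so authorization does not depend on
    // which components were rendered or on how the POST was produced.
    public String deleteAccount() {
        ExternalContext ext = FacesContext.getCurrentInstance().getExternalContext();
        if (!callerHasRole(REQUIRED_ROLE)) {
            // Record the denial so unexpected invocations show up in the logs.
            LOG.warning("Denied deleteAccount for user=" + ext.getRemoteUser());
            return "accessDenied";
        }
        if (selectedAccountId == null || ACCOUNTS.remove(selectedAccountId) == null) {
            return "accountNotFound";
        }
        return "accountDeleted";
    }

    private boolean callerHasRole(String role) {
        ExternalContext ext = FacesContext.getCurrentInstance().getExternalContext();
        return ext.getUserPrincipal() != null && ext.isUserInRole(role);
    }

    public String getSelectedAccountId() { return selectedAccountId; }
    public void setSelectedAccountId(String id) { this.selectedAccountId = id; }
}
```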

