On 5/5/06, Dave Brondsema <[EMAIL PROTECTED]> wrote:
Andrew Robinson wrote:
> Depends on if you are using client side or server side state.
> Technically with client side state the user can invoke any action.
> With server side state there is no way. If you are really concerned,
> add security checks to your action methods or use JBoss-Seam with EJB3
> managed security.
>
I'm using server-side state.
>
> On 5/5/06, Cagatay Civici < [EMAIL PROTECTED]> wrote:
>> Hi,
>>
>> At first glance I don't think it is possible since JSF uses http post.
>>
So a hacker would have to use a tool besides a browser to construct the
http post request. But they could.
Well behaved components will skip decode/validation/update processing on components where rendered=false, so even an attempt to maliciously set values for disabled components *should* get ignored.
Craig
>>
>> On 5/5/06, Dave Brondsema < [EMAIL PROTECTED]> wrote:
>> >
>> > Is it secure to limit access to a backing bean action simply by using
>> > the 'rendered' attribute to control when it is displayed? Or is it
>> > possible for a malicious user to construct a URL that still invokes the
>> > backing bean method, even when the commandButton for it is not rendered
>> > for that user?
>> >
>> > Thanks,
>> >
>> > --
>> > Dave Brondsema
>> > Software Developer
>> > Cornerstone University
>> >
>> >
>> >
>> >
>>
>>
>
--
Dave Brondsema
Software Developer
Cornerstone University
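
The server-side check suggested in the thread, sketched as a JSF 1.x managed bean. This is an added example, not code from any poster. The bean name, the "admin" role, the outcome strings and the button markup in the comment are assumptions, and the role check relies on container-managed authentication.

```java
import java.util.logging.Logger;
import javax.faces.application.FacesMessage;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

/*
 * Hypothetical page markup that uses this bean:
 *   <h:commandButton value="Delete account"
 *                    action="#{accountBean.deleteAccount}"
 *                    rendered="#{accountBean.admin}"/>
 * The rendered attribute only decides what is displayed. The action
 * method repeats the same check so that authorization does not depend
 * on how the component tree was built or where the state is stored.
 */
public class AccountBean {
    private static final Logger LOG = Logger.getLogger(AccountBean.class.getName());
    private static final String ADMIN_ROLE = "admin"; // assumed role name

    // Single predicate shared by the view (rendered=...) and the action guard.
    public boolean isAdmin() {
        return externalContext().isUserInRole(ADMIN_ROLE);
    }

    // Action method: re-check authorization before doing any privileged work.
    public String deleteAccount() {
        if (!isAdmin()) {
            // Record the refused call so it is visible to whoever reviews the logs.
            LOG.warning("Refused deleteAccount for user "
                    + externalContext().getRemoteUser());
            FacesContext.getCurrentInstance().addMessage(null,
                    new FacesMessage(FacesMessage.SEVERITY_ERROR,
                            "Not authorized", "This action requires the admin role."));
            return "denied"; // assumed navigation outcome
        }
        performDelete();
        return "deleted"; // assumed navigation outcome
    }

    private void performDelete() {
        // Application-specific privileged operation goes here.
    }

    private ExternalContext externalContext() {
        return FacesContext.getCurrentInstance().getExternalContext();
    }
}
```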

