Kevin, I can't speak to Tomahawk's dataTable or updateActionListener, but MyFaces' <h:dataTable> uses simple index values (0,1,2...) for each row. By changing the index in the request, a hacker can access a different row, but only from the set of rows that were in the data set bound to the dataTable. I suspect that the Tomahawk tags behave the same way. The safest way for you to check any such JSF behavior is to grab a proxy tool like Paros that will let you inspect (and modify!) the content of each request/response.
Also see http://learnjsf.com/wp/security/ for a link to a recent ApacheCon presentation on securing JSF apps against parameter tampering and other kinds of attacks.

As an aside, if you find that you need to put IDs in the URL (to detect stale result sets or allow detail page bookmarks, for example), you could use a JSF converter to hash the ID in the browser in order to protect against parameter tampering as you've described.

/dmc

On 12/13/06, Kevin Galligan <[EMAIL PROTECTED]> wrote:
I've been wondering something for a little while now. Some of the CRUD-style links in my app use 'h:commandLink', with 't:updateActionListener' to set the particular element id value for that page. In days past I'd put the id on the query string, so like ... /app/DetailPage.do?itemId=1234

Now, obviously, you had to be careful because somebody could change the id value manually. With JSF, using t:updateActionListener, can somebody change the id value sent? If I'm 100% sure they couldn't, I could relax the access checking a little.

Most of these links are in t:dataTables, with preserveDataModel="true". If state is kept on the server, or encrypted on client (I think you can do that, right?), do I have to worry about the user getting access to something they shouldn't?

Thanks in advance,
-Kevin
--
David Chandler
Development Coach
learnjsf.com
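The "hash the ID in a JSF converter" idea from the reply above, worked through as an added example. This is not code from the thread, from MyFaces or from Tomahawk. It goes one step beyond a plain hash: an unkeyed hash can be recomputed by anyone who changes the id, so the example uses a keyed HMAC with a server-side secret instead, rendering each id as `id.tag` and refusing to convert a value whose tag does not verify. The class name `SignedIdConverter`, the `HmacSHA256` choice, the `signedid.key` system property used as a placeholder key source, and the assumption that item ids are `long` values are all illustrative assumptions.

```java
// Added example (not from the thread, MyFaces or Tomahawk): a JSF Converter
// that renders an item id as "id.tag", where tag is an HMAC over the id, and
// rejects any submitted value whose tag does not verify.
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.convert.Converter;
import javax.faces.convert.ConverterException;

public class SignedIdConverter implements Converter {

    private static final String ALGORITHM = "HmacSHA256";   // assumption
    private static final byte[] KEY = loadKey();

    // Placeholder key source (assumption): a real deployment reads a random
    // key from protected configuration; never ship a hard-coded default.
    private static byte[] loadKey() {
        String k = System.getProperty("signedid.key");
        if (k == null || k.isEmpty()) {
            throw new IllegalStateException("signedid.key system property not set");
        }
        return k.getBytes(StandardCharsets.UTF_8);
    }

    // Render phase: "1234" becomes "1234.<hex hmac over 1234>"
    public String getAsString(FacesContext ctx, UIComponent comp, Object value) {
        if (value == null) {
            return "";
        }
        String id = value.toString();
        return id + "." + hmacHex(id);
    }

    // Apply Request Values / Update Model: verify the tag before the id
    // reaches the application. A tampered id or tag fails here.
    public Object getAsObject(FacesContext ctx, UIComponent comp, String value) {
        if (value == null || value.isEmpty()) {
            return null;
        }
        int dot = value.lastIndexOf('.');
        if (dot <= 0) {
            throw new ConverterException("Item id is missing its signature");
        }
        String id = value.substring(0, dot);
        String tag = value.substring(dot + 1);
        byte[] expected = hmacHex(id).getBytes(StandardCharsets.US_ASCII);
        byte[] supplied = tag.getBytes(StandardCharsets.US_ASCII);
        // MessageDigest.isEqual compares without short-circuiting on the first
        // differing byte, so timing does not reveal how close a guess was.
        if (!MessageDigest.isEqual(expected, supplied)) {
            throw new ConverterException("Item id signature does not verify");
        }
        try {
            return Long.valueOf(id);   // ids assumed to be longs
        } catch (NumberFormatException e) {
            throw new ConverterException("Item id is not a number", e);
        }
    }

    // HMAC over the id, hex-encoded so it is safe inside a URL or form field
    private static String hmacHex(String data) {
        try {
            Mac mac = Mac.getInstance(ALGORITHM);
            mac.init(new SecretKeySpec(KEY, ALGORITHM));
            byte[] raw = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(raw.length * 2);
            for (byte b : raw) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HMAC unavailable", e);
        }
    }
}
```

Register the class under a converter id in faces-config.xml and reference it with the `converter` attribute on whichever component carries the id (a hidden input or a parameter-backed field), so that verification runs in the conversion phase before the model is updated. The tag only proves that the server issued that particular id value; it says nothing about whether the current user may see the item, so the detail page's own access check still has to run for each request.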

