Hello,

I'm in the final stage of a project and thinking about which is the
best way to make a myFaces-App secure (authentication, authorization,
...).

I'm thinking about the Tomcat built-in mechanism or an alternative
like securityFilter. But thinking about it, I got some questions, like
what about faking the view state on the client side.

Could it be that, for example, a normal user who knows the
application code fakes the view state on the client for a page which
has, for example, some commandbuttons which are rendered for an admin
but are not rendered for a normal user? Has anyone had experience in
this area?

Thanks a lot,
Rudi
