Hi, Regarding your concerns about the viewstate at client;
http://wiki.apache.org/myfaces/Secure_Your_Application Cagatay On 5/14/07, Rudi Steiner <[EMAIL PROTECTED]> wrote:
Hello, I'm in the final state of a project and thinking about, which is the best way to make a myFaces-App secure (authentication, authorization, ...) I'm thinking about the Tomcat build in mechanism or an alternative like securityFilter. But thinking about it, I got some questions like, how about to fake the view state on the client side. Could It be, that for example a normal user who knows the applicationcode, fakes the viewstate on the client for a page which has for example some commandbuttons which are rendered for an admin but are not rendered for a normal user? Has anyone made experiences in this area? thanks a lot, Rudi
