Hi Cagatay, thanks for the hint. This is definitely one step in making a JSF app secure.
I would like to increase the security of my app by writing a PhaseListener which checks the action the current request is calling and makes sure that the current user has the right to call this action (for example, calling the method deleteUser() in a backing bean). Could anyone please tell me how I can determine in a PhaseListener which action is going to be called in the current request? Best regards, Rudi On 5/14/07, Cagatay Civici <[EMAIL PROTECTED]> wrote:
> Hi, Regarding your concerns about the view state at the client:
> http://wiki.apache.org/myfaces/Secure_Your_Application
> Cagatay
>
> On 5/14/07, Rudi Steiner <[EMAIL PROTECTED]> wrote:
> > Hello,
> >
> > I'm in the final state of a project and thinking about which is the
> > best way to make a MyFaces app secure (authentication, authorization,
> > ...)
> >
> > I'm thinking about the Tomcat built-in mechanism or an alternative
> > like SecurityFilter. But thinking about it, I got some questions, like
> > how about faking the view state on the client side.
> >
> > Could it be that, for example, a normal user who knows the
> > application code fakes the view state on the client for a page which
> > has, for example, some command buttons which are rendered for an admin
> > but are not rendered for a normal user? Has anyone had experiences in
> > this area?
> >
> > thanks a lot,
> > Rudi
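As an added illustration of the idea discussed in this thread (not code from either poster or from MyFaces), here is one way a PhaseListener can work out which command was activated and refuse it before the action method runs. It assumes the JSF 1.2 API (UICommand.getActionExpression), container-managed roles queried through ExternalContext.isUserInRole, a constructed policy map from action expression strings to roles, and the renderer conventions that h:commandButton posts a parameter named by its clientId while h:commandLink posts a hidden field whose value is the link's clientId; the class name, bean names and role names are hypothetical.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

import javax.faces.component.UICommand;
import javax.faces.component.UIComponent;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical PhaseListener: before INVOKE_APPLICATION, find the UICommand
 * components that this request activated and verify the current user holds
 * the role required for their action expression. Registered in
 * faces-config.xml under <lifecycle><phase-listener>.
 */
public class ActionAuthorizationPhaseListener implements PhaseListener {

    // Constructed policy: action expression string -> required container role.
    private static final Map<String, String> REQUIRED_ROLE;
    static {
        Map<String, String> m = new HashMap<String, String>();
        m.put("#{userBean.deleteUser}", "admin");
        m.put("#{userBean.resetPassword}", "admin");
        REQUIRED_ROLE = Collections.unmodifiableMap(m);
    }

    public PhaseId getPhaseId() {
        return PhaseId.INVOKE_APPLICATION;
    }

    public void beforePhase(PhaseEvent event) {
        FacesContext ctx = event.getFacesContext();
        if (ctx.getViewRoot() == null) {
            return;
        }
        Map<String, String> params = ctx.getExternalContext().getRequestParameterMap();
        checkTree(ctx, ctx.getViewRoot(), params);
    }

    public void afterPhase(PhaseEvent event) {
        // nothing to do after the action phase
    }

    // Walk the restored component tree and authorize every activated command.
    private void checkTree(FacesContext ctx, UIComponent comp, Map<String, String> params) {
        if (ctx.getResponseComplete()) {
            return;
        }
        if (comp instanceof UICommand && wasActivated(comp.getClientId(ctx), params)) {
            authorize(ctx, (UICommand) comp);
        }
        for (Iterator<UIComponent> it = comp.getFacetsAndChildren(); it.hasNext();) {
            checkTree(ctx, it.next(), params);
        }
    }

    // Assumption: h:commandButton posts a parameter keyed by its clientId;
    // h:commandLink posts a hidden field whose value is the link's clientId.
    private boolean wasActivated(String clientId, Map<String, String> params) {
        return params.containsKey(clientId) || params.containsValue(clientId);
    }

    private void authorize(FacesContext ctx, UICommand cmd) {
        if (cmd.getActionExpression() == null) {
            return; // no action bound, nothing to protect
        }
        String expr = cmd.getActionExpression().getExpressionString();
        String role = REQUIRED_ROLE.get(expr);
        ExternalContext ext = ctx.getExternalContext();
        if (role == null || ext.isUserInRole(role)) {
            return; // unrestricted action, or user holds the required role
        }
        // Not authorized: answer 403 and stop the lifecycle before the action runs.
        try {
            ((HttpServletResponse) ext.getResponse()).sendError(HttpServletResponse.SC_FORBIDDEN);
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
        ctx.responseComplete();
    }
}
```

Because the request-parameter matching depends on renderer conventions, the role check belongs in the backing bean method itself as well; the listener is a second layer, not a replacement for it. It also does nothing about the view state concern raised earlier in the thread: a forged client-side view state can still restore components the server never rendered for that user, which is exactly why the action method must not trust that a button was shown to the caller.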

