Posted to users@myfaces.apache.org by Dave Brondsema <da...@brondsema.net> on 2006/05/05 14:49:06 UTC

security with @rendered

Is it secure to limit access to a backing bean action simply by using
the 'rendered' attribute to control when it is displayed?  Or is it
possible for a malicious user to construct a URL that still invokes the
backing bean method, even when the commandButton for it is not rendered
for that user?

Thanks,

-- 
Dave Brondsema
Software Developer
Cornerstone University


Re: security with @rendered

Posted by Craig McClanahan <cr...@apache.org>.
On 5/5/06, Dave Brondsema <da...@brondsema.net> wrote:
>
> Andrew Robinson wrote:
> > Depends on if you are using client side or server side state.
> > Technically with client side state the user can invoke any action.
> > With server side state there is no way. If you are really concerned,
> > add security checks to your action methods or use JBoss-Seam with EJB3
> > managed security.
> >
>
> I'm using server-side state.
>
> >
> > On 5/5/06, Cagatay Civici <ca...@gmail.com> wrote:
> >> Hi,
> >>
> >> At first glance I don't think it is possible since JSF uses http post.
> >>
>
> So a hacker would have to use a tool besides a browser to construct the
> http post request.  But they could.


Well behaved components will skip decode/validation/update processing on
components where rendered=false, so even an attempt to maliciously set
values for disabled components *should* get ignored.

Craig


>>
> >> On 5/5/06, Dave Brondsema <dave@brondsema.net> wrote:
> >> >
> >> > Is it secure to limit access to a backing bean action simply by using
> >> > the 'rendered' attribute to control when it is displayed?  Or is it
> >> > possible for a malicious user to construct a URL that still invokes
> the
> >> > backing bean method, even when the commandButton for it is not
> rendered
> >> > for that user?
> >> >
> >> > Thanks,
> >> >
> >> > --
> >> > Dave Brondsema
> >> > Software Developer
> >> > Cornerstone University
>
> --
> Dave Brondsema
> Software Developer
> Cornerstone University

Re: security with @rendered

Posted by Dave Brondsema <da...@brondsema.net>.
Andrew Robinson wrote:
> Depends on if you are using client side or server side state.
> Technically with client side state the user can invoke any action.
> With server side state there is no way. If you are really concerned,
> add security checks to your action methods or use JBoss-Seam with EJB3
> managed security.
> 

I'm using server-side state.

> 
> On 5/5/06, Cagatay Civici <ca...@gmail.com> wrote:
>> Hi,
>>
>> At first glance I don't think it is possible since JSF uses http post.
>>

So a hacker would have to use a tool besides a browser to construct the
http post request.  But they could.

>>
>> On 5/5/06, Dave Brondsema <dave@brondsema.net> wrote:
>> >
>> > Is it secure to limit access to a backing bean action simply by using
>> > the 'rendered' attribute to control when it is displayed?  Or is it
>> > possible for a malicious user to construct a URL that still invokes the
>> > backing bean method, even when the commandButton for it is not rendered
>> > for that user?
>> >
>> > Thanks,
>> >
>> > --
>> > Dave Brondsema
>> > Software Developer
>> > Cornerstone University
>>
>


-- 
Dave Brondsema
Software Developer
Cornerstone University


Re: security with @rendered

Posted by Andrew Robinson <an...@gmail.com>.
Depends on if you are using client side or server side state.
Technically with client side state the user can invoke any action.
With server side state there is no way. If you are really concerned,
add security checks to your action methods or use JBoss-Seam with EJB3
managed security.

-Andrew

On 5/5/06, Cagatay Civici <ca...@gmail.com> wrote:
> Hi,
>
> At first glance I don't think it is possible since JSF uses http post.
>
> Cagatay
>
>
> On 5/5/06, Dave Brondsema <dave@brondsema.net> wrote:
> >
> > Is it secure to limit access to a backing bean action simply by using
> > the 'rendered' attribute to control when it is displayed?  Or is it
> > possible for a malicious user to construct a URL that still invokes the
> > backing bean method, even when the commandButton for it is not rendered
> > for that user?
> >
> > Thanks,
> >
> > --
> > Dave Brondsema
> > Software Developer
> > Cornerstone University
> >
> >
> >
> >
>
>
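A defence-in-depth pattern for the two points made in this thread (Craig's note that well-behaved components skip decode for rendered=false, and Andrew's advice to add checks inside the action method), as an added example that is not code from any of the posters: the same authorization test drives the rendered attribute and is repeated in the action method, so a hand-built POST that names the hidden button still gains nothing. The bean name userAdmin, the container role "admin" and the navigation outcome are assumptions.

```java
// Added example (not from the thread). Assumes the JSF 1.x API, a
// container-managed role named "admin", and a managed bean registered
// under the name "userAdmin" (all hypothetical).
import javax.faces.application.FacesMessage;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

public class UserAdminBean {

    /** One server-side test used by both the view and the action. */
    public boolean isAdmin() {
        ExternalContext ext = FacesContext.getCurrentInstance().getExternalContext();
        // Role check comes from the servlet container, never from the request body.
        return ext.isUserInRole("admin");
    }

    /**
     * Bound from the page as:
     *   <h:commandButton value="Delete" action="#{userAdmin.deleteUser}"
     *                    rendered="#{userAdmin.admin}" />
     * rendered=false hides the button and makes well-behaved components skip
     * decode for it; the check below is the independent second line, so the
     * outcome does not depend on component behaviour or on view-state mode.
     */
    public String deleteUser() {
        FacesContext ctx = FacesContext.getCurrentInstance();
        if (!isAdmin()) {
            ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
                    "Not authorized", null));
            // Worth logging for detection: a non-admin reaching this point
            // means a request arrived for a button that was never rendered.
            String user = ctx.getExternalContext().getRemoteUser();
            ctx.getExternalContext().log("deleteUser refused for user " + user);
            return null;   // stay on the current view; nothing is changed
        }
        // ... perform the privileged operation here ...
        return "userDeleted";   // assumed navigation outcome
    }
}
```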

Re: security with @rendered

Posted by Cagatay Civici <ca...@gmail.com>.
Hi,

At first glance I don't think it is possible since JSF uses http post.

Cagatay

On 5/5/06, Dave Brondsema <da...@brondsema.net> wrote:
>
>
> Is it secure to limit access to a backing bean action simply by using
> the 'rendered' attribute to control when it is displayed?  Or is it
> possible for a malicious user to construct a URL that still invokes the
> backing bean method, even when the commandButton for it is not rendered
> for that user?
>
> Thanks,
>
> --
> Dave Brondsema
> Software Developer
> Cornerstone University