Filippo

Reputation: 1159

Are server side checks necessary using JSF?

In a JSF page a select is populated based on the logged-in user's privileges. The aziende4ReportList contains only data related to the logged-in user:

    <h:selectOneMenu id="comboAziende" value="#{provaController.azienda}" required="true">
        <f:selectItems value="#{provaController.aziende4ReportList}" />
    </h:selectOneMenu>

I thought the data sent to the server with the POST could be tampered with, so I did a check by sending a value outside the list and I got a validation error. Can I be sure JSF checks the incoming data, accepting only values that can be inserted in the form it produced previously?

Upvotes: 1

Views: 85

Answers (1)

BalusC

Reputation: 1108702

Can I be sure JSF checks the incoming data, accepting only values that can be inserted in the form it produced previously?

That's correct. Tampering with the request using an unlisted dropdown list value would only result in "Validation Error: Value is not valid". It's not only that: JSF also re-checks all disabled and rendered attributes during postback. So even if one used JavaScript to manipulate the disabled attribute, or used the browser's built-in HTML DOM editor to manipulate the HTML elements, it would still not pass, as it's not valid according to the JSF view state.

Your question title is, by the way, confusing, so I'll ignore that part for now. To the point: server side checks are absolutely necessary, no excuses, and this is regardless of the server side language/framework used. However, JSF already does a lot of them, including XSS and CSRF.

Upvotes: 2
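As an added example (not code from the original question or answer), here is a managed bean for the page above that shows where the two layers the answer describes sit: the select list is built server-side from the logged-in user's privileges, so the automatic UISelectOne validation can only accept an id this user was actually offered, and the action method re-checks the chosen id against the same allowed set as defence in depth. Assumed for illustration: JSF 2.2+ with CDI, container-managed authentication (getRemoteUser() / isUserInRole()), and a hypothetical AziendaService that knows which companies (aziende) a user may report on.

```java
// Added example, not code from the original question or answer. Assumed: JSF 2.2+ with
// CDI, container-managed authentication (getRemoteUser()), and a hypothetical
// AziendaService that knows which companies (aziende) a user may report on.
import java.io.Serializable;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.annotation.PostConstruct;
import javax.faces.application.FacesMessage;
import javax.faces.context.FacesContext;
import javax.faces.model.SelectItem;
import javax.faces.view.ViewScoped;
import javax.inject.Inject;
import javax.inject.Named;

@Named("provaController")
@ViewScoped // the bean, and with it the allowed list, must survive the postback
public class ProvaController implements Serializable {

    /** Hypothetical service: returns id -> display name for the companies this user may use. */
    public interface AziendaService {
        Map<String, String> findAllowedFor(String user);
    }

    @Inject
    private AziendaService aziendaService;

    /** Options offered to this user only; JSF validates the submitted value against these. */
    private List<SelectItem> aziende4ReportList;

    /** The same ids as the list, kept for the explicit check in the action method. */
    private Map<String, String> allowed;

    /** The selected company id (bound to the h:selectOneMenu value). */
    private String azienda;

    /** Drives rendered="#{provaController.admin}" on admin-only inputs; JSF re-evaluates it on postback. */
    private boolean admin;

    @PostConstruct
    public void init() {
        FacesContext ctx = FacesContext.getCurrentInstance();
        String user = ctx.getExternalContext().getRemoteUser();
        admin = ctx.getExternalContext().isUserInRole("admin");

        // Build the list from server-side data only: nothing in the request decides what is offered.
        allowed = new LinkedHashMap<>(aziendaService.findAllowedFor(user));
        aziende4ReportList = new ArrayList<>();
        for (Map.Entry<String, String> e : allowed.entrySet()) {
            aziende4ReportList.add(new SelectItem(e.getKey(), e.getValue()));
        }
    }

    /**
     * Action for the submit button. By the time it runs, UISelectOne has already rejected any
     * submitted value that is not one of aziende4ReportList ("Validation Error: Value is not valid").
     * The explicit check below is defence in depth: it does not depend on the component tree and
     * still holds if this method is ever reached some other way.
     */
    public String runReport() {
        if (!isAllowed(azienda)) {
            FacesContext.getCurrentInstance().addMessage(null,
                new FacesMessage(FacesMessage.SEVERITY_ERROR, "Azienda not permitted for this user", null));
            return null; // stay on the same page and show the message
        }
        // ... generate the report for the selected company ...
        return "report";
    }

    /** Plain authorization check, reusable from other callers and from unit tests. */
    public boolean isAllowed(String aziendaId) {
        return aziendaId != null && allowed != null && allowed.containsKey(aziendaId);
    }

    public List<SelectItem> getAziende4ReportList() { return aziende4ReportList; }
    public String getAzienda() { return azienda; }
    public void setAzienda(String azienda) { this.azienda = azienda; }
    public boolean isAdmin() { return admin; }
}
```

Two practical notes on the design. The automatic re-check of the select items and of the rendered/disabled attributes is done against the restored view, so the bean that backs them has to be alive on the postback (hence @ViewScoped here; a request-scoped bean would rebuild the list, which still works but rebuilds it from the same server-side data). And because that re-check relies on the view state, keep the default server-side state saving, or, with client-side state saving, make sure the state is encrypted (the default since JSF 2.2), otherwise the state itself becomes a tamperable part of the request.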
