Neo

Reputation: 1377

JSF Security: bean method accessibility

I have a basic question about JSF ManagedBeans for which I can't find an answer.

Suppose I have a bean MyBean with two methods method1 and method2 and a JSF page with a command link

<h:commandLink action="#{myBean.method1}">
</h:commandLink>

Is it possible for someone to analyse the source code of the page and call method2 instead of method1?

Upvotes: 4

Views: 266

Answers (2)

DaniEll

Reputation: 1040

Answer

No, this is not possible by design.

Reasoning

Technically the client can only tell the server "The user clicked an HTML element with a certain id". This event is then processed by JSF on the server side, the component with the corresponding id is looked up and in this case the method "#{myBean.method1}" is executed. As you can see, the client cannot (!) tell the server what to do with this event.

Sources

JSF 2.2 Spec - 3.4 Event and Listener Model

Caveat
JSF is stateful and there are multiple ways to hold this state. The default is to hold state information server-side (e.g. in the user's HttpSession).
Another option is to transfer (encrypted) state to and from the client. This is still conceptually secure, but there *might* be bugs with client-side state saving. Such a bug *could* be exploitable to do something like you described.

Upvotes: 3

dognose

Reputation: 20909

Yes, it is always possible to modify code (or markup language) on the client side. Your "action" will be called through some forms and/or JavaScript methods - everything is visible to experienced users.

But that's not an issue of JSF-2 only - this applies for every language which allows insights from the client side.

You shouldn't apply "security through obscurity" (https://en.wikipedia.org/wiki/Security_through_obscurity) but rather make sure, that you can handle this on the server-side.

If a user who has access to two URLs modifies url1 to url2 - that's fine, why not? (It could be bookmarked.) But YOU should take care of the modified request if he is not allowed to access url2.

Upvotes: -2
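The two answers together describe the mechanism (the browser only reports which component id was activated; the method expression lives in the server-side component tree) and the consequence (any public action some page binds is reachable, so authorization belongs in the action itself). The following managed bean is an added illustration written for this page, not code from the question or either answer. The bean, form and component ids, the role name "admin", the navigation outcomes and the sketched POST body are all assumptions made for the example; the JSF 2.2 API calls (javax.faces.bean, FacesContext, ExternalContext.isUserInRole) are real.

```java
package example; // hypothetical package name chosen for this illustration

import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

/**
 * Added example, not part of the original question or answers.
 *
 * Assume the page binds only method1:
 *
 *   <h:form id="f">
 *     <h:commandLink id="link" action="#{myBean.method1}" value="Go"/>
 *   </h:form>
 *
 * On click the browser POSTs roughly this (constructed sample, field
 * names follow the standard commandLink/form renderers):
 *
 *   f=f
 *   f:link=f:link                 <- "component f:link was activated"
 *   javax.faces.ViewState=...     <- server-side token, or the (encrypted)
 *                                    client-side state, depending on the
 *                                    javax.faces.STATE_SAVING_METHOD context
 *                                    parameter ("server" or "client")
 *
 * Nothing in that request names "method1". JSF restores the component tree
 * from the ViewState, finds the component with client id "f:link" and only
 * then evaluates its action expression. Changing "f:link" to some other id
 * just fails the lookup; no component on this view carries #{myBean.method2}.
 *
 * What the client CAN do is submit any other page that does bind method2,
 * so authorization must be enforced inside the action, not by hiding links.
 */
@ManagedBean(name = "myBean")
@RequestScoped
public class MyBean {

    /** Bound from the page; any authenticated user may trigger it. */
    public String method1() {
        return "result1"; // assumed navigation outcome
    }

    /**
     * Not bound from this page, but reachable from any page that binds it.
     * The access decision is made here, on the server, for every invocation.
     */
    public String method2() {
        FacesContext ctx = FacesContext.getCurrentInstance();
        ExternalContext ext = ctx.getExternalContext();

        // "admin" is an assumed container role name for this example
        if (!ext.isUserInRole("admin")) {
            ctx.addMessage(null,
                new FacesMessage(FacesMessage.SEVERITY_ERROR, "Not allowed", null));
            return null; // stay on the current view, nothing privileged happened
        }

        // privileged work would go here
        return "result2"; // assumed navigation outcome
    }
}
```

The check lives in method2 rather than in the page so that the outcome is the same no matter which view, or which hand-crafted POST, reaches the method. If you switch to client-side state saving, the ViewState value itself becomes a client-supplied input; keep the container's encryption enabled and treat a decryption or restore failure as a rejected request, since that is the only path by which a tampered tree could ever reach the server-side lookup.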
