We are using JSF 1.x with server state preservation enabled. We have a problem where an attacker implemented as a web bot can send a page without sending all the fields that are expected to be in the form. This causes some validators not to be called, which should be called, etc.
We would like users to not be able to add / remove fields from the form and submit the form (if they want to submit the form, all the most expected fields will be there). I used to do this using the MD5 hash of the field IDs on the page plus an unknown phrase stored as a hidden field on the page, and a session filter that generates the expected hash based on the field IDs that were sent and compares them with the value in the hidden field.
Is there anything I can do out of the box with JSF so that the user cannot manipulate the form? Or with a third-party library?
JSF 1.x , required="true". / bean, .
required="true"
, , required="true" (, , , , required="#{not empty param.foo}" , / param.foo). , - / .
required="#{not empty param.foo}"
param.foo
, . webbot , , (?) / JSF impl/version, webapp. JSF 1.x .
: JSF 2.x, Validator, - JSF? , JSF 2.x, ( ) , bean DB.
Source: https://habr.com/ru/post/1730889/More articles:PHP, Запретить удаление ведущих нулей - mathРасчет часов, потраченных с использованием COCOMO 2 - project-managementWhy does the SqlException thrown by SqlCommand.ExecuteNonQuery contain all the PRINT as errors? - sqlUnix Software Console Against Something Else - c ++How to update browser field - javascriptSymfony Propel Pager - what is the right way to send a custom MySQL query? - mysqlFlash webcam settings on macbook (and possibly other cameras) - flashReading MSI file using Java - javaCode exchange between Android applications - androidHow to reliably get location on iPhone - iphoneAll Articles