myfaces-users mailing list archives

From "Kevin Galligan"
Subject Spoofing commandLink
Date Wed, 13 Dec 2006 18:22:33 GMT
I've been wondering something for a little while now.  Some of the CRUD-style
links in my app use 'h:commandLink', with 't:updateActionListener' to
set the particular element id value for that page.  In days past I'd put the
id on the query string, so like ...


Now, obviously, you had to be careful because somebody could change the id
value manually.  With JSF, using t:updateActionListener, can somebody change
the id value sent?  If I'm 100% sure they couldn't, I could relax the access
checking a little.

Most of these links are in t:dataTable's, with preserveDataModel="true".  If
state is kept on the server, or encrypted on the client (I think you can do
that, right?), do I have to worry about the user getting access to something
they shouldn't?

Thanks in advance,
