
I found this old and unanswered question and I am now facing the same problem.

I am currently working with JSF (PrimeFaces 5.1 and Mojarra 2.2.8) on WildFly 8.2 and I have the following scenario:
I have a form with multiple fields, including a captcha input field at the end of it.
Here is the code of my captcha field:

<p:inputText id='captcha' required='true' validator='#{bean.captchaValidator}' ... />

and here is the code of the 'submit' button:

<p:commandButton id='submit' action='#{bean.forwardPage}' />

For the 'standard case' (a common user entering and submitting his data through the given form), the validation works perfectly fine, as designed. But now let's assume a user/bot tries to hack the page and intercepts/manipulates the submitted request.

I tested it with a proxy named OWASP ZAP. After entering some random data in the form, I intercepted the submit request and I got something like:

...&form%3Alastname=Test&form%3Afirstname=User&form%3Acaptcha=bla&...

I can now easily remove the captcha param from the request, and the forward/submit will be executed without executing the captcha validation. As a workaround, I am currently executing the validation manually inside the forwardPage method, but I was wondering if anybody knows of a more generic solution for this issue.

NanSil
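One generic, server-side way to close the gap described in the question, as an added example that is not the question author's code: a JSF PhaseListener that runs before Process Validations and rejects any postback in which the captcha input decoded no submitted value, which is exactly what happens when the parameter is stripped from the request. The client id "form:captcha" is assumed from the request parameters shown above; the class name and message texts are assumptions as well.

```java
import javax.faces.application.FacesMessage;
import javax.faces.component.UIComponent;
import javax.faces.component.UIInput;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;

/**
 * Rejects any postback in which the captcha parameter is missing.
 *
 * JSF only validates a UIInput that actually decoded a submitted value: a request
 * with the "form:captcha" parameter removed leaves the submitted value null, so
 * required="true" and the validator never run. This listener checks for that
 * condition right before the Process Validations phase. (Added example; the class
 * and the client id are assumptions based on the question's markup.)
 */
public class CaptchaPresenceListener implements PhaseListener {

    // Client id of the captcha input: form id "form" + component id "captcha"
    // (assumed from the intercepted request shown in the question).
    private static final String CAPTCHA_CLIENT_ID = "form:captcha";

    @Override
    public PhaseId getPhaseId() {
        return PhaseId.PROCESS_VALIDATIONS;
    }

    @Override
    public void beforePhase(PhaseEvent event) {
        FacesContext ctx = event.getFacesContext();
        if (!ctx.isPostback()) {
            return; // the initial GET of the page carries no form data
        }
        UIComponent component = ctx.getViewRoot().findComponent(CAPTCHA_CLIENT_ID);
        if (!(component instanceof UIInput)) {
            return; // the current view has no captcha field
        }
        UIInput captcha = (UIInput) component;
        if (captcha.getSubmittedValue() == null) {
            // Apply Request Values has already run (it precedes this phase), so a
            // null submitted value means the parameter was absent from the POST body.
            captcha.setValid(false);
            ctx.addMessage(captcha.getClientId(ctx),
                new FacesMessage(FacesMessage.SEVERITY_ERROR,
                    "Captcha missing", "The captcha field was not submitted."));
            ctx.validationFailed();
            ctx.renderResponse(); // skip Update Model Values and Invoke Application
        }
    }

    @Override
    public void afterPhase(PhaseEvent event) {
        // nothing to do after validation
    }
}
```

The listener is registered in faces-config.xml under `<lifecycle><phase-listener>`. Two caveats: if the page also issues AJAX requests that deliberately exclude the captcha from `process`, the submitted value is null there too, so restrict the check to the submit button's request (for example by comparing the `javax.faces.source` request parameter against the button's client id); and the captcha answer itself must still be compared against state kept on the server (session or a server-side store), never against anything else the client sends. JSF 2.3 later added the context parameter `javax.faces.ALWAYS_PERFORM_VALIDATION_WHEN_REQUIRED_IS_TRUE`, which makes `required='true'` fire even when the parameter is absent, but that option does not exist in Mojarra 2.2.8.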