
I figured out that my bean validation does not work for model properties which are not tied to the view.

Model:

@NotNull
private String name;

public String submit() {
    ...
}

View:

<h:form>
  <h:inputText type="*" value="#{myBean.name}" />
  <h:commandButton type="submit" value="name" action="#{myBean.submit}" />
</h:form>

So if someone tries to call the function without the parameter "name", the bean does not validate the attribute and calls the method "submit".

<h:form>
  <h:commandButton type="submit" value="Name" action="#{myBean.submit}" />
</h:form>

So the question is how I can protect my bean so that the code in submit is not executed if someone tampers with the XHTML and does not transfer "name".

Maybe someone can help me :)

Dennis
  • How should it know it needs to be validated if the input is not there? And your second example is a design issue, not an end-user issue. Or do you mean someone tries to tamper with the request? – Kukeltje Nov 20 '15 at 10:43
  • Yes, I mean if someone tries to tamper with the request. – Dennis Nov 20 '15 at 10:44
  • Your question boils down to this: http://stackoverflow.com/q/27781202 Is this acceptable as dupe? That said, if you're using JPA as persistence framework, it will also recheck it during persist. So the tamper will ultimately still fail. – BalusC Nov 20 '15 at 10:49
  • Thanks for your help. Well, I would expect that JSF has a functionality that lets me annotate attributes so that, even if they are not transferred by a request, they are validated in case of manipulation. So I think I have to validate them in the method again, which means that the annotations are not really useful. Otherwise there is maybe another framework which can do this. I'm new to JSF, but this does not look really helpful to me if you want to develop safety-relevant functionality :( That also means that @NotNull doesn't work for validation in this case. – Dennis Nov 20 '15 at 11:58
  • Your underlying question then boils down to this: http://stackoverflow.com/q/17773979 It's not the responsibility of JSF to validate non-view-tied constraints and would break a lot of things. If you want to validate model-tied constraints, use JPA and/or SQL. – BalusC Nov 20 '15 at 12:14
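
Added example, not part of the original question or comments: one way to re-run the bean's own constraint annotations inside the action method, so that `submit` refuses to continue when "name" never arrived in the request. It assumes a JSF 2.x managed bean with the `javax.validation` API and a provider on the classpath; the class name `MyBean`, the scope and the `"success"` outcome are hypothetical.

```java
import java.util.Set;
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.FacesContext;
import javax.validation.ConstraintViolation;
import javax.validation.Validation;
import javax.validation.Validator;
import javax.validation.constraints.NotNull;

@ManagedBean          // default bean name is "myBean", as used in the view
@RequestScoped        // assumption: the scope is not given in the question
public class MyBean {

    // Validator instances are thread-safe, so one shared instance is enough.
    private static final Validator VALIDATOR =
            Validation.buildDefaultValidatorFactory().getValidator();

    @NotNull
    private String name;

    public String submit() {
        // The view-driven validation described in the question did not run
        // for a missing "name", so check the whole model again here.
        Set<ConstraintViolation<MyBean>> violations = VALIDATOR.validate(this);
        if (!violations.isEmpty()) {
            FacesContext context = FacesContext.getCurrentInstance();
            for (ConstraintViolation<MyBean> violation : violations) {
                // Global message: there may be no input component to attach it to.
                context.addMessage(null, new FacesMessage(
                        FacesMessage.SEVERITY_ERROR,
                        violation.getPropertyPath() + " " + violation.getMessage(),
                        null));
            }
            return null; // stay on the current view; business logic is skipped
        }
        // The original body of submit() (elided in the question) goes here
        // and now only runs for a model that satisfies its constraints.
        return "success"; // hypothetical navigation outcome
    }

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
}
```

The same `@NotNull` annotation is also enforced at persist time when the property lives on a JPA entity, as the comments point out, so this check is a second gate in front of the action logic rather than a replacement for that one.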
