
I have a simple form in JSF like this:

<h:form>
<p:inputText id="name1" value="#{bean.name1}" maxlength="100" required="true"/>
<p:inputText id="contact1" value="#{bean.contact1}" required="true"/>
<p:commandButton 
    value="Save" 
    action="#{bean.saveForm()}" 
    validateClient="true" />
</h:form>

I tried deleting one of the input texts in the element inspector (F12 in Chrome), and it actually bypasses the 'required' validation for that field.

In my web.xml, I have included the code below, as suggested in "In JSF, What is the best way to prevent Form tampering?":

<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>server</param-value>
</context-param>

I read that JSF automatically stores the view state on the server with the above method, but it turns out I can still bypass it. Am I missing something?

Any help would be appreciated. Thanks!

Joshua H
  • As commented on your comment in the linked question, this is answered in http://stackoverflow.com/q/17773979 Is this helpful? – BalusC Mar 16 '16 at 08:28
  • Yes, certainly. Thanks @BalusC, and it's too bad that JSF only solves this using class-level validation. I was hoping for something more like CakePHP's form tampering protection (which hashes the number of input fields + hidden fields). But again, thank you so much – Joshua H Mar 16 '16 at 08:41
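
The field-set hashing idea mentioned in the last comment, sketched in plain Java as an added example (not code from the post, from JSF, or from CakePHP). The class `FormFieldGuard`, the hidden-field name `_fields`, and the sample postback maps are assumptions made for illustration; a real JSF postback also carries framework parameters that would need to be excluded from the comparison.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;

// Hypothetical helper, not a JSF or CakePHP API.
public class FormFieldGuard {
    static final String TOKEN_FIELD = "_fields"; // assumed hidden-field name
    private final byte[] key;

    FormFieldGuard(byte[] key) { this.key = key.clone(); }

    // Render time: HMAC-SHA256 over the form id and the sorted field names.
    String issueToken(String formId, Collection<String> fieldNames) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        mac.update(formId.getBytes(StandardCharsets.UTF_8));
        for (String name : new TreeSet<>(fieldNames)) {
            mac.update((byte) 0); // separator so {"ab","c"} differs from {"a","bc"}
            mac.update(name.getBytes(StandardCharsets.UTF_8));
        }
        return Base64.getUrlEncoder().withoutPadding().encodeToString(mac.doFinal());
    }

    // Postback: recompute over the names actually received, compare in constant time.
    boolean verify(String formId, Map<String, String> submitted) throws Exception {
        String token = submitted.get(TOKEN_FIELD);
        if (token == null) return false; // token itself was stripped
        Set<String> names = new TreeSet<>(submitted.keySet());
        names.remove(TOKEN_FIELD);
        byte[] expected = issueToken(formId, names).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, token.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key); // server-side secret, never sent to the client
        FormFieldGuard guard = new FormFieldGuard(key);
        String token = guard.issueToken("form", List.of("name1", "contact1"));

        // Constructed sample postbacks.
        Map<String, String> intact = new HashMap<>(
                Map.of("name1", "Ann", "contact1", "555", TOKEN_FIELD, token));
        Map<String, String> tampered = new HashMap<>(intact);
        tampered.remove("contact1"); // field deleted in the element inspector
        System.out.println("intact accepted:   " + guard.verify("form", intact));
        System.out.println("tampered accepted: " + guard.verify("form", tampered));
    }
}
```

A check like this only detects added or removed fields; the values themselves still need server-side validation before `saveForm()` acts on them.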

0 Answers