
JSF Security: bean method accessibility

I have a basic question about JSF ManagedBeans for which I can't find an answer.

Suppose I have a bean MyBean with two methods method1 and method2 and a JSF page with a command link

<h:commandLink action="#{myBean.method1}">
</h:commandLink>

Is it possible for someone to analyse the source code of the page and call method2 instead of method1?

Answer

No, this is not possible by design.

Reasoning

Technically the client can only tell the server "The user clicked a html element with a certain id". This event is then processed by JSF on the server-side, the component with the corresponding id is looked up and in this case the method "#{myBean.method1}" is executed. As you can see, the client can not[!] tell the server what to do with this event.

Sources

JSF 2.2 Spec - 3.4 Event and Listener Model

Caveat

JSF is stateful and there are multiple ways to hold this state. The default is to hold state information server-side (eg in the user's HttpSession).
Another option is to transfer (encrypted) state to and from the client. This is still conceptually secure, but there *might* be bugs with client side state saving. Such a bug *could* be exploitable to do something like you described.

Yes, it is always possible to modify code (or markup-language) on the client-side. Your "action" will be called through some forms and/or Javascript-Methods - everything visible to experienced users.

But that's not an issue of JSF-2 only - this applies for every language which allows insights from the client side.

You shouldn't apply "security through obscurity" (https://en.wikipedia.org/wiki/Security_through_obscurity) but rather make sure that you can handle this on the server-side.

If a user, who has access to two urls, modifies url1 to url2 - that's fine, why not? (Could be bookmarked) - But YOU should take care of the modified request, if he is not allowed to access url2.
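As an added illustration of the server-side check the second answer recommends (example code written for this page, not from either answer or from the JSF project): a hypothetical MyBean where method2 refuses to run unless the container says the caller holds an assumed "admin" role, so the decision never depends on which link the client claims to have clicked. The bean name, outcome strings and role name are assumptions.

```java
import java.io.Serializable;
import javax.faces.application.FacesMessage;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.view.ViewScoped;
import javax.inject.Named;

// Hypothetical bean for illustration; bound from the page as
// #{myBean.method1} and #{myBean.method2}.
@Named("myBean")
@ViewScoped
public class MyBean implements Serializable {

    private static final long serialVersionUID = 1L;

    // Assumed role name; it is resolved by the container's security realm,
    // never taken from a request parameter the client could edit.
    private static final String REQUIRED_ROLE = "admin";

    // Open to every user who can reach the page.
    public String method1() {
        return "page1";
    }

    // Guarded method: whether or not the page ever renders a link to it,
    // the authorization decision is made here, on the server, independent
    // of whatever markup or JavaScript the client submitted.
    public String method2() {
        if (!callerHasRole(REQUIRED_ROLE)) {
            FacesContext ctx = FacesContext.getCurrentInstance();
            ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
                    "Not authorized", null));
            return null; // stay on the current view and do nothing else
        }
        return "page2";
    }

    // Asks the container (not the request) whether the authenticated
    // principal holds the given role.
    static boolean callerHasRole(String role) {
        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
        return ec.getUserPrincipal() != null && ec.isUserInRole(role);
    }
}
```

Hiding a link with a rendered condition only controls what the page shows; the check inside method2 is what refuses a tampered request.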
