JSF Security: bean method accessibility
I have a basic question about JSF ManagedBeans for which I can't find an answer.
Suppose I have a bean MyBean with two methods method1 and method2 and a JSF page with a command link
<h:commandLink action="#{myBean.method1}">
</h:commandLink>
Is it possible for someone to analyse the source code of the page and call method2 instead of method1?
No, this is not possible by design.
Technically the client can only tell the server "The user clicked an html element with a certain id". This event is then processed by JSF on the server-side, the component with the corresponding id is looked up and in this case the method "#{myBean.method1}" is executed. As you can see, the client can not[!] tell the server what to do with this event.
JSF 2.2 Spec - 3.4 Event and Listener Model
Yes, it is always possible to modify code (or markup-language) on the client-side. Your "action" will be called through some forms and/or Javascript-Methods - everything visible to experienced users.
But that's not an issue of JSF-2 only - this applies for every language which allows insights from the client side.
You shouldn't apply "security through obscurity" ( https://en.wikipedia.org/wiki/Security_through_obscurity ) but rather make sure that you can handle this on the server-side.
If a user who has access to two urls modifies url1 to url2 - that's fine, why not? (Could be bookmarked) - But YOU should take care of the modified request if he is not allowed to access url2.
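As an added example (not code from the question or from either answer), here is a JSF bean that follows both answers above: the page binds only the component's own action, and method2 still enforces the user's role on the server instead of relying on the admin link being hidden. The role name "admin", the navigation outcomes and the CDI annotations are assumptions for illustration.

```java
/* Page (Facelets), with the admin link hidden but not relied upon for security:
   <h:form>
     <h:commandLink value="Do 1" action="#{myBean.method1}"/>
     <h:commandLink value="Do 2" action="#{myBean.method2}" rendered="#{myBean.admin}"/>
   </h:form>
*/
import javax.enterprise.context.RequestScoped;
import javax.faces.application.FacesMessage;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.inject.Named;

@Named("myBean")
@RequestScoped
public class MyBean {

    // Bound from the page as action="#{myBean.method1}"; any authenticated user may call it.
    public String method1() {
        return "result1";                // assumed navigation outcome
    }

    // Bound as action="#{myBean.method2}". The client can only report "component X
    // was clicked"; JSF resolves the bound action on the server. Even so, the
    // method re-checks the role itself rather than trusting that the link was
    // never rendered for this user (a modified request is the server's problem).
    public String method2() {
        FacesContext ctx = FacesContext.getCurrentInstance();
        ExternalContext ext = ctx.getExternalContext();
        if (!ext.isUserInRole("admin")) { // container-managed role; name is assumed
            ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
                    "Not authorized", null));
            return "accessDenied";       // assumed navigation outcome
        }
        return "result2";                // assumed navigation outcome
    }

    // Used by the page as rendered="#{myBean.admin}" to hide the admin link.
    // JSF skips decoding of non-rendered components, but that is a usability
    // measure here; the check inside method2() is the actual authorization.
    public boolean isAdmin() {
        return FacesContext.getCurrentInstance().getExternalContext().isUserInRole("admin");
    }
}
```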