We are using JSF 1.x with server-side state saving turned on. We have an issue where a malicious user, implemented as a web-bot, can submit a page w/o submitting all fields that are expected to be in the form. This results in some validators not being called that should be called, etc.

We would like to prevent users from being able to add/remove fields from a form and submitting the form (if they want to submit a form all expected fields must be there). In the past I have done this using an MD5 hash of the field ids on the page plus an unknown phrase saved as a hidden field on the page and a session filter that generates an expected hash given the field ids that were submitted and compares it against the value in the hidden field.

Is there anything I can do out of the box with JSF to prevent the user from manipulating a form? Or with a third-party library?
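The hidden-field scheme the question describes (hash of the rendered field ids plus a server-held phrase, recomputed by a filter from the submitted field ids) as an added, language-agnostic illustration; it is not JSF code and not code from the question or the answer. It uses HMAC-SHA256 instead of the MD5 concatenation the question mentions, so the secret cannot be brute-forced or the token extended; the secret value, the hidden field name `formIntegrity` and the field ids are constructed for the example.

```python
import hmac
import hashlib

# Constructed placeholder: in a real deployment this comes from server-side
# configuration and is never sent to the client.
SERVER_SECRET = b"constructed-server-secret-not-for-production"

# Hypothetical name of the hidden field that carries the integrity token.
TOKEN_FIELD = "formIntegrity"


def form_token(field_ids):
    """Token that binds the exact set of field ids rendered into a form.

    Ids are de-duplicated and sorted so the token does not depend on the
    order in which a browser submits the parameters. HMAC-SHA256 replaces
    the MD5(ids + phrase) construction from the question: without the key a
    client cannot compute a token for a different field set.
    """
    canonical = "\n".join(sorted(set(field_ids))).encode("utf-8")
    return hmac.new(SERVER_SECRET, canonical, hashlib.sha256).hexdigest()


def render_hidden_field(field_ids):
    """Value the page emits in the hidden field when the form is rendered."""
    return form_token(field_ids)


def check_submission(params):
    """Filter-side check: recompute the token from the submitted parameter
    names (excluding the token field itself) and compare it with the hidden
    value. Returns (ok, reason); any missing or extra field changes the
    recomputed token, so removed validators cannot be skipped this way.
    """
    token = params.get(TOKEN_FIELD)
    if token is None:
        return False, "missing integrity field"
    submitted_ids = [name for name in params if name != TOKEN_FIELD]
    expected = form_token(submitted_ids)
    # Constant-time comparison so the filter does not leak a byte-by-byte oracle.
    if not hmac.compare_digest(expected, token):
        return False, "submitted field set does not match rendered form"
    return True, "ok"


if __name__ == "__main__":
    # Constructed form: three inputs rendered with JSF-style clientIds.
    rendered = ["form:username", "form:email", "form:age"]
    token = render_hidden_field(rendered)

    intact = {"form:username": "a", "form:email": "a@example.com",
              "form:age": "30", TOKEN_FIELD: token}
    dropped = {"form:username": "a", "form:email": "a@example.com",
               TOKEN_FIELD: token}            # bot left out "form:age"
    print(check_submission(intact))           # (True, 'ok')
    print(check_submission(dropped))          # (False, '... does not match ...')
```

One caveat when applying this to a real form: browsers legitimately omit some controls from a POST (unchecked checkboxes, disabled inputs, unselected radio groups), so those ids must be left out of the hashed set or the check will reject honest submissions; the integrity check covers which fields arrive, not their values, so the per-field validators are still needed.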

+3  A: 

This should already not be possible if those fields were set explicitly with required="true". If you omit this and/or replace it by a customized validator or do the validation inside the bean action method instead, then bots will indeed be able to tamper with the form.

So to fix this, explicitly add required="true" to the required fields with a hard server-side value (and thus not e.g. required="#{not empty param.foo}" or so, where the client/bot can control param.foo). As the view state is stored at the server side, there's no way for a webbot to reveal/modify the state.

At least, that's the theory. Or it must be a very smart webbot, or maybe an (old?) bug/exploit in the JSF impl/version used in your webapp. The latest JSF 1.x can be downloaded here.

BalusC
Crud-- I just found out from the developer that he's using client-side state saving. He's changing it to server side to see if that fixes it. Like you said, one would hope that it would.
BestPractices
Personally I find it already very smart if the bot can decode the view state, modify it and encode it back. That's a lot of developer effort as well. The website in question must be undoubtedly worth it :)
BalusC
Switching to session state saving where the form has at least one required field did the trick. Thanks!
BestPractices
You're welcome.
BalusC