rendered attribute and actions
If a component has rendered set to false, can it still perform an action? In other words, if I have a button which does something which I don't render for unauthenticated users, is there any way they will be able to save the HTML to disk, and modify the various form elements to perform that unauthorized action?
By johnpeeba at 2007-11-27 9:47:47

# 2
If you are depending on not rendering elements as security to prevent users from executing unauthorized requests, your application is not very secure. A sufficiently knowledgeable person can craft any request. You should always re-run your security checks again on the server side upon receiving the request.
# 3
@RaymondDeCamo
I understand that this is true for most languages, e.g. PHP, however I was wondering if the server would still execute the action if the button that was bound to it had its rendered attribute set to false. It seems like the JSF people would put in that kind of functionality. In other words, are you sure JSF doesn't run the server-side checks itself?
@BalusC
I know the person won't be able to click on the button, but could they add in their own custom HTML into the form to perform the action?
# 4
> I know the person won't be able to click on the
> button, but could they add in their own custom HTML
> into the form to perform the action?
No. Unless you're using client-side languages for security checks. Or if the condition which was used for the rendered attribute can be changed from the client side (e.g. another login user name + password). But that's foreseeable.
# 5
> @RaymondDeCamo
> I understand that this is true for most languages, e.g.
> PHP, however I was wondering if the server would
> still execute the action if the button that was bound
> to it had its rendered attribute set to false. It
> seems like the JSF people would put in that kind of
> functionality. In other words, are you sure JSF
> doesn't run the server-side checks itself?
I suppose that is possible.
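
Added example, not written by any poster in this thread: a sketch of the server-side re-check advised in reply #2, where the action method verifies the role itself instead of relying on the button having been hidden. The bean, its property names, the role name `admin`, and the navigation outcomes are assumptions, and it presumes container-managed authentication so that `isUserInRole` reflects the logged-in user.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Logger;
import javax.faces.application.FacesMessage;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

// Hypothetical backing bean (all names are assumptions) for a button such as:
//   <h:commandButton value="Delete" action="#{accountBean.delete}"
//                    rendered="#{accountBean.admin}" />
public class AccountBean {
    private static final Logger LOG = Logger.getLogger(AccountBean.class.getName());
    private static final String ADMIN_ROLE = "admin"; // assumed role name

    private final List<String> accounts = new ArrayList<String>();
    private String selectedAccount;

    // Backs the rendered attribute. Evaluated on the server from the
    // container-authenticated user, not from anything the client submits.
    public boolean isAdmin() {
        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
        return ec.isUserInRole(ADMIN_ROLE);
    }

    // Action method: repeats the authorization check itself, so the outcome
    // does not depend on whether the button was rendered in the page.
    public String delete() {
        FacesContext fc = FacesContext.getCurrentInstance();
        if (!isAdmin()) {
            // Record the refused attempt so it can be reviewed later.
            LOG.warning("Denied delete for user " + fc.getExternalContext().getRemoteUser());
            fc.addMessage(null,
                new FacesMessage(FacesMessage.SEVERITY_ERROR, "Not authorized", null));
            return "denied"; // assumed navigation outcome
        }
        accounts.remove(selectedAccount);
        return "deleted"; // assumed navigation outcome
    }

    public List<String> getAccounts() { return accounts; }
    public String getSelectedAccount() { return selectedAccount; }
    public void setSelectedAccount(String selectedAccount) {
        this.selectedAccount = selectedAccount;
    }
}
```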