
JSF Security: bean method accessibility


I have a basic question about JSF ManagedBeans for which I can't find an answer.

Suppose I have a bean MyBean with two methods method1 and method2 and a JSF page with a command link

<h:commandLink action="#{myBean.method1}">
</h:commandLink>

Is it possible for someone to analyse the source code of the page and call method2 instead of method1?


Solution

  • Answer

    No, this is not possible by design.

    Reasoning

    Technically the client can only tell the server "The user clicked an HTML element with a certain id". This event is then processed by JSF on the server side, the component with the corresponding id is looked up, and in this case the method "#{myBean.method1}" is executed. As you can see, the client cannot[!] tell the server what to do with this event.

    Sources

    JSF 2.2 Spec - 3.4 Event and Listener Model

    Caveat
    JSF is stateful and there are multiple ways to hold this state. The default is to hold state information server-side (e.g. in the user's HttpSession).
    Another option is to transfer (encrypted) state to and from the client. This is still conceptually secure, but there *might* be bugs with client-side state saving. Such a bug *could* be exploitable to do something like you described.
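As an added illustration (not JSF's own code and not part of the answer), here is a small Python model of the dispatch the answer describes and of the state-saving caveat: the server-built view tree binds `form:link1` to method1, a postback can only name a component id (`clicked` is a constructed parameter name; `javax.faces.ViewState` is JSF's real one), so a forged `action` parameter is ignored, and client-side state is integrity-protected so a modified tree is rejected.

```python
import hashlib
import hmac
import json
import secrets

# Illustrative model of JSF command dispatch, not JSF's own code. The view
# tree built while rendering maps component client ids to method expressions.
class MyBean:
    def method1(self):
        return "method1"

    def method2(self):
        return "method2"

VIEW_TREE = {"form:link1": "#{myBean.method1}"}  # method2 is bound to nothing
SESSION = {}                                     # server-side state store
SERVER_KEY = secrets.token_bytes(32)             # key for client-side state MAC

def render_server_side_state():
    """Default: the tree stays in the session; the client gets only an opaque token."""
    token = secrets.token_hex(16)
    SESSION[token] = VIEW_TREE
    return token

def render_client_side_state():
    """Client-side saving: the tree travels with the page, authenticated by a MAC
    (real JSF also encrypts it; this model only checks integrity)."""
    body = json.dumps(VIEW_TREE).encode()
    mac = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + mac

def restore_view(view_state):
    if view_state in SESSION:
        return SESSION[view_state]
    body_hex, _, mac = view_state.partition(".")
    body = bytes.fromhex(body_hex)
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        raise ValueError("view state failed integrity check")
    return json.loads(body)

def handle_postback(post, bean):
    """Restore the tree, look up the component the client says was activated,
    and run the expression the server bound to it. The request never carries
    a method expression, so any extra 'action' parameter has no effect."""
    tree = restore_view(post["javax.faces.ViewState"])
    expression = tree.get(post.get("clicked"))   # 'clicked' is a constructed name
    if expression is None:
        return None                              # unknown component: nothing fires
    method_name = expression[len("#{myBean."):-1]
    return getattr(bean, method_name)()
```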