We are using JSF 1.x with server-side state saving turned on. We have an issue where a malicious user, implemented as a web-bot, can submit a page w/o submitting all fields that are expected to be in the form. This results in some validators not being called that should be called, etc.
We would like to prevent users from being able to add/remove fields from a form and submitting the form (if they want to submit a form all expected fields most be there). In the past I have done this using an MD5 hash of the field ids on the page plus an unknown phrase saved as a hidden field on the page and a session filter that generates an expected hash given the field ids that were submitted and compares it against the value in the hidden field.
Is there anything I can do out of the box with JSF to prevent the user from manipulating a form? Or with a third-party library?
In JSF 1.x should already not be possible if those fields were set explicitly with
required="true". If you omit this and/or replace by a customized validator or do the validation inside bean action method instead, then bots will indeed be able to tamper the form.So to fix this, add explicitly
required="true"to the required fields with a hard server-side value (and thus not e.g.required="#{not empty param.foo}"or so where the client/bot can control theparam.foo). As the view state is stored at the server side, there’s no way for a webbot to reveal/modify the state.At least, that’s the theory. Or it must be a very smart webbot or maybe a (old?) bug/exploit in the JSF impl/version used in your webapp. The latest JSF 1.x can be download here.
Update: for a JSF 2.x targeted answer, head to Validator skipped when input is removed in client – is this as per JSF specification? In a nutshell, it’s possible in JSF 2.x, and this can (is supposed to) be guarded by putting bean validation or DB constraints.