In JSF, what is the best way to prevent form tampering?


Question


We are using JSF 1.x with server-side state saving turned on. We have an issue where a malicious user, implemented as a web-bot, can submit a page w/o submitting all fields that are expected to be in the form. This results in some validators not being called that should be called, etc.


We would like to prevent users from being able to add/remove fields from a form and submitting the form (if they want to submit a form all expected fields must be there). In the past I have done this using an MD5 hash of the field ids on the page plus an unknown phrase saved as a hidden field on the page and a session filter that generates an expected hash given the field ids that were submitted and compares it against the value in the hidden field.


Is there anything I can do out of the box with JSF to prevent the user from manipulating a form? Or with a third-party library?
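The following is an added example, not code from the question or the answer, of the field-set integrity check the asker describes, with one substitution named plainly: instead of MD5 over the field ids plus a secret phrase, it uses HMAC-SHA256 with a key that never leaves the server. The class name `FormFieldSetToken`, the hidden-field name `fieldSetToken`, the key bytes and the sample field ids are all constructed for the demo; the `Map<String, String[]>` shape mirrors what `HttpServletRequest.getParameterMap()` returns, so `fieldSetIntact` is what a servlet filter would call.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not from the question or answer): a field-set integrity token
 * in the spirit of the asker's hash-of-field-ids scheme, but using HMAC-SHA256
 * with a server-side key instead of MD5 over the ids plus a secret phrase.
 */
public class FormFieldSetToken {

    /** Name of the hidden field that carries the token (hypothetical). */
    public static final String TOKEN_PARAM = "fieldSetToken";

    /** HMAC-SHA256 over the sorted, comma-joined field ids, hex encoded. */
    public static String computeToken(List<String> fieldIds, byte[] key) {
        List<String> sorted = new ArrayList<>(fieldIds);
        Collections.sort(sorted);                       // canonical order
        String canonical = String.join(",", sorted);
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            byte[] digest = mac.doFinal(canonical.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HMAC unavailable", e);
        }
    }

    /**
     * Recompute the token from the field ids actually submitted (every parameter
     * except the token itself) and compare it to the presented token in constant time.
     * A submission with a field added or removed yields a different token.
     */
    public static boolean fieldSetIntact(Map<String, String[]> params, byte[] key) {
        String[] presented = params.get(TOKEN_PARAM);
        if (presented == null || presented.length != 1) {
            return false;                               // token missing or duplicated
        }
        List<String> submittedIds = new ArrayList<>(params.keySet());
        submittedIds.remove(TOKEN_PARAM);
        String expected = computeToken(submittedIds, key);
        return MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            presented[0].getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed demo key; in a deployment this lives only on the server.
        byte[] key = "constructed-demo-key-keep-server-side".getBytes(StandardCharsets.UTF_8);

        // Field ids the rendered page contains (constructed sample).
        List<String> rendered = Arrays.asList("form:username", "form:email", "form:age");
        String token = computeToken(rendered, key);

        // Honest submission: all rendered fields plus the hidden token.
        Map<String, String[]> good = new HashMap<>();
        good.put("form:username", new String[]{"alice"});
        good.put("form:email", new String[]{"alice@example.com"});
        good.put("form:age", new String[]{"30"});
        good.put(TOKEN_PARAM, new String[]{token});

        // The scenario from the question: a bot posts the form without "form:age".
        Map<String, String[]> tampered = new HashMap<>(good);
        tampered.remove("form:age");

        System.out.println("complete form accepted:  " + fieldSetIntact(good, key));
        System.out.println("field removed accepted:  " + fieldSetIntact(tampered, key));
    }
}
```

Two practical caveats when wiring this into a real JSF request. The list hashed at render time must be built the same way the filter rebuilds it from the posted parameters, so the form's own id parameter and `javax.faces.ViewState` either go into both computations or are excluded from both. And browsers omit unchecked checkboxes from the post entirely, so a form containing one has to be rendered with that field excluded from the token (or the filter has to tolerate its absence) or honest submissions will be rejected.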

Answer


In JSF 1.x that should already not be possible if those fields were set explicitly with required="true". If you omit this and/or replace it by a customized validator or do the validation inside the bean action method instead, then bots will indeed be able to tamper with the form.


So to fix this, explicitly add required="true" to the required fields with a hard server-side value (and thus not e.g. required="#{not empty param.foo}" or so, where the client/bot can control param.foo). As the view state is stored at the server side, there's no way for a webbot to reveal/modify the state.


At least, that's the theory. Or it must be a very smart webbot, or maybe an (old?) bug/exploit in the JSF impl/version used in your webapp. The latest JSF 1.x can be downloaded here.


Update: for a JSF 2.x targeted answer, head to Validator skipped when input is removed in client – is this as per JSF specification? In a nutshell, it's possible in JSF 2.x, and this can (is supposed to) be guarded by putting bean validation or DB constraints.

