JSF f:event是否可以安全传递参数? [英] JSF f:event safe to pass parameters?

问题描述

我是JSF的新手，所以我对某些标签的了解不是很好. 而且我想知道在这种情况下传递参数的安全性:

I'm new in JSF so my knowledge about some tags it is not so good. And I'd like to know how safe is to pass a parameter in this case:

<f:event listener="#{backBean.myMethod(**param**)}" type="preRenderView"/> 

因为，当我要传递此参数"时，用户无法访问此信息(更改此值表示安全漏洞，并且不会发生).所以我要问这个问题，以了解是否可以使用此事件来破坏此代码(传递另一个参数)?

Because, as I'm going to pass this "param", the users can't acess this information (changing this value mean a security flaw, and this can not happen). So I'm asking this to know if using this event is it possible to break this code (passing another param)?

谢谢！

推荐答案

如果最终用户无法控制param值，那么您很安全.就那么简单.您直接或间接(通过JSF或从DB！)从HttpServletRequest中提取的任何内容都受到最终用户的完全控制.

If the param value cannot be controlled by the enduser, then you're safe. Simple as that. Anything which you directly or indirectly (through JSF or from the DB!) extract from the HttpServletRequest falls under full control of the enduser.

因此，例如，如果您对其进行硬编码，

So if you for example hardcode it,

<f:event listener="#{backBean.myMethod('foo')}" type="preRenderView"/> 

那么您就安全了.

但是，如果您传递了用户控制的请求参数，

But if you pass an user-controlled request parameter,

<f:event listener="#{backBean.myMethod(param.foo)}" type="preRenderView"/> 

那么只有在服务器端验证其值时，您才是安全的.

then you're only safe if you validate its value in the server side.

这篇关于JSF f:event是否可以安全传递参数?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！