Which properties in a JSF backing bean can be set by a user?
Question
I have a backing bean (somebean) with three boolean properties a, b, and c, each of which has a getter and setter.
I have a form which looks like this:
<h:outputText rendered="#{somebean.b}">
B is true
</h:outputText>
<h:form id="blah">
<h:inputHidden value="#{somebean.a}" id="a"/>
<h:commandLink id="zzzz" value="do it" action="#{somebean.doIt}"/>
</h:form>
Which of the three properties a, b, and c can be set by the client? I tried adding b=true and c=true to the POST request, but SomeBean.setB(boolean) and SomeBean.setC(boolean) never get called. So perhaps only a can be set - the logic being that if there is a field in the JSF that sets it, the client is allowed to set it. But perhaps I'm wrong and it just has some default name that I don't know about that can be used to set it...
Should I just assume that any property on my bean can be set by the client? If not, which ones should I assume the client can set (and thus have to worry about during validation)?
Also, what happens if I have my form conditionally rendered? e.g.:
<h:outputText rendered="#{somebean.b}">
<h:form id="blah">
<h:inputHidden value="#{somebean.a}" id="a"/>
<h:commandLink id="zzzz" value="do it" action="#{somebean.doIt}"/>
</h:form>
</h:outputText>
In this case, can a still be set if b is false?
By "client", I mean anything sending HTTP traffic to my site, which could be, for example, malicious code.
Accepted answer
Which properties in a JSF backing bean can be set by a user?
Those bound to an EditableValueHolder component, such as UIInput (http://docs.oracle.com/javaee/6/api/javax/faces/component/UIInput.html) and friends (including <f:viewParam>!), with the precondition that they are rendered="true", disabled="false" and readonly="false" during the apply request values phase.
Another possible way is through a @ManagedProperty("#{param.xxx}") on the property of a request scoped bean, or a hardcoded ExternalContext#getRequestParameterMap() access in some bean method which is invoked during the HTTP request.
So, only when you as the developer explicitly bind the property to an editable value holder component which is rendered and non-disabled/readonly, or when you as the developer explicitly set a request parameter as a property. There are in the current releases of JSF implementations absolutely no security holes with regard to the possibility of setting undeclared/unbound properties by HTTP means. It's not even possible to send an arbitrary value to a UISelectOne or UISelectMany component by spoofing the HTTP request; it would only end up in "Validation Error: Value is not valid".
As to security holes in older JSF implementations, only when you're navigating to a different view using includeViewParams="true" in a Mojarra version older than 2.0.7 and 2.1.5 will all EL expressions in view params such as #{bean.setArbitraryProperty('foo')} be evaluated. See also issue 2247. I'm not aware of any security holes in MyFaces; that's not because there are none per se, but simply because I don't use/track it closely.
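A static audit of the rule given in the answer, added here as an example (it is not code from the question or the answer): it walks a Facelets view and lists every EL value binding a request can still decode, honouring the rendered/disabled/readonly preconditions and the conditional rendering of ancestors, and reports EL-valued attributes as runtime conditions because they cannot be resolved statically. The set of tags treated as EditableValueHolder components is an assumption, and the @ManagedProperty / getRequestParameterMap() paths from the answer live in bean code and are out of its scope.

```python
import xml.etree.ElementTree as ET
H, F = "http://java.sun.com/jsf/html", "http://java.sun.com/jsf/core"  # standard taglib URIs
# Approximation of EditableValueHolder components (assumption: not exhaustive; custom ones are missed).
EDITABLE = {f"{{{H}}}{t}" for t in ("inputText", "inputHidden", "inputSecret", "inputTextarea",
            "selectOneMenu", "selectOneRadio", "selectManyCheckbox", "selectBooleanCheckbox")}
EDITABLE.add(f"{{{F}}}viewParam")

def _flag(elem, name, default):
    """True/False for a literal attribute, the EL string if it is decided at runtime."""
    v = elem.get(name, "").strip().lower()
    if not v:
        return default
    return v == "true" if v in ("true", "false") else elem.get(name)

def client_settable(xhtml):
    """Map each EL value binding the client can decode to the EL rendered/disabled/readonly
    conditions that must hold during apply request values ([] = unconditionally settable)."""
    result = {}
    def walk(elem, conds):
        rendered = _flag(elem, "rendered", True)
        if rendered is False:
            return  # literal rendered="false": the whole subtree is never decoded
        if rendered is not True:
            conds = conds + [f"rendered={rendered}"]
        if elem.tag in EDITABLE and elem.get("value"):
            local = list(conds)
            for attr in ("disabled", "readonly"):
                v = _flag(elem, attr, False)
                if v is True:
                    break  # literally disabled/readonly: the submitted value is ignored
                if v is not False:
                    local.append(f"{attr}={v}")
            else:  # loop not broken: the binding is reachable
                result[elem.get("value")] = local
        for child in elem:
            walk(child, conds)
    walk(ET.fromstring(xhtml), [])
    return result

# Constructed sample: the conditionally rendered form from the question, plus a read-only
# input bound to c, which must therefore not appear in the result.
VIEW = f"""<ui:composition xmlns:ui="http://java.sun.com/jsf/facelets" xmlns:h="{H}" xmlns:f="{F}">
  <h:outputText rendered="#{{somebean.b}}">
    <h:form id="blah">
      <h:inputHidden value="#{{somebean.a}}" id="a"/>
      <h:commandLink id="zzzz" value="do it" action="#{{somebean.doIt}}"/>
    </h:form>
  </h:outputText>
  <h:inputText value="#{{somebean.c}}" readonly="true"/>
</ui:composition>"""
```

For the sample view the result is only a, and only while #{somebean.b} evaluates to true; b and c never appear, matching the answer.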