Which properties in a JSF backing bean can be set by a user?


Question

I have a backing bean (somebean) with three boolean properties a, b, and c, each has a getter and setter.

I have a form which looks like this:

<h:outputText rendered="#{somebean.b}">
    B is true
</h:outputText>
<h:form id="blah">
  <h:inputHidden value="#{somebean.a}" id="a"/>
  <h:commandLink id="zzzz" value="do it" action="#{somebean.doIt}"/>
</h:form>

Which of the three properties a, b, and c can be set by the client? I tried adding b=true and c=true to the POST request, but SomeBean.setB(boolean) and SomeBean.setC(boolean) never get called. So perhaps only a can be set - the logic being that if there is a field in the JSF that sets it, the client is allowed to set it. But perhaps I'm wrong and it just has some default name that I don't know about that can be used to set it...

Should I just assume that any property on my bean can be set by the client? If not, which ones should I assume the client can set (and thus have to worry about during validation)?

Also what happens if I have my form conditionally rendered? e.g:

<h:outputText rendered="#{somebean.b}">
    <h:form id="blah">
      <h:inputHidden value="#{somebean.a}" id="a"/>
      <h:commandLink id="zzzz" value="do it" action="#{somebean.doIt}"/>
    </h:form>
</h:outputText>

In this case, can a still be set if b is false?

By "client", I mean anything sending HTTP traffic to my site. Which could be for example, malicious code.

Recommended answer


"Which properties in a JSF backing bean can be set by a user?"

Those bound to an EditableValueHolder component, such as UIInput (http://docs.oracle.com/javaee/6/api/javax/faces/component/UIInput.html) and friends (including <f:viewParam>!), with the precondition that they are rendered="true", disabled="false" and readonly="false" during apply request values phase.

Another possible way is through a @ManagedProperty("#{param.xxx}") on the property of a request scoped bean or a hardcoded ExternalContext#getRequestParameterMap() access in some bean method which is invoked during the HTTP request.

So, only when you as being the developer explicitly bind the property to an editable value holder component which is rendered, non-disabled/readonly, or when you as being the developer explicitly set a request parameter as a property. There are in the current releases of JSF implementations absolutely no security holes with regard to the possibility of setting undeclared/unbound properties by HTTP means. It's even not possible to send an arbitrary value to a UISelectOne or UISelectMany component by spoofing the HTTP request, it would only end up in "Validation Error: Value is not valid".

As to security holes in older JSF implementations, only and only when you're navigating to a different view using includeViewParams="true" in a Mojarra version older than 2.0.7 and 2.1.5, then all EL expressions in view params such as #{bean.setArbitraryProperty('foo')} will be evaluated. See also issue 2247. I'm not aware of any security holes in MyFaces; that's not because there are none per se, but simply because I don't use/track it closely.
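The following backing bean is an added illustration of the three client-controlled paths the answer lists (a bound editable input, @ManagedProperty("#{param.xxx}"), and ExternalContext#getRequestParameterMap()); it is not code from the question or the answer. The property names a, b, c and the action doIt come from the question; the property note, the request parameters d and token, and the business rule checked in doIt() are assumptions made up for this example.

```java
// Added example (not from the original question or answer). The view it assumes
// is constructed for this example and looks like:
//
//   <h:outputText rendered="#{somebean.b}">B is true</h:outputText>
//   <h:form id="blah">
//     <h:inputHidden value="#{somebean.a}" id="a"/>                       <!-- bound: client-settable -->
//     <h:inputText   value="#{somebean.note}" id="note" readonly="true"/>  <!-- readonly: not decoded -->
//     <h:commandLink id="zzzz" value="do it" action="#{somebean.doIt}"/>
//   </h:form>
package example;

import java.util.Map;

import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.ManagedProperty;
import javax.faces.bean.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

@ManagedBean(name = "somebean")
@RequestScoped
public class SomeBean {

    // Bound to <h:inputHidden value="#{somebean.a}">: JSF decodes the submitted
    // value during apply request values and calls setA(), so this is untrusted
    // input and must be validated server side.
    private boolean a;

    // Not bound to any EditableValueHolder: setB()/setC() are never called from a
    // request, regardless of which parameters the client appends to the POST.
    private boolean b;
    private boolean c;

    // Bound to a readonly input: rendered, but not decoded, so setNote() is not
    // called from the request either (hypothetical property).
    private String note = "read only";

    // Explicitly mapped from the request parameter "d" (hypothetical name):
    // client-settable by design. Injected as a String, so convert and validate it.
    @ManagedProperty("#{param.d}")
    private String d;

    public String doIt() {
        FacesContext ctx = FacesContext.getCurrentInstance();
        ExternalContext ec = ctx.getExternalContext();

        // Hard-coded request parameter access: only the parameters the code
        // actually reads can influence the bean. "token" is a hypothetical name.
        Map<String, String> params = ec.getRequestParameterMap();
        String token = params.get("token");

        // Server-side authorization on the client-controlled value "a". Do not rely
        // on b being false "because the client cannot set it": enforce the rule
        // explicitly. The rule itself is a constructed example.
        if (a && !b) {
            ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
                    "a may only be enabled when b is true", null));
            return null; // stay on the same view, nothing is changed
        }

        // Validate the injected request parameter before interpreting it.
        int dValue;
        try {
            dValue = (d == null || d.isEmpty()) ? 0 : Integer.parseInt(d);
        } catch (NumberFormatException e) {
            ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
                    "d must be an integer", null));
            return null;
        }

        // ... proceed with a, dValue and token, all now validated ...
        return "result";
    }

    public boolean isA() { return a; }
    public void setA(boolean a) { this.a = a; }   // called by JSF for the bound input
    public boolean isB() { return b; }
    public void setB(boolean b) { this.b = b; }   // never called from a request
    public boolean isC() { return c; }
    public void setC(boolean c) { this.c = c; }   // never called from a request
    public String getNote() { return note; }
    public void setNote(String note) { this.note = note; }
    public String getD() { return d; }
    public void setD(String d) { this.d = d; }    // called by @ManagedProperty injection
}
```

On the conditionally rendered form from the question: because the bean is request scoped, a fresh instance is created on the postback and rendered="#{somebean.b}" is re-evaluated during apply request values; when b is false, the wrapping component is not decoded, so the hidden input inside it is skipped and setA() is not called. The flip side is that b must evaluate to the same value on the postback as it did when the page was rendered, or the submitted form is silently ignored.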
