Which properties in a JSF backing bean can the user set?

Question

I have a backing bean (somebean) with three boolean properties a, b, and c, each with a getter and setter. I have a form which looks like this:

```xml
<h:outputText rendered="#{somebean.b}"> B is true</h:outputText>
<h:form id="blah">
    <h:inputHidden value="#{somebean.a}" id="a"/>
    <h:commandLink id="zzzz" value="do it" action="#{somebean.doIt}"/>
</h:form>
```

Which of the three properties a, b, and c can be set by the client? I tried adding b=true and c=true to the POST request, but SomeBean.setB(boolean) and SomeBean.setC(boolean) never get called. So perhaps only a can be set, the logic being that if there is a field in the JSF that sets it, the client is allowed to set it. But perhaps I'm wrong and it just has some default name that I don't know about that can be used to set it...

Should I just assume that any property on my bean can be set by the client? If not, which ones should I assume the client can set (and thus have to worry about during validation)?

Also, what happens if I have my form conditionally rendered? e.g.:

```xml
<h:outputText rendered="#{somebean.b}">
    <h:form id="blah">
        <h:inputHidden value="#{somebean.a}" id="a"/>
        <h:commandLink id="zzzz" value="do it" action="#{somebean.doIt}"/>
    </h:form>
</h:outputText>
```

In this case, can a still be set if b is false?

By "client", I mean anything sending HTTP traffic to my site, which could be, for example, malicious code.

Answer

Those bound to an EditableValueHolder component, such as UIInput and friends (including <f:viewParam>!), with the precondition that they are rendered="true", disabled="false" and readonly="false" during the apply request values phase.

Another possible way is through a @ManagedProperty("#{param.xxx}") on the property of a request scoped bean, or a hardcoded ExternalContext#getRequestParameterMap() access in some bean method which is invoked during the HTTP request.

So, only when you as the developer explicitly bind the property to an editable value holder component which is rendered and not disabled/readonly, or when you as the developer explicitly set a request parameter as a property. There are in the current releases of JSF implementations absolutely no security holes with regard to the possibility of setting undeclared/unbound properties by HTTP means. It is not even possible to send an arbitrary value to a UISelectOne or UISelectMany component by spoofing the HTTP request; it would only end up in "Validation Error: Value is not valid".

As to security holes in older JSF implementations: only when you're navigating to a different view using includeViewParams="true" in a Mojarra version older than 2.0.7 and 2.1.5, all EL expressions in view params such as #{bean.setArbitraryProperty('foo')} will be evaluated. See also issue 2247. I'm not aware of any security holes in MyFaces; that's not because there are none per se, but simply because I don't use/track it closely.
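The bean below is an added example, not code from the question or the answer, showing the three channels the answer names side by side for the question's own bean and facelet: a property bound to an EditableValueHolder (a), a property that is only read by a rendered attribute (b), and a property explicitly mapped from a request parameter (c), plus an action method that reads the raw parameter map. It assumes JSF 2.x with the javax.faces.bean managed-bean annotations (the generation of Mojarra the answer refers to); the package name, the "extra" parameter and the "success" navigation outcome are hypothetical.

```java
// Added example, not from the question or answer. Assumes JSF 2.x managed-bean
// annotations; package name, "extra" parameter and "success" outcome are hypothetical.
package com.example.jsf;

import java.util.Map;
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.ManagedProperty;
import javax.faces.bean.RequestScoped;
import javax.faces.context.FacesContext;

@ManagedBean(name = "somebean")
@RequestScoped
public class SomeBean {

    // Channel 1: bound to an EditableValueHolder in the question's facelet,
    //   <h:inputHidden value="#{somebean.a}" id="a"/>
    // JSF calls setA() with the submitted value, so any client can set it,
    // but only if that component is rendered, not disabled and not readonly
    // at the moment the postback is decoded (apply request values phase).
    private boolean a;

    // Only read, by rendered="#{somebean.b}". No component pushes a value
    // into it, so b=true in the POST body never reaches setB().
    private boolean b;

    // Channel 2: explicit opt-in. The request parameter "c" is injected on
    // every request that creates this bean, whatever the facelet renders.
    @ManagedProperty("#{param.c}")
    private boolean c;

    // Channel 3: reading the raw parameter map inside an action method.
    // Values taken this way skip JSF converters and validators entirely,
    // so the method has to validate them itself.
    public String doIt() {
        FacesContext context = FacesContext.getCurrentInstance();
        Map<String, String> params = context.getExternalContext().getRequestParameterMap();
        String extra = params.get("extra"); // hypothetical parameter name
        if (extra != null && !isValidExtra(extra)) {
            context.addMessage(null, new FacesMessage(
                    FacesMessage.SEVERITY_ERROR, "Invalid value for extra", null));
            return null; // stay on the current view
        }
        return "success"; // hypothetical navigation outcome
    }

    // Allow-list check for the hand-read parameter: short lower-case tokens only.
    static boolean isValidExtra(String value) {
        return value.matches("[a-z]{1,20}");
    }

    // The setters are the entry points the channels above reach.
    public boolean isA() { return a; }
    public void setA(boolean a) { this.a = a; }
    public boolean isB() { return b; }
    public void setB(boolean b) { this.b = b; }
    public boolean isC() { return c; }
    public void setC(boolean c) { this.c = c; }
}
```

Because this bean is request scoped, b is false on every postback. In the question's conditionally rendered variant the rendered="#{somebean.b}" guard is therefore evaluated as false while the postback is decoded, the outputText and everything inside it is skipped, and setA() is never called; the answer's precondition is about the state of the component tree during that postback, not during the request that rendered the page. By contrast, c is populated on every request because the @ManagedProperty mapping does not depend on the view at all, which is the point of treating such a mapping as a deliberate exposure of the setter.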