In JSF, What is the best way to prevent Form tampering?

Front-end | Unresolved | 1 | 317
礼貌的吻别 2021-01-14 17:47

We are using JSF 1.x with server-side state saving turned on. We have an issue where a malicious user, implemented as a web-bot, can submit a page without submitting all fields.

1 answer
  • 2021-01-14 18:14

    In JSF 1.x this should already not be possible if those fields were set explicitly with required="true". If you omit this and/or replace it by a customized validator or do the validation inside the bean action method instead, then bots will indeed be able to tamper with the form.

    So to fix this, explicitly add required="true" to the required fields with a hard server-side value (and thus not e.g. required="#{not empty param.foo}" or so, where the client/bot can control param.foo). As the view state is stored at the server side, there's no way for a webbot to reveal/modify the state.

    At least, that's the theory. Or it must be a very smart webbot, or maybe an (old?) bug/exploit in the JSF impl/version used in your webapp. The latest JSF 1.x can be downloaded here.


    Update: for a JSF 2.x targeted answer, head to Validator skipped when input is removed in client – is this as per JSF specification? In a nutshell, it's possible in JSF 2.x, and this can (is supposed to) be guarded by putting bean validation or DB constraints.

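Added example, not part of the question or the answer above: it puts the two halves of the answer side by side. The Facelets/JSP snippet (in the leading comment) contrasts the client-controllable `required="#{not empty param.foo}"` with the hard server-side `required="true"`, and the managed bean below applies the JSF 2.x update's advice by running Bean Validation over the whole bean in the action method, so a field whose input never arrived in the request is still rejected before anything is persisted. `RegistrationBean`, `register()`, `persist()` and the field names are assumptions; the example also assumes a Bean Validation provider on the classpath and that the bean is registered with JSF (faces-config.xml or `@ManagedBean`), which is omitted here.

```java
// Added example (not from the answer): defence in depth for the form the
// question describes. RegistrationBean, register(), persist() and the field
// names are assumptions; a Bean Validation provider is assumed on the classpath.
//
// Facelets/JSP side, the point of the answer:
//
//   <!-- weak: the client controls param.foo, so a bot that omits it switches
//        the required check off -->
//   <h:inputText id="email" value="#{registrationBean.email}"
//                required="#{not empty param.foo}" />
//
//   <!-- hard server-side value: the bot cannot turn this off -->
//   <h:inputText id="email" value="#{registrationBean.email}"
//                required="true" requiredMessage="Email is required" />
//
// Java side, the JSF 2.x update: a component-level check is skipped when the
// input is removed client-side, so validate the bean itself in the action
// method before anything is persisted (or rely on NOT NULL DB constraints).

import java.util.Set;
import javax.faces.application.FacesMessage;
import javax.faces.context.FacesContext;
import javax.validation.ConstraintViolation;
import javax.validation.Validation;
import javax.validation.Validator;
import javax.validation.constraints.NotNull;
import javax.validation.constraints.Size;

public class RegistrationBean {

    @NotNull(message = "Email is required")
    @Size(min = 3, max = 254)
    private String email;

    @NotNull(message = "Display name is required")
    @Size(min = 1, max = 64)
    private String displayName;

    // Validator instances are thread-safe; one per class is enough.
    private static final Validator VALIDATOR =
            Validation.buildDefaultValidatorFactory().getValidator();

    /** Action method bound to the form's submit button. */
    public String register() {
        // Validate every constrained property of the bean, regardless of which
        // inputs actually arrived in the request. A property whose input was
        // dropped by the client is still null here and still fails @NotNull.
        Set<ConstraintViolation<RegistrationBean>> violations = VALIDATOR.validate(this);
        if (!violations.isEmpty()) {
            FacesContext ctx = FacesContext.getCurrentInstance();
            for (ConstraintViolation<RegistrationBean> v : violations) {
                ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
                        v.getPropertyPath() + ": " + v.getMessage(), null));
            }
            return null; // re-render the same view; nothing is persisted
        }
        persist();
        return "registered";
    }

    // Assumed persistence call; the target table's columns are NOT NULL so the
    // database is the last line of defence if this method is ever bypassed.
    private void persist() {
        // e.g. entityManager.persist(this)
    }

    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
    public String getDisplayName() { return displayName; }
    public void setDisplayName(String displayName) { this.displayName = displayName; }
}
```

The check in `register()` is deliberately independent of which components JSF processed during the validation phase: it inspects the bean's state, not the request, so it holds whether the missing field was omitted by a bot against JSF 1.x or removed from the DOM against JSF 2.x.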