Depends on if you are using client side or server side state. Technically with client side state the user can invoke any action. With server side state there is no way. If you are really concerned, at security checks to your action methods or use JBoss-Seam with EJB3 managed security.
-Andrew On 5/5/06, Cagatay Civici <[EMAIL PROTECTED]> wrote:
Hi, At first glance I dont think it is possible since JSF uses http post. Cagatay On 5/5/06, Dave Brondsema < [EMAIL PROTECTED]> wrote: > > Is it secure to limit access to a backing bean action simply by using > the 'rendered' attribute to control when it is displayed? Or is it > possible for a malicious user to construct a URL that still invokes the > backing bean method, even when the commandButton for it is not rendered > for that user? > > Thanks, > > -- > Dave Brondsema > Software Developer > Cornerstone University > > > >
