Thanks Leo, interesting points. Imo if you have a security issue with a field being disabled then you have a really weird app imo.
If JSF was used to define disabled then JavaScript hacks need to be prevented, but if disabled was never set then I can't think of a use case where it would be a risk if the client was allowed to disable it. Also I wonder if MyFaces even works like this consistently across components and 2.x versions? I will test it a little more tomorrow I think.

On 10 June 2014 22:55, Howard W. Smith, Jr. <smithh032...@gmail.com> wrote:

> On Tue, Jun 10, 2014 at 4:38 PM, Leonardo Uribe <lu4...@gmail.com> wrote:
>
> > The thing to remember here is "never trust on the client".
> > No matter how intelligent we want the client to be, in cases like this one
> > the state on the server is the king, and that will not change (because we
> > can't!).
>
> and this is what we are here for and this is the reason why we love Java
> 'State' Faces, I mean Java 'Server' Faces... or Java State-on-Server Faces.
> the UI is maintained on the server... client is just a UI or presentation
> of what is maintained on server. :)