0

I have two managed bean type @ViewScoped. A bean lists the items of the user. Another shows extended information of an item. I'm passing the id of the item by url, it's the only way it has worked with viewscoped bean.

But I do not like this way because a user can try to change values url and see items from another user. I wonder if there is any way of passing parameters between pages is not seen by the user and avoid an extra security check.

BalusC
  • 992,635
  • 352
  • 3,478
  • 3,452
user60108
  • 3,038
  • 1
  • 18
  • 33
  • 3
    Please have a look http://stackoverflow.com/questions/20880027/passing-parameters-to-a-view-scoped-bean-in-jsf OR http://stackoverflow.com/questions/16817395/how-to-send-data-between-views-having-a-viewscoped-bean OR here is @Balusc http://stackoverflow.com/questions/25694423/pass-an-object-between-viewscoped-beans-without-using-get-params – Subodh Joshi Oct 19 '15 at 05:06

1 Answers1

0

If the suggested flash scope is not available another way to do it without an extra security check would be to use a @SessionScoped annotated bean. But please make sure you session scoped bean contains only necessary data otherwise you run into other trouble.

For Example:

@SessionScoped
public class AccessibleItems {

    private List<Items> items; // or private List<Integer> itemIds;

}

and

@ViewScoped
public class ItemView  {

   @ManagedProperty(value="#{accessibleItem}")
   private AcessibleItems accessibleItems;

}

But after all in my humble opinion do the extra security check. Because you won't have any trouble updating the data, especially when you use them in many places, and your url design is nicer.

Paul Wasilewski
  • 7,810
  • 4
  • 38
  • 49