I have a backing bean (somebean) with three boolean properties a, b, and c, each of which has a getter and setter. I have
Which properties in a JSF backing bean can be set by a user?
Those bound to an EditableValueHolder component, such as UIInput and friends (including <f:viewParam>!), with the precondition that they are rendered="true", disabled="false" and readonly="false" during the apply request values phase.
Another possible way is through a @ManagedProperty("#{param.xxx}") on the property of a request scoped bean, or a hardcoded ExternalContext#getRequestParameterMap() access in some bean method which is invoked during the HTTP request.
So, only when you as being the developer explicitly bind the property to an editable value holder component which is rendered, non-disabled/readonly, or when you as being the developer explicitly set a request parameter as a property. There are in the current releases of JSF implementations absolutely no security holes with regard to the possibility of setting undeclared/unbound properties by HTTP means. It's not even possible to send an arbitrary value to a UISelectOne or UISelectMany component by spoofing the HTTP request; it would only end up in "Validation Error: Value is not valid".
As to security holes in older JSF implementations, only and only when you're navigating to a different view using includeViewParams="true" in a Mojarra version older than 2.0.7 and 2.1.5, then all EL expressions in view params such as #{bean.setArbitraryProperty('foo')} will be evaluated. See also issue 2247. I'm not aware of any security holes in MyFaces; that's not because there are none per se, but simply because I don't use/track it closely.