A method in a managed bean is protected by JSF? See the code:

Managed Bean

@ManagedBean
public class My {
    public void test() {
        System.out.println("called");
    }
}

XHTML

<h:form>
    <h:commandButton rendered="true" action="#{my.test}" value="Teste" />
</h:form>

If the button is not rendered (rendered="false"), a HTTP POST request (as the button would do) can be done and call the test() method?

In other words, JSF prevents calls to managed beans methods by tampered requests?

In other words, JSF prevents calls to managed beans methods by tampered requests?

Yes.

JSF re-evaluates the component's rendered attribute during apply request values phase. If it's false, then in case of UICommand components the ActionEvent simply won't be queued, regardless of whether the (tampered) HTTP request parameter indicates that the button is being pressed.

JSF has similar safeguard against tampered requests on the disabled and readonly attributes, also those of UIInput components. And, in UISelectOne/UISelectMany components, JSF will validate if the submitted value is indeed part of the provided available options.

JSF does this all also with help of the view state. If JSF were stateless, there would be more risk that one or other may fail if those attributes suddenly become request scoped instead of view scoped.

See also:

• commandButton/commandLink/ajax action/listener method not invoked or input value not updated - point 5
• Validation Error: Value is not valid
• How to disable/enable JSF input field in JavaScript?
• What is the usefulness of statelessness in JSF?