I am looking for a manipulation-resistant validation of user input.
<p:inputText id=myinputText maxlength="16" value="#{basicView.text}" />
The client-side limitation of input like maxlength="16" or validation on submit can be tricked by JavaScript. Can I avoid that the attacker initializes basicView.text or parameters of used Primefaces server-side validators with 1GB by following code:
$("#myinputText").val('x'.repeat(1024*1024*1024));
What is the best way to prevent that attacker causes an OutOfMemory?
Protection against issues like this is always 'multi layer'
Client-side manipulation resistence is impossible wiht the current state of browsers (nor do I think it will change in the future).
Your application is partly protected by having JSF do a server-side validation as well.
If you think this protection is not enough, most java-ee servers (and servlet containers) have a 'maximum post size' protection as well. Normal defaults are in the 10MB range. If you set this higher like in your case for allowing large files to be uploaded via http, then check if you can configure this on a per url basis and if not, maybe on a per application basis so you can e.g. split the application in two with a separate upload part.
It is (always?) good to have an additional layer in between that