Struts Users Mailing List, thread "data injection attack", 4 July 2012

From: J. Garcia
Subject: data injection attack

For instance, in my struts2 jsp form I have fields such as:
- mybean.id, hidden
- mybean.field1,
- mybean.field2
With Firebug, I can easily add a mybean.field3 and set it to any value when
the form is posted.
I've seen that Spring MVC has the concept of allowed fields to prevent data
injection attack. How can this be done in Struts2?

J.

From: Lukasz Lenart
Sent: Wed, 2012-07-04 14:57 +0200
Subject: Re: data injection attack

By removing setter for it ?

Regards

From: [name not shown]
Subject: Re: data injection attack

Lukas: that's not always viable though. You might need a setter for your
model object elsewhere, but don't want that action to set that property.

From: Łukasz Lenart
Subject: Re: data injection attack

You can always implement ParameterNameAware interface and boolean
acceptableParameterName(String parameterName);

Regards
--
Łukasz
mobile +48 606 323 122 http://www.lenart.org.pl/
Warszawa JUG conference - Confitura http://confitura.pl/

From: Łukasz Lenart
Sent: Wed, Jul 4, 2012 3:34 PM
Subject: Re: data injection attack

Another way is to use AnnotationParameterFilterIntereptor (name
contains typo) and @Allowed and @Blocked annotations

Regards
--
Łukasz

From: J. Garcia
Sent: 04 July 2012 14:49
To: Struts Users Mailing List; lukasz.len...@gmail.com
Subject: Re: data injection attack

My action would have:

public void setMyBean( MyBean myBean) {...}

and I would like to avoid an injection on myBean.field3. This field could be
the owner id for instance!

From: Dave Newton
Sent: Wed, Jul 4, 2012 3:51 PM
Subject: Re: data injection attack

Then whitelist/blacklist.

Or don't expose sensitive data directly to the user.

Dave

(pardon brevity, typos, and top-quoting; on cell)

From: J. Garcia
Subject: Re: data injection attack

Implementing the ParameterNameAware interface with white/black list seems
the best solution.

Thanks,
J.
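What J.'s chosen approach (ParameterNameAware with an allow-list) looks like in code, as an added example that is not part of the thread and not code from the Struts project. It assumes struts2-core (xwork2) on the classpath. MyBean, its fields, setMyBean and the form field names come from the thread; the action class name, the ALLOWED_PARAMS set, the filter/currentUserId helpers and the constructed request in main are assumptions. The id, field1 and field2 parameters are accepted, field3 is dropped before it can reach the setter, and the setter itself stays available to other actions, which is the objection raised against simply removing it.

```java
package example;

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not from the thread): the action J. describes, with an explicit
 * allow-list of request parameter names. Class, method and helper names are assumed.
 */
public class SaveMyBeanAction extends ActionSupport implements ParameterNameAware {

    /** Bean bound from the form; field3 is the owner id and must never come from the request. */
    public static class MyBean {
        private Long id;
        private String field1;
        private String field2;
        private String field3;
        public Long getId() { return id; }
        public void setId(Long id) { this.id = id; }
        public String getField1() { return field1; }
        public void setField1(String field1) { this.field1 = field1; }
        public String getField2() { return field2; }
        public void setField2(String field2) { this.field2 = field2; }
        public String getField3() { return field3; }
        public void setField3(String field3) { this.field3 = field3; }
    }

    /** Exact, case-sensitive names as the form posts them (OGNL expressions). Anything else is dropped. */
    private static final Set<String> ALLOWED_PARAMS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("myBean.id", "myBean.field1", "myBean.field2")));

    private MyBean myBean = new MyBean();

    public MyBean getMyBean() { return myBean; }
    public void setMyBean(MyBean myBean) { this.myBean = myBean; }

    /**
     * Consulted by ParametersInterceptor for every request parameter name, in addition
     * to the interceptor's own excludeParams/acceptParams pattern check, before the
     * value is set on the action. Returning false makes the interceptor skip that
     * parameter; MyBean.setField3 still exists for other actions to use.
     */
    @Override
    public boolean acceptableParameterName(String parameterName) {
        return ALLOWED_PARAMS.contains(parameterName);
    }

    @Override
    public String execute() {
        // The owner id is taken from the authenticated session, never from the request.
        myBean.setField3(currentUserId());
        // Allow-listing stops overposting of field3; it does not validate myBean.id,
        // so the action must still check that this user may update that record.
        return SUCCESS;
    }

    private String currentUserId() {
        return "user-from-session"; // assumed stand-in for your authentication lookup
    }

    /** Stand-alone reproduction of the interceptor's filtering step, for running without a container. */
    public static Map<String, String[]> filter(ParameterNameAware action, Map<String, String[]> params) {
        Map<String, String[]> accepted = new LinkedHashMap<String, String[]>();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            if (action.acceptableParameterName(e.getKey())) {
                accepted.put(e.getKey(), e.getValue());
            }
        }
        return accepted;
    }

    public static void main(String[] args) {
        // Constructed request: the three legitimate form fields plus the one added with Firebug.
        Map<String, String[]> posted = new LinkedHashMap<String, String[]>();
        posted.put("myBean.id", new String[] {"17"});
        posted.put("myBean.field1", new String[] {"hello"});
        posted.put("myBean.field2", new String[] {"world"});
        posted.put("myBean.field3", new String[] {"attacker-chosen-owner-id"});

        Map<String, String[]> accepted = filter(new SaveMyBeanAction(), posted);
        System.out.println("accepted: " + accepted.keySet());
        System.out.println("dropped:  " + (posted.size() - accepted.size()) + " parameter(s)");
    }
}
```

The allow-list is per action, so an action elsewhere that does want to set field3 is unaffected; that is the point of doing this in the action rather than in the bean. Because the match is exact, indexed or map-style names such as myBean.field1[0] would also be rejected unless listed, which is usually what you want. The `id` case deserves the separate check noted in execute(): an allow-list stops the attacker from adding parameters, not from changing the value of one the form legitimately carries.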