You are right, but the user must see the fields, and I need the object with all properties to call the (JPA) persist method. What's the best practice for this use case?
I have one object and many roles ... any role can change a different field ... Do I create a class for any roles? Idea?

Thanks
Marco

On Sat, Nov 12, 2011 at 7:31 PM, <jlm...@gmail.com> wrote:
> The use of hidden fields to avoid the user changing those fields is a
> security risk. You are still getting all the fields from the client's side,
> so the user or somebody else (through a man-in-the-middle attack) is still
> able to change the value of those fields.
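
One way to handle the use case discussed in this thread, as an added example that is not part of the original messages: load the entity from the database, then copy onto it only the fields the current role may change, so no hidden fields are needed and the full object is still available for persist. The `Order` class, the role names and the field names are hypothetical, and the in-memory object stands in for a JPA lookup.

```java
import java.util.*;
import java.util.function.BiConsumer;

// Added illustration; Order, the roles and the field names are hypothetical.
public class RoleFieldMerge {
    static class Order {                      // stands in for the JPA entity
        String customerNote, status, price;
        @Override public String toString() {
            return customerNote + " | " + status + " | " + price;
        }
    }

    // One setter per field that may ever be bound from a request.
    static final Map<String, BiConsumer<Order, String>> SETTERS = Map.of(
        "customerNote", (o, v) -> o.customerNote = v,
        "status",       (o, v) -> o.status = v,
        "price",        (o, v) -> o.price = v);

    // Server-side allowlist: the fields each role may change.
    static final Map<String, Set<String>> EDITABLE = Map.of(
        "CUSTOMER", Set.of("customerNote"),
        "CLERK",    Set.of("status"),
        "MANAGER",  Set.of("status", "price"));

    /** Applies only the role's permitted fields to the stored entity; returns the rejected names. */
    static List<String> merge(Order stored, Map<String, String> submitted, String role) {
        Set<String> allowed = EDITABLE.getOrDefault(role, Set.of()); // unknown role: nothing editable
        List<String> rejected = new ArrayList<>();
        for (Map.Entry<String, String> e : new TreeMap<>(submitted).entrySet()) {
            if (allowed.contains(e.getKey())) {
                SETTERS.get(e.getKey()).accept(stored, e.getValue());
            } else {
                rejected.add(e.getKey());     // log or fail the request, never apply
            }
        }
        return rejected;
    }

    public static void main(String[] args) {
        Order stored = new Order();           // in the application: em.find(Order.class, id)
        stored.customerNote = "none";
        stored.status = "NEW";
        stored.price = "100.00";

        // Constructed request: a customer edits the note and also submits a price.
        Map<String, String> submitted = Map.of("customerNote", "leave at door", "price", "0.01");
        List<String> rejected = merge(stored, submitted, "CUSTOMER");

        System.out.println("entity:   " + stored);   // untouched fields still hold database values
        System.out.println("rejected: " + rejected);
    }
}
```

A single allowlist map keyed by role avoids writing one form class per role; the fields a role cannot edit can still be rendered read-only for display, since their submitted values are never copied onto the entity.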