So I guess this is a legitimate security concern. Is there a cleaner way to do this? Is there annotation support for it?
On Thu, Feb 28, 2008 at 10:05 AM, Daniel Baldes <[EMAIL PROTECTED]> wrote:
> Brian Relph wrote:
> > Hi, I am concerned about security in my struts2 actions. I am using spring
> > to auto-wire my actions by name, but this leads me to believe that a
> > malicious user can set action properties that I do not want them to. For
> > example, I have a .jsp with a form input of "name". My action has a
> > getter/setter for the String property "name". This property is
> > automatically populated (by the parameterInterceptor?). I also have a
> > userDao object on my action, also with getters/setters so that spring can
> > auto-wire it. Is there anything that prevents a user from adding a form
> > input of "userDao.password" (just for example), and changing the password on
> > my userDao? Do I need to do something to only make certain properties of my
> > action available to be set from request parameters?
> >
> > Thanks,
> >
>
> Hi Brian,
>
> you can implement the interface "ParameterNameAware". Then, every
> parameter name is passed to the method "boolean
> acceptableParameterName(String name)" and the parameter is only set when
> it returns true.
>
> Cheers,
> Daniel
>

--
Brian
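Added example (not code from the thread or from the Struts project) of the approach Daniel describes: an action that implements ParameterNameAware and accepts only an explicit allow-list of parameter names, so a request parameter such as "userDao.password" is never applied. The package, class and field names, and the UserDao type with its save method, are assumptions made for illustration.

```java
// Added example, not from the thread or the Struts project. The package,
// class, field names and the UserDao type (assumed to exist elsewhere with a
// save(String, String) method) are assumptions for illustration.
package example;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

public class SaveUserAction extends ActionSupport implements ParameterNameAware {

    // Allow-list of request parameter names this action accepts. Anything
    // else, including OGNL paths such as "userDao.password", is refused.
    private static final Set<String> ACCEPTED_PARAMS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("name", "email")));

    private String name;
    private String email;

    // Collaborator injected by Spring auto-wiring. It needs a setter for that,
    // which is exactly why it must not be reachable from request parameters.
    private UserDao userDao;

    /**
     * Called by the parameters interceptor for every request parameter name
     * before the value is applied. Returning false makes the interceptor skip
     * that parameter.
     */
    public boolean acceptableParameterName(String parameterName) {
        if (parameterName == null) {
            return false;
        }
        // Exact match only. Because the allow-list holds simple property
        // names, a name carrying any traversal or indexing syntax
        // ('.', '[', '(', '#', '@') can never match and is rejected as well.
        return ACCEPTED_PARAMS.contains(parameterName);
    }

    public String execute() {
        userDao.save(name, email);   // assumed UserDao method
        return SUCCESS;
    }

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }

    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }

    // Setter kept for Spring injection; the allow-list above keeps it out of
    // reach of request parameters.
    public void setUserDao(UserDao userDao) { this.userDao = userDao; }
}
```

With this in place a request carrying both name=alice and userDao.password=x has only "name" applied, because the second name does not pass acceptableParameterName. An allow-list is preferable to a deny-list of characters like "." here: the action also has a top-level setter for userDao itself, and a rule that only blocks traversal syntax would still offer that setter to the request. Keep the allow-list in step with the form fields the action is meant to receive.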