[
http://www.stripesframework.org/jira/browse/STS-845?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12391#comment-12391
]
Samuel Santos commented on STS-845:
-----------------------------------
On the server side you want to make sure that the value wasn't changed, but
nothing stops you from changing it on the client side with tools like Firebug. You
can put anything you want in it, regardless of it being an encrypted value or
not...

Now, the question is that this validation is not working properly. If Stripes
detects that the value has been changed, it should add a validation error and
protect the integer converter against this NPE. I even think that the integer
converter should not be called if the encrypted validation fails.

> Integer encrypted fields may throw a NPE
> ----------------------------------------
>
> Key: STS-845
> URL: http://www.stripesframework.org/jira/browse/STS-845
> Project: Stripes
> Issue Type: Bug
> Components: Validation
> Affects Versions: Release 1.5.6
> Reporter: Samuel Santos
>
> I have an integer property that cannot be changed by the client:
> {code}
> @ValidateNestedProperties({
> [...]
> @Validate(field = "userProfile.id", required = true, encrypted = true, on = { "update" }),
> [...]
> })
> private User user;
> {code}
> If I change the value of this hidden field (with firebug) I get the following
> error:
> {noformat}
> 16:48:17,656 WARN [net.sourceforge.stripes.util.CryptoUtil] Input was not encrypted with the current encryption key: sacsdfsa
> 16:48:17,656 WARN [net.sourceforge.stripes.controller.DefaultActionBeanPropertyBinder] Looks like type converter net.sourceforge.stripes.validation.IntegerTypeConverter@5dec2e51 threw an exception.: java.lang.NullPointerException
>     at net.sourceforge.stripes.validation.NumberTypeConverterSupport.preprocess(NumberTypeConverterSupport.java:94) [:1.5.6]
>     at net.sourceforge.stripes.validation.NumberTypeConverterSupport.parse(NumberTypeConverterSupport.java:68) [:1.5.6]
>     at net.sourceforge.stripes.validation.IntegerTypeConverter.convert(IntegerTypeConverter.java:36) [:1.5.6]
>     at net.sourceforge.stripes.validation.IntegerTypeConverter.convert(IntegerTypeConverter.java:25) [:1.5.6]
>     at net.sourceforge.stripes.controller.DefaultActionBeanPropertyBinder.convert(DefaultActionBeanPropertyBinder.java:792) [:1.5.6]
>     at net.sourceforge.stripes.controller.DefaultActionBeanPropertyBinder.bind(DefaultActionBeanPropertyBinder.java:182) [:1.5.6]
>     at net.sourceforge.stripes.controller.DispatcherHelper$3.intercept(DispatcherHelper.java:218) [:1.5.6]
>     at net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:158) [:1.5.6]
>     at org.stripesstuff.plugin.security.SecurityInterceptor.interceptBindingAndValidation(SecurityInterceptor.java:158) [:139]
>     at org.stripesstuff.plugin.security.SecurityInterceptor.intercept(SecurityInterceptor.java:123) [:139]
>     at net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:155) [:1.5.6]
>     at net.sourceforge.stripes.controller.BeforeAfterMethodInterceptor.intercept(BeforeAfterMethodInterceptor.java:113) [:1.5.6]
>     at net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:155) [:1.5.6]
>     at net.sourceforge.stripes.controller.ExecutionContext.wrap(ExecutionContext.java:74) [:1.5.6]
>     at net.sourceforge.stripes.controller.DispatcherHelper.doBindingAndValidation(DispatcherHelper.java:214) [:1.5.6]
>     at net.sourceforge.stripes.controller.DispatcherServlet.doBindingAndValidation(DispatcherServlet.java:254) [:1.5.6]
>     at net.sourceforge.stripes.controller.DispatcherServlet.service(DispatcherServlet.java:148) [:1.5.6]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [:1.0.0.Final]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:324) [:6.0.0.Final]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:242) [:6.0.0.Final]
>     at net.sourceforge.stripes.controller.StripesFilter.doFilter(StripesFilter.java:247) [:1.5.6]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:274) [:6.0.0.Final]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:242) [:6.0.0.Final]
>     at com.opensymphony.sitemesh.webapp.SiteMeshFilter.obtainContent(SiteMeshFilter.java:129) [:]
>     at com.opensymphony.sitemesh.webapp.SiteMeshFilter.doFilter(SiteMeshFilter.java:77) [:]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:274) [:6.0.0.Final]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:242) [:6.0.0.Final]
>     at com.samaxes.filter.NoCacheFilter.doFilter(NoCacheFilter.java:65) [:2.0]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:274) [:6.0.0.Final]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:242) [:6.0.0.Final]
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [:6.0.0.Final]
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [:6.0.0.Final]
>     at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:181) [:6.0.0.Final]
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:593) [:6.0.0.Final]
>     at org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.event(CatalinaContext.java:285) [:1.1.0.Final]
>     at org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.invoke(CatalinaContext.java:261) [:1.1.0.Final]
>     at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:88) [:6.0.0.Final]
>     at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:100) [:6.0.0.Final]
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [:6.0.0.Final]
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [:6.0.0.Final]
>     at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158) [:6.0.0.Final]
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [:6.0.0.Final]
>     at org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.invoke(ActiveRequestResponseCacheValve.java:53) [:6.0.0.Final]
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:362) [:6.0.0.Final]
>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [:6.0.0.Final]
>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:654) [:6.0.0.Final]
>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:951) [:6.0.0.Final]
>     at java.lang.Thread.run(Thread.java:662) [:1.6.0_25]
> {noformat}
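
The behaviour the comment asks for, as an added example that is not Stripes code or part of the original message: a failed integrity check on the hidden field becomes a validation error, and the integer converter is never invoked on the missing value. The HMAC tag stands in for Stripes' field encryption, and the class name, method names, key and field layout are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

public class EncryptedFieldBinding {
    // Constructed demo key (assumption); a real application loads its key from configuration.
    private static final byte[] KEY = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);

    /** HMAC-SHA256 tag over the value, URL-safe Base64 (stand-in for the framework's crypto). */
    static String tag(String value) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        byte[] raw = mac.doFinal(value.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Field layout "<value>.<tag>" (hypothetical). Returns the value, or null if it was altered. */
    static String unprotect(String field) throws Exception {
        int dot = field.lastIndexOf('.');
        if (dot < 0) return null;
        String value = field.substring(0, dot);
        byte[] expected = tag(value).getBytes(StandardCharsets.UTF_8);
        byte[] actual = field.substring(dot + 1).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual) ? value : null; // constant-time compare
    }

    /** Binds an integer field; tampering is reported as a validation error, not an exception. */
    static Integer bind(String name, String field, List<String> errors) throws Exception {
        String plain = (field == null) ? null : unprotect(field);
        if (plain == null) { // integrity check failed: do not call the converter at all
            errors.add(name + ": value was modified on the client");
            return null;
        }
        try {
            return Integer.valueOf(plain.trim());
        } catch (NumberFormatException e) {
            errors.add(name + ": not a valid integer");
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        List<String> errors = new ArrayList<>();
        System.out.println(bind("userProfile.id", "42." + tag("42"), errors)); // untouched field
        System.out.println(bind("userProfile.id", "sacsdfsa", errors)); // tampered value from the log
        System.out.println(errors);
    }
}
```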