Hello Struts developers,

We are now developing an internet banking
application with Struts, of course.
Of course, we are highly concerned
about possible security holes in the framework
(or in the application using the framework).
I believe there is one that, when properly
used, can cause some trouble for developers!

Here it is:

Imagine a scenario where a user submits a form,
Struts automatically populates the
form bean, and then
the validation of the parameters takes place.
After that, if OK, the perform method is called.
Here, I already know that the
params were OK, so I write the
transaction to the database. The problem here
is the perform method. When precisely at the
moment of the perform method call the user decides
to submit the form once again (with
different values, of course), the form bean
is populated again, and possibly wrong
(not validated) data might be written to the database
(by the first thread, which is not aware
of the second submit).
I am afraid there is no possibility to
synchronize access to the form,
since the population of the form bean is automatic.

I know that the solution to the problem here is,
in the perform method,
to make a copy of the parameters and then validate
them again. Or I can
do the validation only in the perform method,
but first I have to remove the
form bean from the session, then validate,
then write to the database, and then possibly
return that form bean to the session.

Sorry for such a long description,
but I tried to make myself as clear as possible.

My preferred solution to the problem would be:
in struts-config.xml, put an attribute
on the action, describing that handling
such an action requires session synchronization.
Thus everything, starting from form population
and ending with "return mapping.findForward(...)",
would be synchronized on the session object.
(I do this synchronization on the session
anyway, in each perform method.)

So, what do you think?

Thanks to all contributors
for such a great framework,
and enjoy the summer.

Marcel Kruzel
Czech Republic
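The "copy the parameters in perform and validate them again" approach from the message above, written out as an added example (this is not code from the post or from the Struts project). The form bean, the field names, the message keys, the "success" forward and the AccountService class are all assumptions made for the illustration; only the Struts 1.0-era classes and methods used (Action.perform, ActionForm.validate, ActionErrors, ActionError, saveErrors, ActionMapping.getInput/findForward) are real.

```java
import java.io.IOException;
import java.math.BigDecimal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionError;
import org.apache.struts.action.ActionErrors;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/*
 * Hypothetical session-scoped form bean for a money transfer (an assumption
 * for this example). The check is factored into a static method so that the
 * same rules can be run on a private copy of the values inside perform().
 */
class TransferForm extends ActionForm {
    private String fromAccount;
    private String toAccount;
    private String amount;

    public String getFromAccount() { return fromAccount; }
    public void setFromAccount(String v) { fromAccount = v; }
    public String getToAccount() { return toAccount; }
    public void setToAccount(String v) { toAccount = v; }
    public String getAmount() { return amount; }
    public void setAmount(String v) { amount = v; }

    // Called by the ActionServlet after population and before perform().
    public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {
        return check(fromAccount, toAccount, amount);
    }

    // Stateless validation: it looks only at the values it is handed.
    static ActionErrors check(String from, String to, String amt) {
        ActionErrors errors = new ActionErrors();
        if (from == null || from.trim().length() == 0)
            errors.add("fromAccount", new ActionError("error.fromAccount.required"));
        if (to == null || to.trim().length() == 0)
            errors.add("toAccount", new ActionError("error.toAccount.required"));
        try {
            if (amt == null || new BigDecimal(amt).signum() <= 0)
                errors.add("amount", new ActionError("error.amount.positive"));
        } catch (NumberFormatException e) {
            errors.add("amount", new ActionError("error.amount.invalid"));
        }
        return errors;
    }
}

/* Stand-in for the application's account/database layer (assumption). */
class AccountService {
    static void transfer(String from, String to, BigDecimal amount) {
        // The JDBC transaction would go here in the real application.
    }
}

public final class TransferAction extends Action {

    public ActionForward perform(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response)
            throws IOException, ServletException {
        TransferForm shared = (TransferForm) form;
        HttpSession session = request.getSession();

        // 1. Take a private copy of the fields. A second submit can repopulate
        //    the shared bean at any moment, so nothing below reads 'shared'
        //    again. Locking the session only serializes against other Actions
        //    that take the same lock; it cannot stop the servlet's automatic
        //    population, which runs before perform() without this lock.
        String from, to, amt;
        synchronized (session) {
            from = shared.getFromAccount();
            to = shared.getToAccount();
            amt = shared.getAmount();
        }

        // 2. Validate the copy, not the bean. The validation that ran before
        //    perform() applied to values that may no longer be in the bean.
        ActionErrors errors = TransferForm.check(from, to, amt);
        if (!errors.empty()) {
            saveErrors(request, errors);
            return new ActionForward(mapping.getInput());
        }

        // 3. Commit only from the copy, so whatever reaches the database is
        //    exactly what step 2 validated.
        AccountService.transfer(from, to, new BigDecimal(amt));
        return mapping.findForward("success");
    }
}
```

One caveat on this approach: with a session-scoped bean the three getters can still observe a mix of two submits (for example the account of the first and the amount of the second), because the servlet's population is not atomic with respect to the copy. The snapshot guarantees that what is written was validated, not that it all came from one submit. Declaring the action mapping with scope="request" gives each request its own bean and removes the shared state altogether, and Struts' own saveToken()/isTokenValid() in Action can reject the repeated submit outright; both are separate measures not shown here.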


