This does sounds like a problem if you use session scoped forms. It seems to me like a good reason not to use session scoped forms and another reason to minimize use of the session in general. Sessions have other problems that arise when a user opens multiple browsers for example. It also argues for ensuring that your model layer code doesn't rely on validation done in the presentation layer (especially if it's an internet banking application). I am not saying your idea for session synchronization wouldn't work but you could work around it and you would probably be better off in the end.
Hal > -----Original Message----- > From: Marcel Kruzel [mailto:[EMAIL PROTECTED]] > Sent: Monday, July 01, 2002 2:46 AM > To: [EMAIL PROTECTED] > Subject: Security issues with Struts > > > Hello Struts developers, > > We are now developing an internet banking > application with Stuts of course. > Of course, we are highly concerned > in possible security holes in the framework > (or in the application using the framework). > I believe, there is one, that, when properly > used, can cause some troubles for developers! > > Here it is: > > Imagine a scenario, where user submits a form, > the Struts automatically populate the > form bean and then > the validation of the parameters takes place. > After that, if OK, the perform method is called. > Here, I already know, that the > params were ok, so I write the > transaction to database. The problem here > is the perform method. When precisely at the > moment of perform method call user decides > to submit the form once again (with > different values of course), the form bean > is again populated, and possibly wrong > (not validated) data might be writen to database > (by the first thread, that is not aware > of the second submit). > I am afraid, there is not a possibility to > synchronize acccess to the form, > since the population of form bean is automatic. > > I know, that the solution to the problem here is > in the perform method > to make copy of the parameters and then validate > them again. Or, I can > make validation only in the perform method, > but first I have to remove the > form bean from session, then validate > and then write to database, and then possibly > return that form bean to the session. > > Sorry for so long description, > but I tried to make myself as clear as possible. > > My preferred solution to the problem would be: > In the struts-config.xml put an attribute > to action, describing, that handling > such an action requires session synchronization. > Thus everything, starting from form population > and ending with "return mapping.findForward(...)" > would be synchronized on a session object. > (I do this synchronization on a session > anyway - in each perform method). > > So, what do You think? > > Thanx to all contributors > for such a great framework, > and enjoy the summer. > > Marcel Kruzel > Czech Republic > > > > -- > To unsubscribe, e-mail: > <mailto:[EMAIL PROTECTED]> > For additional commands, e-mail: > <mailto:[EMAIL PROTECTED]> > -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
