>> In the case at hand, nothing stops your user from logging on (so your
>> security checks won't catch anything) and then hand typing a URL with
>> query string parameters that maliciously or accidentally try to change
>> things in the system. If the user is successful at doing this, it's shame
>> on the app developer for listening to request parameters that you
>> shouldn't.
This is a good point. I'm finding my Actions and Forms have bucketloads
(and that's the technical term for it) of
    User user;
    // The cast and assignment must be parenthesised before the comparison;
    // without the extra parentheses the == binds first and this does not compile.
    // Struts 1 ActionMapping has findForward(), not getMapping().
    if ((user = (User) request.getSession().getAttribute("user")) == null)
        return mapping.findForward("index");
and on, and on, and on. I'd like to try and find a good way to simplify this
as best I can. (This example is required if the session times out; other
examples appear when a browser auto-fills a URL and the user submits it
without the form fields, etc. Very bad karma in that case.)
>> Of course, you need to take other defensive measures as well (like using
>> the transaction control support to avoid accidental or malicious resubmits
>> of the same data).
I've seen this in the example application; is there any documentation on
using it (as best as possible)?
Thanks.
--
Kumera - a new Open Source Content Management System
for small to medium web sites written in Perl and using XML
http://www.cyber4.org/kumera/index.html
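One way to collapse the repeated session check into a single place, and to wire in the transaction token the quoted reply mentions, as an added example that is not code from this thread or from the Struts distribution: a base Action that does the session lookup once and hands subclasses an already-authenticated User, plus a pair of actions showing the token being saved when the form is rendered and checked when it is submitted. It assumes Struts 1.1-style execute(), a forward named "index" and a User class stored under the session key "user" as in the post; the class names AuthenticatedAction, ShowProfileAction, UpdateProfileAction, ProfileForm, the forward names "duplicate" and "success", and the User.setDisplayName() method are assumptions. The Struts calls used (findForward, saveToken, isTokenValid, resetToken) are real Struts 1 API.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/**
 * Base class for every Action that requires a logged-in user.
 * Subclasses implement executeAuthenticated() and never see a request
 * without a User, so the repeated null check lives here and nowhere else.
 * (Added example; every name other than the Struts ones is an assumption.)
 */
public abstract class AuthenticatedAction extends Action {

    /** Session attribute key used in the post. */
    public static final String USER_KEY = "user";

    /** Forward to use when the session is missing or has no user. */
    public static final String LOGIN_FORWARD = "index";

    public final ActionForward execute(ActionMapping mapping, ActionForm form,
                                       HttpServletRequest request,
                                       HttpServletResponse response)
            throws Exception {
        // getSession(false): do not create a fresh, empty session for an
        // unauthenticated request just to discover that it has no user.
        HttpSession session = request.getSession(false);
        User user = (session == null)
                ? null : (User) session.getAttribute(USER_KEY);
        if (user == null) {
            // Session timed out, or a URL was typed/auto-completed without a
            // login: go to the login page and touch nothing else.
            return mapping.findForward(LOGIN_FORWARD);
        }
        return executeAuthenticated(mapping, form, request, response, user);
    }

    /** Only reached with a non-null user. */
    protected abstract ActionForward executeAuthenticated(
            ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response,
            User user) throws Exception;
}

/** Renders the edit form. Saving a token here makes <html:form> emit it
 *  as a hidden field, so only a submission of this rendered form carries it. */
class ShowProfileAction extends AuthenticatedAction {
    protected ActionForward executeAuthenticated(ActionMapping mapping,
            ActionForm form, HttpServletRequest request,
            HttpServletResponse response, User user) throws Exception {
        saveToken(request);                         // Struts 1 Action API
        return mapping.findForward("success");      // forward name assumed
    }
}

/** Applies the change. A resubmit (back button + submit again) or a URL
 *  reissued without the form carries no valid token and is refused before
 *  any request parameter is acted on. */
class UpdateProfileAction extends AuthenticatedAction {
    protected ActionForward executeAuthenticated(ActionMapping mapping,
            ActionForm form, HttpServletRequest request,
            HttpServletResponse response, User user) throws Exception {
        if (!isTokenValid(request)) {
            // Missing, stale or already-used token: treat as a duplicate.
            return mapping.findForward("duplicate");    // forward name assumed
        }
        // Consume the token so the same form cannot be submitted twice.
        resetToken(request);

        ProfileForm profile = (ProfileForm) form;       // ActionForm assumed
        user.setDisplayName(profile.getDisplayName());  // User API assumed
        return mapping.findForward("success");          // forward name assumed
    }
}

/** Minimal form bean for the example (assumed, not from the post). */
class ProfileForm extends ActionForm {
    private String displayName;
    public String getDisplayName() { return displayName; }
    public void setDisplayName(String displayName) { this.displayName = displayName; }
}
```

The point of making execute() final in the base class is that a subclass cannot accidentally bypass the check; the only way to run code is through executeAuthenticated(), which already has the User in hand. The token check is deliberately done before the form is cast or any parameter is read, so a hand-typed or replayed request never reaches the code that changes state.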