By removing the setter for it?

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

2012/7/4 J. Garcia <jogaco...@gmail.com>:
> An interesting article that I found:
>
> http://websec.wordpress.com/2012/01/04/multiple-vulnerabilities-in-apache-struts2-and-property-oriented-programming-with-java/
>
> In struts2 it is pretty easy to set attribute values of any bean field when
> a form is posted, even if the field is not in the form.
> For instance, in my struts2 jsp form I have fields such as:
> - mybean.id, hidden
> - mybean.field1,
> - mybean.field2
>
> With Firebug, I can easily add a mybean.field3 and set it to any value when
> the form is posted.
>
> I've seen that Spring MVC has the concept of allowed fields to prevent data
> injection attack. How can this be done in Struts2?
>
> J.
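
The exchange above, as an added example that is not part of the thread and not Struts2 code: a plain-Java stand-in for setter-based form binding, showing that a property without a setter cannot be populated from the request and that an allow-list of field names limits binding when the setter has to stay. The `MyBean` layout, the `role` property and the `bind` helper are hypothetical.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.lang.reflect.Method;
import java.util.*;

public class SetterBindingDemo {
    // Hypothetical bean: field1/field2 are in the form, field3 is not but has a
    // setter (the case in the post); role has no setter at all.
    public static class MyBean {
        private String field1, field2, field3, role = "user";
        public void setField1(String v) { field1 = v; }
        public void setField2(String v) { field2 = v; }
        public void setField3(String v) { field3 = v; }
        public String getField3() { return field3; }
        public String getRole() { return role; }
    }

    // Simplified stand-in for setter-based binding (an assumption, not the
    // framework's implementation): each parameter naming a writable String
    // property is applied, unless an allow-list is given and excludes it.
    static Set<String> bind(Object bean, Map<String, String> params, Set<String> allowed)
            throws Exception {
        Set<String> applied = new TreeSet<>();
        for (PropertyDescriptor pd :
                Introspector.getBeanInfo(bean.getClass()).getPropertyDescriptors()) {
            Method setter = pd.getWriteMethod();
            String value = params.get(pd.getName());
            if (setter == null || value == null) continue;      // no setter: nothing to call
            if (pd.getPropertyType() != String.class) continue; // demo handles strings only
            if (allowed != null && !allowed.contains(pd.getName())) continue;
            setter.invoke(bean, value);
            applied.add(pd.getName());
        }
        return applied;
    }

    public static void main(String[] args) throws Exception {
        // Constructed request: two form fields plus two parameters added by the client.
        Map<String, String> posted = new LinkedHashMap<>();
        posted.put("field1", "a");
        posted.put("field2", "b");
        posted.put("field3", "tampered");
        posted.put("role", "admin");
        MyBean open = new MyBean();
        System.out.println("no allow-list: " + bind(open, posted, null)
                + ", field3=" + open.getField3() + ", role=" + open.getRole());
        MyBean limited = new MyBean();
        Set<String> formFields = new HashSet<>(Arrays.asList("field1", "field2"));
        System.out.println("allow-list:    " + bind(limited, posted, formFields)
                + ", field3=" + limited.getField3() + ", role=" + limited.getRole());
    }
}
```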