Brian Relph wrote:
Hi, I am concerned about security in my Struts2 actions.  I am using Spring
to auto-wire my actions by name, but this leads me to believe that a
malicious user can set action properties that I do not want them to.  For
example, I have a .jsp with a form input of "name".  My action has a
getter/setter for the String property "name".  This property is
automatically populated (by the parameterInterceptor?).  I also have a
userDao object on my action, also with getters/setters so that Spring can
auto-wire it.  Is there anything that prevents a user from adding a form
input of "userDao.password" (just for example), and changing the password on
my userDao?  Do I need to do something to only make certain properties of my
action available to be set from request parameters?

Thanks,


Hi Brian,

You can implement the interface "ParameterNameAware". Then, every parameter name is passed to the method "boolean acceptableParameterName(String name)" and the parameter is only set when it returns true.
Cheers,
Daniel
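
One way to apply the suggestion above, as an added example that is not part of the original thread: an action that implements ParameterNameAware with an exact-match allowlist, so "userDao.password" never reaches a setter. `ProfileAction` and the nested `UserDao` are hypothetical names, and the import is the Struts 2.x (XWork) package for the interface.

```java
import com.opensymphony.xwork2.interceptor.ParameterNameAware;
import java.util.Set;

// Hypothetical action for this example; a POJO action is enough for Struts2.
public class ProfileAction implements ParameterNameAware {

    // Hypothetical stand-in for the Spring-wired DAO described in the question.
    public interface UserDao {
        void setPassword(String password);
    }

    // Exact-match allowlist of request parameter names that may reach a setter.
    private static final Set<String> BINDABLE = Set.of("name");

    private String name;
    private UserDao userDao;

    // Consulted for each request parameter name before the value is set.
    // Exact matching rejects nested paths such as "userDao.password" and
    // any other name that is not listed in BINDABLE.
    @Override
    public boolean acceptableParameterName(String parameterName) {
        return parameterName != null && BINDABLE.contains(parameterName);
    }

    public String execute() {
        return "success";
    }

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }

    // Setter exists only so Spring can inject the DAO by name.
    public UserDao getUserDao() { return userDao; }
    public void setUserDao(UserDao userDao) { this.userDao = userDao; }

    // Constructed parameter names, checked the way the hook would be called.
    public static void main(String[] args) {
        ProfileAction action = new ProfileAction();
        for (String p : new String[] {"name", "userDao.password", "userDao", "name[0]"}) {
            System.out.println(p + " -> " + action.acceptableParameterName(p));
        }
    }
}
```

Compiling this needs the Struts 2.x XWork jar on the classpath and Java 9 or later for `Set.of`. New form fields have to be added to `BINDABLE` before they will bind, which keeps the default closed.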
