struts-user mailing list archives

From "Brian Relph" <relp...@gmail.com>
Subject action security
Date Thu, 28 Feb 2008 15:39:42 GMT
Hi, I am concerned about security in my Struts2 actions. I am using Spring
to auto-wire my actions by name, but this leads me to believe that a
malicious user can set action properties that I do not want them to. For
example, I have a .jsp with a form input of "name". My action has a
getter/setter for the String property "name". This property is
automatically populated (by the parameterInterceptor?). I also have a
userDao object on my action, also with getters/setters so that Spring can
auto-wire it. Is there anything that prevents a user from adding a form
input of "userDao.password" (just for example), and changing the password on
my userDao? Do I need to do something to only make certain properties of my
action available to be set from request parameters?

Thanks,

-- 
Brian
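One way to restrict which request parameters the params interceptor may bind, shown here as an added example that is not code from the original message or from the Struts project: the action implements the XWork 2 `ParameterNameAware` interface and accepts only a whitelist of top-level names, so a nested path such as `userDao.password` is dropped before OGNL ever navigates into the DAO. `ActionSupport` and `ParameterNameAware` are real Struts 2 / XWork 2 APIs; `SaveUserAction`, `UserDao` and the allowed-name set are assumptions made for the illustration.

```java
// Added example (not from the original thread): a Struts 2 action that whitelists
// the request parameter names the params interceptor is allowed to set on it.
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Assumed collaborator: a Spring-managed DAO with state an attacker must not reach.
interface UserDao {
    void setPassword(String password);
    void save(String name);
}

public class SaveUserAction extends ActionSupport implements ParameterNameAware {
    // Only these exact, non-nested parameter names may be bound from the request.
    // Anything containing '.', '[' or '(' (OGNL navigation) is rejected by omission.
    private static final Set<String> ALLOWED_PARAMS =
        new HashSet<String>(Arrays.asList("name"));

    private String name;      // bound from the "name" form field
    private UserDao userDao;  // injected by Spring, never from the request

    // The params interceptor calls this for every request parameter before setting it.
    // Returning false silently discards the parameter, so a request carrying
    // "userDao.password=x" has no effect on the injected DAO.
    public boolean acceptableParameterName(String parameterName) {
        return ALLOWED_PARAMS.contains(parameterName);
    }

    public String execute() {
        userDao.save(name);
        return SUCCESS;
    }

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }

    // Spring's by-name auto-wiring only needs the setter; omitting a public getter
    // is a second line of defence, since OGNL cannot navigate "userDao.*" without it.
    public void setUserDao(UserDao userDao) { this.userDao = userDao; }
}
```

The same whitelist can be enforced globally with the params interceptor's `excludeParams` setting in struts.xml, but per-action `acceptableParameterName` keeps the allowed names next to the fields they bind.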
