struts-user mailing list archives

From "Brian Relph" <relp...@gmail.com>
Subject Re: action security
Date Thu, 28 Feb 2008 16:24:06 GMT
So I guess this is a legitimate security concern.  Is there a cleaner way to
do this?  Is there annotation support for it?

On Thu, Feb 28, 2008 at 10:05 AM, Daniel Baldes <db@open.ch> wrote:

> Brian Relph wrote:
> > Hi, I am concerned about security in my Struts2 actions.  I am using Spring
> > to auto-wire my actions by name, but this leads me to believe that a
> > malicious user can set action properties that I do not want them to.  For
> > example, I have a .jsp with a form input of "name".  My action has a
> > getter/setter for the String property "name".  This property is
> > automatically populated (by the parameterInterceptor?).  I also have a
> > userDao object on my action, also with getters/setters so that Spring can
> > auto-wire it.  Is there anything that prevents a user from adding a form
> > input of "userDao.password" (just for example), and changing the password on
> > my userDao?  Do I need to do something to only make certain properties of my
> > action available to be set from request parameters?
> >
> > Thanks,
> >
>
> Hi Brian,
>
> You can implement the interface "ParameterNameAware". Then, every
> parameter name is passed to the method "boolean
> acceptableParameterName(String name)" and the parameter is only set when
> it returns true.
>
> Cheers,
> Daniel


-- 
Brian
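As an added illustration of the approach Daniel describes (this is example code written for this archive page, not code posted in the thread or shipped with Struts), the action below implements the XWork `ParameterNameAware` interface and answers `acceptableParameterName` from an explicit allowlist. Only `name` and `email` can be populated by the parameters interceptor; a submitted `userDao.password` parameter is refused before any setter is reached. The `RegisterAction` class, its `email` property and the nested `UserDao` stub are assumptions made so the file compiles on its own; only `ParameterNameAware`, `acceptableParameterName`, `ActionSupport`, `name` and `userDao` come from the thread or the framework.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

/**
 * Hypothetical Struts 2 action showing an allowlist for request parameters.
 * The parameters interceptor calls acceptableParameterName(...) once per
 * submitted parameter and only invokes a setter when it returns true.
 */
public class RegisterAction extends ActionSupport implements ParameterNameAware {

    // The only parameter names a request is allowed to populate.
    // Anything else, including OGNL navigation such as "userDao.password",
    // is dropped by the interceptor because it is not in this set.
    private static final Set<String> ACCEPTABLE_PARAMS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("name", "email")));

    private String name;
    private String email;

    // Collaborator injected by Spring (auto-wire by name via setUserDao).
    // It is deliberately NOT in ACCEPTABLE_PARAMS: it must never be reachable
    // from the request, even though it has a public setter.
    private UserDao userDao;

    @Override
    public boolean acceptableParameterName(String parameterName) {
        // Exact match only: no prefixes, no wildcards, no nested properties.
        return parameterName != null && ACCEPTABLE_PARAMS.contains(parameterName);
    }

    @Override
    public String execute() {
        userDao.save(name, email);   // hypothetical DAO call
        return SUCCESS;
    }

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }

    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }

    public UserDao getUserDao() { return userDao; }
    public void setUserDao(UserDao userDao) { this.userDao = userDao; }

    // Hypothetical collaborator type, stubbed so the example is self-contained.
    public interface UserDao {
        void save(String name, String email);
        void setPassword(String password);
    }

    // Stand-alone check of the allowlist against constructed parameter names.
    public static void main(String[] args) {
        RegisterAction action = new RegisterAction();
        String[] submitted = { "name", "email", "userDao.password", "name.bytes[0]" };
        for (String p : submitted) {
            System.out.println(p + " -> "
                    + (action.acceptableParameterName(p) ? "accepted" : "rejected"));
        }
    }
}
```

The check is deliberately an exact-match allowlist rather than a denylist of known-bad names: every property the action exposes for Spring injection, and every nested path reachable through it, stays unreachable unless it is listed. If a form genuinely needs a nested property (for example `address.city`), add that exact string to the set rather than accepting a whole prefix.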
