struts-user mailing list archives

From Daniel Baldes ...@open.ch>
Subject Re: action security
Date Thu, 28 Feb 2008 16:05:00 GMT
Brian Relph wrote:
> Hi, I am concerned about security in my Struts 2 actions.  I am using Spring
> to auto-wire my actions by name, but this leads me to believe that a
> malicious user can set action properties that I do not want them to.  For
> example, I have a .jsp with a form input of "name".  My action has a
> getter/setter for the String property "name".  This property is
> automatically populated (by the parameterInterceptor?).  I also have a
> userDao object on my action, also with getters/setters so that Spring can
> auto-wire it.  Is there anything that prevents a user from adding a form
> input of "userDao.password" (just for example), and changing the password on
> my userDao?  Do I need to do something to only make certain properties of my
> action available to be set from request parameters?
> 
> Thanks,
> 

Hi Brian,

You can implement the interface "ParameterNameAware". Then, every 
parameter name is passed to the method "boolean 
acceptableParameterName(String name)" and the parameter is only set when 
it returns true.

Cheers,
Daniel
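An added example of the allow-list approach Daniel describes, written for the action in Brian's question; it is not code from this thread. It assumes a Struts 2 release of that era, where ParameterNameAware lives in com.opensymphony.xwork2.interceptor, and the class names RegisterAction and UserDao are hypothetical.

```java
package example; // hypothetical package

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

/** Hypothetical DAO type standing in for the Spring-injected collaborator. */
interface UserDao {
    void setPassword(String password);
}

/**
 * Hypothetical action: "name" is meant to come from the form, while "userDao"
 * is injected by Spring and must never be reachable from request parameters.
 */
public class RegisterAction extends ActionSupport implements ParameterNameAware {

    // Allow-list: the only parameter names the params interceptor may set on
    // this action. Everything else (including nested paths) is refused.
    private static final Set<String> ALLOWED_PARAMS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("name")));

    private String name;      // populated from the request
    private UserDao userDao;  // populated by Spring auto-wiring only

    /**
     * Called by the params interceptor once per submitted parameter name.
     * Returning false means the value is dropped before OGNL touches the action,
     * so a submitted "userDao.password" never reaches UserDao.setPassword().
     */
    public boolean acceptableParameterName(String parameterName) {
        return parameterName != null && ALLOWED_PARAMS.contains(parameterName);
    }

    public String execute() {
        // Business logic would use name and userDao here.
        return SUCCESS;
    }

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }

    public UserDao getUserDao() { return userDao; }
    public void setUserDao(UserDao userDao) { this.userDao = userDao; }
}
```

Keeping the list explicit means a new setter added to the action later is not exposed to the request until it is deliberately added to ALLOWED_PARAMS.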

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org

