struts-user mailing list archives

From "J. Garcia" <jogaco...@gmail.com>
Subject Re: data injection attack
Date Wed, 04 Jul 2012 14:40:51 GMT
Spring security allows protecting method calls via annotations like
@Secured, @PreAuthorize, @PostFilter, but I was interested in something
lighter.

On Wed, Jul 4, 2012 at 4:29 PM, Marcus Bond <marcus@marcusbond.me.uk> wrote:

> You could implement a class that delegates to your bean but only exposes
> setters and getters that are appropriate, so in the case of the id then you
> could let the user view it (getter) but not allow the setter.
>
> A perhaps even better approach would be to devise a proxying mechanism
> (perhaps configured via annotations) and have a security layer be
> responsible for which methods can be called - this not only would prevent
> url parameters being set but also prevent restricted fields of any object
> being updated.
>
> Marcus.
>
>
>
> -----Original Message-----
> From: J. Garcia [mailto:jogaco.en@gmail.com]
> Sent: 04 July 2012 14:49
> To: Struts Users Mailing List; lukasz.lenart@gmail.com
> Subject: Re: data injection attack
>
> My action would have:
>
> public void setMyBean( MyBean myBean) {...}
>
> and I would like to avoid an injection on myBean.field3. This field could
> be the owner id for instance!
>
> On Wed, Jul 4, 2012 at 3:34 PM, Łukasz Lenart
> <lukasz.lenart@googlemail.com> wrote:
>
> > Another way is to use AnnotationParameterFilterIntereptor (name
> > contains typo) and @Allowed and @Blocked annotations
> >
> >
> > Regards
> > --
> > Łukasz
> > mobile +48 606 323 122 http://www.lenart.org.pl/ Warszawa JUG
> > conference - Confitura http://confitura.pl/
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> > For additional commands, e-mail: user-help@struts.apache.org
> >
> >
>
>
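The delegating wrapper Marcus describes, written out as an added example that is not code from this thread or from Struts itself; the bean, its field names, `ownerId` standing in for the protected `field3`, and the `EditAction` class are all assumptions.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.util.Map;
import java.util.TreeMap;

// Domain bean as in the thread; ownerId stands in for "field3" (assumed name).
class MyBean {
    private String field1;
    private long ownerId;
    public String getField1() { return field1; }
    public void setField1(String v) { field1 = v; }
    public long getOwnerId() { return ownerId; }
    public void setOwnerId(long v) { ownerId = v; }
}

// Delegating view bound to the request instead of MyBean: ownerId has a getter only.
class MyBeanForm {
    private final MyBean target;
    MyBeanForm(MyBean target) { this.target = target; }
    public String getField1() { return target.getField1(); }
    public void setField1(String v) { target.setField1(v); }
    public long getOwnerId() { return target.getOwnerId(); } // readable, never settable
}

// The action exposes the view, so "myBean.ownerId" in a request resolves against MyBeanForm,
// whose lack of a setter leaves the parameters interceptor nothing to call (assumed action).
class EditAction {
    private final MyBean entity = new MyBean();
    private final MyBeanForm myBean = new MyBeanForm(entity);
    public MyBeanForm getMyBean() { return myBean; }
}

public class WritableProperties {
    // Which properties a setter-based binder could write, per java.beans introspection.
    static Map<String, Boolean> writable(Class<?> c) throws Exception {
        Map<String, Boolean> out = new TreeMap<>();
        for (PropertyDescriptor pd : Introspector.getBeanInfo(c, Object.class).getPropertyDescriptors()) {
            out.put(pd.getName(), pd.getWriteMethod() != null);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Compare the entity with the view the action actually exposes to request binding.
        System.out.println("MyBean:     " + writable(MyBean.class));
        System.out.println("MyBeanForm: " + writable(MyBeanForm.class));
    }
}
```

Running it shows `ownerId` as writable on `MyBean` but not on `MyBeanForm`, which is the property the request parameter `myBean.ownerId` would be resolved against.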
