How to update entity partially

#16

Thanks Harald

With the overhead of some session state this worked the best for me. I also added an initBinder to stop people tampering with the data:

Code:
    import javax.servlet.http.HttpServletRequest;
    import org.springframework.web.bind.WebDataBinder;
    import org.springframework.web.bind.annotation.InitBinder;

    // On PUT (update) requests, refuse to bind the identity and credential
    // fields so extra request parameters cannot overwrite them.
    @InitBinder
    public void initBinder(WebDataBinder binder, HttpServletRequest request) {
        if (request.getMethod().equals("PUT")) {
            binder.setDisallowedFields("id", "username", "password");
        }
    }


#17

Originally posted by SteveH1UK:
    Thanks Harald

    With the overhead of some session state this worked the best for me. I also added an initBinder to stop people tampering with the data:

I agree.

Data submission to Non-Editable Fields is a known issue:
http://www.springsource.com/security/spring-mvc

DataBinder doc:
Note that there are potential security implications in failing to set an array of allowed fields. In the case of HTTP form POST data for example, malicious clients can attempt to subvert an application by supplying values for fields or properties that do not exist on the form. In some cases this could lead to illegal data being set on command objects or their nested objects. For this reason, it is highly recommended to specify the allowedFields property on the DataBinder.
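To make the difference between the two approaches in this thread concrete, here is an added, stand-alone illustration (not code from the thread, and not a file from any Spring or Roo project) that runs Spring's DataBinder three ways against one constructed PUT body: with no field restrictions, with the block list from post #16 (setDisallowedFields), and with the allow list the DataBinder javadoc quoted in post #17 recommends (setAllowedFields). It assumes spring-beans and spring-context on the classpath; the Account class, field names and request values are constructed for the demo.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;

/*
 * Added illustration, not code from the forum thread. Shows what a client can
 * change by adding parameters that were never on the edit form, and how
 * disallowedFields (post #16) and allowedFields (DataBinder javadoc, post #17)
 * stop it. Account and all values below are constructed for this demo.
 */
public class BindingRestrictionDemo {

    /** Hypothetical command object; id, username and password must not change on a PUT. */
    public static class Account {
        private Long id = 7L;
        private String username = "steve";
        private String password = "original-hash";
        private String email = "old@example.com";
        private String displayName = "Steve";
        public Long getId() { return id; }                       public void setId(Long v) { id = v; }
        public String getUsername() { return username; }         public void setUsername(String v) { username = v; }
        public String getPassword() { return password; }         public void setPassword(String v) { password = v; }
        public String getEmail() { return email; }               public void setEmail(String v) { email = v; }
        public String getDisplayName() { return displayName; }   public void setDisplayName(String v) { displayName = v; }
        @Override public String toString() {
            return "Account{id=" + id + ", username=" + username + ", password=" + password
                 + ", email=" + email + ", displayName=" + displayName + "}";
        }
    }

    /** Constructed PUT body: the two legitimate form fields plus three that were never on the form. */
    static MutablePropertyValues tamperedRequest() {
        Map<String, String> params = new LinkedHashMap<>();
        params.put("email", "new@example.com");
        params.put("displayName", "Stephen");
        params.put("id", "42");              // would retarget the update at another row
        params.put("username", "admin");     // would take over a different identity
        params.put("password", "attacker");  // would overwrite the stored credential
        return new MutablePropertyValues(params);
    }

    /** No restrictions: every submitted parameter is written to the entity. */
    static Account bindUnrestricted() {
        Account target = new Account();
        DataBinder binder = new DataBinder(target);
        binder.bind(tamperedRequest());
        return target;
    }

    /** Block list, as in post #16. Note that a field added to Account later is not covered. */
    static Account bindWithDisallowedFields() {
        Account target = new Account();
        DataBinder binder = new DataBinder(target);
        binder.setDisallowedFields("id", "username", "password");
        binder.bind(tamperedRequest());
        report("disallowedFields", binder);
        return target;
    }

    /** Allow list, as the DataBinder javadoc recommends: only the named fields bind,
     *  so any field added to Account later is protected by default. */
    static Account bindWithAllowedFields() {
        Account target = new Account();
        DataBinder binder = new DataBinder(target);
        binder.setAllowedFields("email", "displayName");
        binder.bind(tamperedRequest());
        report("allowedFields", binder);
        return target;
    }

    /** The binder records which submitted fields it refused; logging this exposes tampering attempts. */
    static void report(String mode, DataBinder binder) {
        String[] suppressed = binder.getBindingResult().getSuppressedFields();
        System.out.println(mode + " suppressed: " + Arrays.toString(suppressed));
    }

    public static void main(String[] args) {
        System.out.println("unrestricted:     " + bindUnrestricted());
        System.out.println("disallowedFields: " + bindWithDisallowedFields());
        System.out.println("allowedFields:    " + bindWithAllowedFields());
    }
}
```

Run with the Spring jars on the classpath: the unrestricted binding comes back with id=42, username=admin and password=attacker, while both restricted bindings keep the original values and report id, username and password as suppressed. The allow list is the safer default for the reason the javadoc gives: it protects properties that do not exist yet, whereas the block list has to be updated every time a sensitive field is added to the entity.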


#18

Great link Harald, never looked into this page before.


#19

Even with populating an initBinder, this is better than Struts where you need to create an ActionForm which also protects you from users tampering with data.

The only thing I do not like about this solution is the requirement for state (well, for an application that might need to scale highly). The only solution I can think of to reduce state is to check (ideally with AOP) that the user is entitled to update with the entity key (which will then be a hidden field).


#20

Example of @InitBinder in use

Hi Steve or Harald,

Have either of you got an example of this solution working that you can share with this forum? I've encountered the same issue and would like to try out your solution.

/KramKroc


#21

Here is a zip of a Roo project (from the backup command, although I had to delete a few test files and images to get the zip within the forum's maximum file size).