  • How do I prevent form tampering?

    In Spring MVC, how do I prevent malicious modifications of a command object's properties via form tampering or wget/curl requests?

    For example, let's say that I have a User object with username, password, and enabled properties and my business requirements state that when users register themselves, they have to be disabled by default. I know that I can create a validator to ensure that enabled is false, or that I can wrap the User with something that hides access to enabled (or hide access to enabled on User itself), but what if I don't want to do either? For instance, maybe administrators can create Users that are enabled by default, and I don't want to code the business logic to support that in my validator, or I don't want to wrap the User object because I think it is an unwarranted layer of complexity.

    It seems like this is a pretty fundamental issue, in fact I know Rails has first-class support through its attr_protected macro (don't want to start a flame, just making an example here).

    I am looking for first-class support here, or a general way of doing this that doesn't require jumping through hoops. Is there something I am missing with Spring MVC or Spring Security here?
    Last edited by john.wheeler; Aug 1st, 2008, 09:52 PM.
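
    As an added example (not part of the original post or of Spring's own code), here is one way to stop a self-registration request from setting `enabled` without touching the domain object or the validator: restrict what the data binder will bind for that one endpoint. The `User` class, the controller, and the tampered request below are all constructed for illustration; `DataBinder.setAllowedFields` and `@InitBinder` are real Spring APIs (present since Spring 2.5 for the annotation form).

    ```java
    import org.springframework.beans.MutablePropertyValues;
    import org.springframework.stereotype.Controller;
    import org.springframework.validation.BindingResult;
    import org.springframework.validation.DataBinder;
    import org.springframework.web.bind.WebDataBinder;
    import org.springframework.web.bind.annotation.InitBinder;
    import org.springframework.web.bind.annotation.ModelAttribute;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;

    // Hypothetical command object: the thread's User with the three properties it describes.
    class User {
        private String username;
        private String password;
        private boolean enabled;          // must stay false for self-registration

        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
        public String getPassword() { return password; }
        public void setPassword(String password) { this.password = password; }
        public boolean isEnabled() { return enabled; }
        public void setEnabled(boolean enabled) { this.enabled = enabled; }
    }

    // Self-registration endpoint. Only the listed fields may be bound from the request;
    // an "enabled=true" parameter added by a tampered form or a curl request is dropped.
    @Controller
    public class RegistrationController {

        @InitBinder("user")
        public void restrictRegistrationBinding(WebDataBinder binder) {
            // Allow-list, not deny-list: a property added to User later is blocked by default.
            binder.setAllowedFields("username", "password");
        }

        @RequestMapping(value = "/register", method = RequestMethod.POST)
        public String register(@ModelAttribute("user") User user, BindingResult result) {
            if (result.hasErrors()) {
                return "registerForm";
            }
            // user.isEnabled() is still false here regardless of what the client sent
            return "redirect:/registered";
        }
    }

    // An admin endpoint would simply not install that restriction (or allow "enabled" too),
    // so the "admins may create enabled users" rule lives in binding config, not in the validator.

    // Container-free demonstration of the same binder behaviour, using the plain DataBinder
    // with a constructed, tampered parameter set standing in for the HTTP request.
    class AllowedFieldsDemo {
        public static void main(String[] args) {
            MutablePropertyValues tampered = new MutablePropertyValues();
            tampered.add("username", "mallory");
            tampered.add("password", "secret");
            tampered.add("enabled", "true");   // the field the attacker is trying to set

            User target = new User();
            DataBinder binder = new DataBinder(target, "user");
            binder.setAllowedFields("username", "password");
            binder.bind(tampered);

            System.out.println("enabled after binding: " + target.isEnabled());
            // Spring records which submitted fields it refused, useful for logging the attempt.
            for (String field : binder.getBindingResult().getSuppressedFields()) {
                System.out.println("suppressed field: " + field);
            }
        }
    }
    ```

    `setAllowedFields` is preferable to `setDisallowedFields` because it fails closed: a new property on `User` is not bindable until someone lists it. The suppressed-field list from `getBindingResult().getSuppressedFields()` is worth logging, since a request carrying `enabled` from a form that never rendered that field is a clear tampering signal rather than a user mistake.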

  • #2
    This sounds similar to a recent question. Does that help?


    • #3

      That is what I was looking for. A recent security advisory was released, and this is going to be fixed in the next 2.5.x release of Spring. Thanks.