
  • Security of form fields in *FormController

    I am wondering, when using SimpleFormController, AbstractFormController, etc: For the properties of an object that you don't bind in your view (using spring:bind tags), is it possible for an attacker to submit these fields, or are only the fields that are bound allowed to be submitted?

  • #2
    Re: Security of form fields in *FormController

    Originally posted by nilesh
    I am wondering, when using SimpleFormController, AbstractFormController, etc: For the properties of an object that you don't bind in your view (using spring:bind tags), is it possible for an attacker to submit these fields, or are only the fields that are bound allowed to be submitted?
    No, they won't be mapped to the command object, just the ones Spring knows about. Actually, this is an important consequence because if you do not have sessions turned on (setSession( true )), the extra properties that are not bound by Spring will lose their state if I remember (haven't used it in a while). I could be wrong. By making the form use a session, you can have other properties contain data but not exposed to the view and everything should be okay.



    • #3
      No, they won't be mapped to the command object, just the ones spring knows about
      I am not sure this is true. I tried and I found that Spring binds all the properties with a matching input. Is there a way to prevent this?
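
An added example, not written by any poster in this thread: it binds the same constructed parameters with a default `DataBinder` and with one restricted through `setAllowedFields`, the binder setting that limits which properties a request may populate. The `Account` class, its fields and the parameter values are hypothetical; it assumes spring-beans and spring-context on the classpath.

```java
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;

public class AllowedFieldsDemo {

    // Hypothetical command object: the view only renders name and email.
    public static class Account {
        private String name;
        private String email;
        private boolean admin; // never rendered in the view
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean admin) { this.admin = admin; }
    }

    // Constructed request parameters: two form fields plus one the view never offered.
    static MutablePropertyValues submitted() {
        MutablePropertyValues pvs = new MutablePropertyValues();
        pvs.addPropertyValue("name", "alice");
        pvs.addPropertyValue("email", "alice@example.test");
        pvs.addPropertyValue("admin", "true");
        return pvs;
    }

    public static void main(String[] args) {
        // Default binder: any parameter whose name matches a writable property is bound,
        // whether or not the view contained a field for it.
        Account open = new Account();
        new DataBinder(open, "account").bind(submitted());
        System.out.println("default binder: admin=" + open.isAdmin());

        // Restricted binder: only the listed properties are bound; the rest are dropped.
        // In a SimpleFormController subclass the same call goes in an overridden
        // initBinder(HttpServletRequest, ServletRequestDataBinder).
        Account restricted = new Account();
        DataBinder binder = new DataBinder(restricted, "account");
        binder.setAllowedFields(new String[] {"name", "email"});
        binder.bind(submitted());
        System.out.println("allowed fields: admin=" + restricted.isAdmin());

        // Dropped parameters are recorded on the binding result; logging them
        // gives a signal that a request carried fields the form never exposed.
        for (String field : binder.getBindingResult().getSuppressedFields()) {
            System.out.println("suppressed field: " + field);
        }
    }
}
```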
