
I am using Spring 3.2 and I am looking for a way to force controllers to specify which attributes are allowed to be bound, so malicious users cannot inject values into bound objects. Spring recommends using setAllowedFields() to white-list / setDisallowedFields() to black-list.

Instead of building this white-list manually, I want to do it dynamically, so I want to bind only the attributes that are visible on the form.

So is it possible to get this white-list? Is there any way that I can get the visible attributes on the form?

Thanks.

AnnH
  • Can you explain a little better what you are trying to do? I don't quite understand what you are trying to solve here. The `initBinder()` is used to instruct Spring how to convert the String data from the UI post into your domain object/model attribute. – CodeChimp Nov 07 '13 at 12:13
  • Oh, I'm sorry. So let's say I have a form that contains firstname, lastname, and is-administrator-or-not (let's say isAdministrator). Firstname and lastname are visible, so users can modify these two parameters. However, they don't see the isAdministrator attribute; by sending a specific request they can change it. I want to retrieve the visible attributes dynamically, because I have a large application, and creating a whitelist/blacklist manually would be tedious work. I am using the 'ConfigurableWebBindingInitializer' 'initBinder()' method; this way I can globally force the controllers. – AnnH Nov 07 '13 at 13:33
  • If you are putting the Model Attribute in session, why are you putting isAdministrator on the page at all? If you set it in the Model Attribute, and have it set as a Session attribute, then the value will remain everywhere, and won't be visible at all to the user. – CodeChimp Nov 07 '13 at 17:06

1 Answer


You could implement a RequestDataValueProcessor, especially the method processFormFieldValue. You could construct a collection of allowed field names and store this in the session.

Next you would extend the ConfigurableWebBindingInitializer and override the initBinder method, which would retrieve the collection and pre-configure the WebDataBinder there.

And finally you would need some configuration to wire everything together.

Links

  • RequestDataValueProcessor javadoc
  • ConfigurableWebBindingInitializer javadoc
M. Deinum
  • Can I ask you how 'RequestDataValueProcessor' works and how its methods get called? I've noticed that it has four methods and I have to implement all of them. What are the differences between them? – AnnH Nov 07 '13 at 14:07
  • The `RequestDataValueProcessor` is called by Spring's form tag library (if one is found in the `ApplicationContext` of the `DispatcherServlet`). You might want to check out the javadoc (added a link to the answer). – M. Deinum Nov 07 '13 at 14:10
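As an added illustration of the design in the answer above (example code, not M. Deinum's or Spring's own), assuming the Spring 3.2 signatures processAction(request, action) and initBinder(binder, webRequest), and a session attribute name chosen here; the two classes go in separate files:

```java
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.support.ConfigurableWebBindingInitializer;
import org.springframework.web.context.request.WebRequest;
import org.springframework.web.servlet.support.RequestDataValueProcessor;

/** Records every field the Spring form tags render, so the binder can allow exactly those. */
public class RenderedFieldRecorder implements RequestDataValueProcessor {
    // Session attribute key (chosen for this example); holds the field names of the last rendered form.
    static final String ATTR = RenderedFieldRecorder.class.getName() + ".fields";

    public String processAction(HttpServletRequest request, String action) {
        // <form:form> resolves its action before any field in its body renders: start a fresh set.
        request.getSession(true).setAttribute(ATTR, new LinkedHashSet<String>());
        return action;
    }

    public String processFormFieldValue(HttpServletRequest request, String name, String value, String type) {
        @SuppressWarnings("unchecked")
        Set<String> fields = (Set<String>) request.getSession(true).getAttribute(ATTR);
        if (fields != null) {
            fields.add(name); // the bound path, e.g. "firstName" or "address.city"; hidden inputs count too
        }
        return value; // do not alter the rendered value
    }

    public Map<String, String> getExtraHiddenFields(HttpServletRequest request) { return null; }

    public String processUrl(HttpServletRequest request, String url) { return url; }
}

/** Global binder setup: only fields the recorder saw may be bound; fail closed when nothing was recorded. */
public class RenderedFieldsBindingInitializer extends ConfigurableWebBindingInitializer {
    @Override
    public void initBinder(WebDataBinder binder, WebRequest request) {
        super.initBinder(binder, request); // keep validator, conversion service etc. configured on the bean
        @SuppressWarnings("unchecked")
        Set<String> fields = (Set<String>) request.getAttribute(RenderedFieldRecorder.ATTR, WebRequest.SCOPE_SESSION);
        if (fields == null || fields.isEmpty()) {
            // DataBinder treats an empty allowed list as "allow everything", so block explicitly instead.
            binder.setDisallowedFields("*");
        } else {
            binder.setAllowedFields(fields.toArray(new String[fields.size()]));
        }
    }
}
```

Wire the recorder as a bean named `requestDataValueProcessor` (the name the form tags look up) and set the initializer as the `webBindingInitializer` of the `RequestMappingHandlerAdapter`. Because one session attribute holds only the most recently rendered form, a user with two forms open in the same session would need the recorded sets keyed by form action instead.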