Spring Security allows protecting method calls via annotations like @Secured, @PreAuthorize and @PostFilter, but I was interested in something lighter.
On Wed, Jul 4, 2012 at 4:29 PM, Marcus Bond <mar...@marcusbond.me.uk> wrote:
> You could implement a class that delegates to your bean but only exposes
> setters and getters that are appropriate, so in the case of the id then you
> could let the user view it (getter) but not allow the setter.
>
> A perhaps even better approach would be to devise a proxying mechanism
> (perhaps configured via annotations) and have a security layer be
> responsible for which methods can be called - this not only would prevent
> url parameters being set but also prevent restricted fields of any object
> being updated.
>
> Marcus.
>
> -----Original Message-----
> From: J. Garcia [mailto:jogaco...@gmail.com]
> Sent: 04 July 2012 14:49
> To: Struts Users Mailing List; lukasz.len...@gmail.com
> Subject: Re: data injection attack
>
> My action would have:
>
> public void setMyBean(MyBean myBean) {...}
>
> and I would like to avoid an injection on myBean.field3. This field could
> be the owner id for instance!
>
> On Wed, Jul 4, 2012 at 3:34 PM, Łukasz Lenart
> <lukasz.len...@googlemail.com> wrote:
>
> > Another way is to use AnnotationParameterFilterIntereptor (name
> > contains typo) and @Allowed and @Blocked annotations
> >
> > Regards
> > --
> > Łukasz
> > mobile +48 606 323 122 http://www.lenart.org.pl/ Warszawa JUG
> > conference - Confitura http://confitura.pl/
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> > For additional commands, e-mail: user-h...@struts.apache.org
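The delegating-wrapper approach Marcus describes, as an added example that is not code from this thread or from Struts: the hypothetical MyBean (field1 plus field3 as the owner id), the MyBeanForm wrapper and the simplified bind() stand-in for the framework's parameter binding are all assumptions made for the illustration.

```java
import java.util.HashMap;
import java.util.Map;
// Hypothetical bean behind the action's setMyBean(); field3 is the owner id.
class MyBean {
    private String field1;
    private long field3;
    public String getField1() { return field1; }
    public void setField1(String v) { field1 = v; }
    public long getField3() { return field3; }
    public void setField3(long v) { field3 = v; }
}
// Wrapper handed to parameter binding instead of MyBean: field1 is delegated
// read-write, but the owner id gets only a getter, so a request parameter
// "myBean.field3=..." has no setter to land on.
class MyBeanForm {
    private final MyBean target;
    MyBeanForm(MyBean target) { this.target = target; }
    public String getField1() { return target.getField1(); }
    public void setField1(String v) { target.setField1(v); }
    public long getField3() { return target.getField3(); }
}
public class InjectionDemo {
    // Simplified stand-in for the framework's binder (assumption): "name=value"
    // is bound only if the wrapper has a public setName(String); anything
    // else is reported and dropped.
    static void bind(Object form, Map<String, String> params) throws Exception {
        for (Map.Entry<String, String> e : params.entrySet()) {
            String name = e.getKey();
            String setter = "set" + Character.toUpperCase(name.charAt(0)) + name.substring(1);
            try {
                form.getClass().getMethod(setter, String.class).invoke(form, e.getValue());
            } catch (NoSuchMethodException ex) {
                System.out.println("rejected parameter: " + name);
            }
        }
    }
    public static void main(String[] args) throws Exception {
        MyBean bean = new MyBean();
        bean.setField3(42L); // owner id set server-side, never from the request
        Map<String, String> params = new HashMap<>(); // constructed request params
        params.put("field1", "hello");
        params.put("field3", "7"); // attempt to overwrite the owner id
        bind(new MyBeanForm(bean), params);
        System.out.println("field1=" + bean.getField1() + " ownerId=" + bean.getField3());
    }
}
```

The same read-only boundary is what the @Allowed/@Blocked annotations Łukasz mentions express declaratively; the wrapper simply makes it structural, so a new field added to MyBean is unbindable until someone deliberately exposes it.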