Hi,

Because it's easier for beginners, I guess. You can use @StrictBinding to avoid unintended binding.
http://stripes.sourceforge.net/docs/current/javadoc/net/sourceforge/stripes/action/StrictBinding.html

Regards,
Iwao

on 10/03/26 3:13 Caine Lai said the following:
> I've been using Stripes for a couple of years now and love it. However,
> I have recently been thinking about some security problems with binding
> directly into a domain model in action beans. The problem is that
> Stripes will bind to properties even if there is no @Validate annotation
> on a field.
>
> Imagine the following domain object, simplified for demonstration purposes:
>
>     public class User {
>
>         private String role, email;
>
>         public void setRole(String role) { this.role = role; }
>
>         public String getRole() { return this.role; }
>
>         public void setEmail(String email) { this.email = email; }
>
>         public String getEmail() { return this.email; }
>     }
>
> Now in my action bean, I use a user object for an update form and define
> some validators to it:
>
>     @ValidateNestedProperties({
>         @Validate(field = "email", required = true, maxlength =
>             ModelConstants.EMAIL_MAX_LENGTH, converter = EmailTypeConverter.class),
>     })
>     private User user;
>
>     public Resolution update() {
>         user.merge();
>     }
>
> Now if I am a regular user with the "USER" role, I can request the
> following url:
> http://www.someserver.com/context/action_mapping/update?user.email=someem...@somedomain.com&role=ADMIN
>
> Now even though I do not specify a validator on the role field, Stripes
> will still bind to that field and the user has just elevated their
> privileges to ADMIN. Again, simplified example but this could pose all
> kinds of security holes and problems in an application.
>
> Is there a reason Stripes binds to properties even when there is no
> validator or type converter defined on the property?
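As an added illustration (not code from the thread or from the Stripes project), here is the update action bean from the quoted message closed with @StrictBinding, so that only nested properties of `user` that carry a @Validate annotation or appear in the allow list are bound from the request, while `user.role` is explicitly denied. The URL binding, event name, forward target and the email length limit are assumptions; `User` is the domain class shown in the quoted message.

```java
import net.sourceforge.stripes.action.ActionBean;
import net.sourceforge.stripes.action.ActionBeanContext;
import net.sourceforge.stripes.action.DefaultHandler;
import net.sourceforge.stripes.action.ForwardResolution;
import net.sourceforge.stripes.action.Resolution;
import net.sourceforge.stripes.action.StrictBinding;
import net.sourceforge.stripes.action.UrlBinding;
import net.sourceforge.stripes.validation.Validate;
import net.sourceforge.stripes.validation.ValidateNestedProperties;

// Hypothetical action bean; the URL binding and event name are assumptions.
@UrlBinding("/user/update.action")
@StrictBinding(
    // DENY by default: a request parameter is bound only if the matching
    // property is validated with @Validate or listed in 'allow'.
    defaultPolicy = StrictBinding.Policy.DENY,
    // 'deny' wins over 'allow' and over @Validate, so the privileged field
    // stays closed even if someone later adds a validator for it.
    deny = {"user.role"}
)
public class UpdateUserActionBean implements ActionBean {
    private ActionBeanContext context;

    // Only 'user.email' carries a validator (maxlength is an assumed value),
    // so it is the only property of 'user' the binder will populate.
    @ValidateNestedProperties({
        @Validate(field = "email", required = true, maxlength = 254)
    })
    private User user;

    public ActionBeanContext getContext() { return context; }
    public void setContext(ActionBeanContext context) { this.context = context; }

    public User getUser() { return user; }
    public void setUser(User user) { this.user = user; }

    @DefaultHandler
    public Resolution update() {
        // A request carrying '?user.role=ADMIN' reaches this handler with
        // user.getRole() still unset: the parameter was dropped, not bound.
        user.merge();
        return new ForwardResolution("/user/updated.jsp");
    }
}
```

Without @StrictBinding (or with defaultPolicy = ALLOW and no deny entry), the same request would set the role exactly as the quoted message describes.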
_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users