Of course it is that easy. =)  How did I miss this?  Thanks a ton!

On Thu, Mar 25, 2010 at 11:31 AM, Iwao AVE! <haraw...@gmail.com> wrote:

> Hi,
>
> Because it's easier for beginners, I guess.
> You can use @StrictBinding to avoid unintended binding.
>
>
> http://stripes.sourceforge.net/docs/current/javadoc/net/sourceforge/stripes/action/StrictBinding.html
>
> Regards,
> Iwao
>
> on 10/03/26 3:13 Caine Lai said the following:
> > I've been using Stripes for a couple of years now and love it.  However,
> > I have recently been thinking about some security problems with binding
> > directly into a domain model in action beans.  The problem is that
> > Stripes will bind to properties even if there is no @Validate annotation
> > on a field.
> >
> > Imagine the following domain object, simplified for demonstration
> purposes:
> >
> > public class User {
> >
> >       private String role, email;
> >
> >       public void setRole(String role) { this.role = role; }
> >
> >       public String getRole() { return this.role; }
> >
> >       public void setEmail(String email) { this.email = email; }
> >
> >       public String getEmail() { return this.email; }
> > }
> >
> > Now in my action bean, I use a user object for an update form and define
> > some validators to it:
> >
> > @ValidateNestedProperties({
> >          @Validate(field = "email", required = true, maxlength =
> > ModelConstants.EMAIL_MAX_LENGTH, converter=EmailTypeConverter.class),
> > })
> > private User user;
> >
> > public Resolution update() {
> >       user.merge();
> > }
> >
> > Now if I am a regular user with the "USER" role, I can request the
> > following url:
> >
> http://www.someserver.com/context/action_mapping/update?user.email=someem...@somedomain.com&role=ADMIN
> >
> > Now even though I do not specify a validator on the role field, Stripes
> > will still bind to that field and the user has just elevated their
> > privileges to ADMIN.  Again, simplified example but this could pose all
> > kinds of security holes and problems in an application.
> >
> > Is there a reason Stripes binds to properties even when there is no
> > validator or type converter defined on the property?
>
------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users
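For reference, here is the update action bean from the thread with the @StrictBinding fix Iwao points to applied. This is an added example, not code from the thread or from the Stripes project; it assumes the `User` class above (with its `merge()` method), and the action bean class name and the forward path are hypothetical.

```java
import net.sourceforge.stripes.action.ActionBean;
import net.sourceforge.stripes.action.ActionBeanContext;
import net.sourceforge.stripes.action.DefaultHandler;
import net.sourceforge.stripes.action.ForwardResolution;
import net.sourceforge.stripes.action.Resolution;
import net.sourceforge.stripes.action.StrictBinding;
import net.sourceforge.stripes.validation.Validate;
import net.sourceforge.stripes.validation.ValidateNestedProperties;

// Added example (hypothetical class name). With @StrictBinding and its default
// policy (DENY), Stripes only binds request parameters onto properties that
// carry a @Validate annotation (or that are listed in the annotation's
// allow list). "user.email" is validated, so it binds; "user.role" is not,
// so a request carrying user.role=ADMIN leaves the role untouched instead
// of silently writing it into the domain object.
@StrictBinding
public class UserUpdateActionBean implements ActionBean {

    private ActionBeanContext context;

    // Same validators as in the thread: email is the only bindable property of user.
    @ValidateNestedProperties({
        @Validate(field = "email", required = true,
                  maxlength = ModelConstants.EMAIL_MAX_LENGTH,
                  converter = EmailTypeConverter.class)
    })
    private User user;

    public ActionBeanContext getContext() { return context; }
    public void setContext(ActionBeanContext context) { this.context = context; }

    // Stripes needs the accessor pair to reach nested properties such as user.email.
    public User getUser() { return user; }
    public void setUser(User user) { this.user = user; }

    @DefaultHandler
    public Resolution update() {
        user.merge();
        // Hypothetical view path; the thread's example omits the return value.
        return new ForwardResolution("/WEB-INF/jsp/user_updated.jsp");
    }
}
```

Without the @StrictBinding annotation this bean behaves exactly as Caine describes: any request parameter matching a settable property path is bound, validator or not.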
