You could implement a class that delegates to your bean but only exposes the setters and getters that are appropriate, so in the case of the id you could let the user view it (getter) but not allow the setter.
A perhaps even better approach would be to devise a proxying mechanism (perhaps configured via annotations) and have a security layer be responsible for which methods can be called - this would not only prevent URL parameters from being set but also prevent restricted fields of any object from being updated.

Marcus.

-----Original Message-----
From: J. Garcia [mailto:[email protected]]
Sent: 04 July 2012 14:49
To: Struts Users Mailing List; [email protected]
Subject: Re: data injection attack

My action would have:

public void setMyBean( MyBean myBean) {...}

and I would like to avoid an injection on myBean.field3. This field could be the owner id, for instance!

On Wed, Jul 4, 2012 at 3:34 PM, Łukasz Lenart <[email protected]> wrote:
> Another way is to use AnnotationParameterFilterIntereptor (name
> contains typo) and @Allowed and @Blocked annotations
>
>
> Regards
> --
> Łukasz
> mobile +48 606 323 122 http://www.lenart.org.pl/
> Warszawa JUG conference - Confitura http://confitura.pl/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
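The delegate approach from the reply above, written out as an added example (not code from this thread or from Struts): `MyBean`, `MyBeanView` and the `populate` helper are hypothetical stand-ins, and `populate` only mimics setter-based request-parameter population so the example runs without a Struts runtime.

```java
import java.lang.reflect.Method;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical domain bean; field3 plays the role of the owner id.
class MyBean {
    private String field1, field2, field3;
    public String getField1() { return field1; }  public void setField1(String v) { field1 = v; }
    public String getField2() { return field2; }  public void setField2(String v) { field2 = v; }
    public String getField3() { return field3; }  public void setField3(String v) { field3 = v; }
}

// View of MyBean that delegates to the real bean but exposes no setter for field3,
// so request-driven population can read the owner id but never overwrite it.
class MyBeanView {
    private final MyBean target;
    MyBeanView(MyBean target) { this.target = target; }
    public String getField1() { return target.getField1(); }
    public void setField1(String v) { target.setField1(v); }
    public String getField2() { return target.getField2(); }
    public void setField2(String v) { target.setField2(v); }
    public String getField3() { return target.getField3(); }   // getter only, by design
}

public class DelegateDemo {
    // Stand-in for setter-based parameter population: for each "name=value" pair,
    // look for a public setXxx(String) on the object and invoke it; otherwise skip it.
    static void populate(Object obj, Map<String, String> params) throws Exception {
        for (Map.Entry<String, String> e : params.entrySet()) {
            String name = e.getKey();
            String setter = "set" + Character.toUpperCase(name.charAt(0)) + name.substring(1);
            try {
                Method m = obj.getClass().getMethod(setter, String.class);
                m.invoke(obj, e.getValue());
            } catch (NoSuchMethodException ignored) {
                System.out.println("ignored request parameter: " + name);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        MyBean bean = new MyBean();
        bean.setField3("owner-42");                        // set by the application, not the request
        Map<String, String> request = new LinkedHashMap<>(); // constructed sample request parameters
        request.put("field1", "hello");
        request.put("field3", "tampered");                 // attempt to overwrite the owner id
        populate(new MyBeanView(bean), request);           // field3 is rejected, field1 is applied
        System.out.println(bean.getField1() + " / " + bean.getField3());
    }
}
```

Expose the view, not the bean, from the action's setter so the parameter layer only ever sees the restricted surface.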

