You could implement a class that delegates to your bean but only exposes the setters and getters that are appropriate, so in the case of the id you could let the user view it (getter) but not allow the setter.
A perhaps even better approach would be to devise a proxying mechanism (perhaps configured via annotations) and have a security layer be responsible for which methods can be called - this not only would prevent url parameters being set but also prevent restricted fields of any object being updated.

Marcus.

-----Original Message-----
From: J. Garcia [mailto:jogaco...@gmail.com]
Sent: 04 July 2012 14:49
To: Struts Users Mailing List; lukasz.len...@gmail.com
Subject: Re: data injection attack

My action would have:

    public void setMyBean( MyBean myBean) {...}

and I would like to avoid an injection on myBean.field3. This field could be the owner id for instance!

On Wed, Jul 4, 2012 at 3:34 PM, Łukasz Lenart <lukasz.len...@googlemail.com> wrote:
> Another way is to use AnnotationParameterFilterIntereptor (name
> contains typo) and @Allowed and @Blocked annotations
>
> Regards
> --
> Łukasz
> mobile +48 606 323 122 http://www.lenart.org.pl/
> Warszawa JUG conference - Confitura http://confitura.pl/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
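The delegating-wrapper idea from the reply above, as an added example that is not code from the thread or from Struts: MyBean, MyBeanForm and the bind() method are constructed here, and bind() is only a small reflection-based stand-in for the framework's parameter binding, used to show that a request parameter named field3 has no setter to land on once the action exposes the wrapper instead of the bean.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.util.*;

public class ParameterBindingDemo {
    // Domain bean as in the thread: field3 is the owner id and must never come from the request.
    public static class MyBean {
        private String field1, field2; private long field3;
        public String getField1() { return field1; }  public void setField1(String v) { field1 = v; }
        public String getField2() { return field2; }  public void setField2(String v) { field2 = v; }
        public long getField3() { return field3; }    public void setField3(long v) { field3 = v; }
    }

    // Delegating wrapper the action exposes instead of MyBean: every getter, only the safe setters.
    public static class MyBeanForm {
        private final MyBean target;
        public MyBeanForm(MyBean target) { this.target = target; }
        public String getField1() { return target.getField1(); }  public void setField1(String v) { target.setField1(v); }
        public String getField2() { return target.getField2(); }  public void setField2(String v) { target.setField2(v); }
        public long getField3() { return target.getField3(); }    // readable for the view, no setter
    }

    // Stand-in for the framework's parameter binding (not Struts code): writes each request
    // parameter through a JavaBeans setter and returns the names it could not write.
    public static List<String> bind(Object bean, Map<String, String> params) throws Exception {
        List<String> refused = new ArrayList<>();
        Map<String, PropertyDescriptor> props = new HashMap<>();
        for (PropertyDescriptor pd : Introspector.getBeanInfo(bean.getClass(), Object.class).getPropertyDescriptors())
            props.put(pd.getName(), pd);
        for (Map.Entry<String, String> p : params.entrySet()) {
            PropertyDescriptor pd = props.get(p.getKey());
            if (pd == null || pd.getWriteMethod() == null) { refused.add(p.getKey()); continue; }
            Object value = pd.getPropertyType() == long.class ? Long.valueOf(p.getValue()) : p.getValue();
            pd.getWriteMethod().invoke(bean, value);
        }
        return refused;
    }

    public static void main(String[] args) throws Exception {
        // Constructed request: a legitimate edit of field1/field2 plus an attempt to overwrite field3.
        Map<String, String> request = new LinkedHashMap<>();
        request.put("field1", "title"); request.put("field2", "body"); request.put("field3", "1");
        MyBean bean = new MyBean();
        bean.setField3(42L);                       // owner id assigned server-side, e.g. from the session
        System.out.println("bare bean: refused=" + bind(bean, request) + " field3=" + bean.getField3());
        bean.setField3(42L);
        System.out.println("wrapper:   refused=" + bind(new MyBeanForm(bean), request) + " field3=" + bean.getField3());
    }
}
```

Binding straight onto MyBean overwrites the owner id with the request value, while binding onto MyBeanForm refuses field3 and leaves the server-assigned id untouched; the same wrapper is what the action's setter should accept.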