Hi, I am concerned about security in my Struts 2 actions. I am using Spring to auto-wire my actions by name, but this leads me to believe that a malicious user can set action properties that I do not want them to.

For example, I have a .jsp with a form input of "name". My action has a getter/setter for the String property "name". This property is automatically populated (by the parameterInterceptor?). I also have a userDao object on my action, also with getters/setters so that Spring can auto-wire it. Is there anything that prevents a user from adding a form input of "userDao.password" (just for example), and changing the password on my userDao? Do I need to do something to only make certain properties of my action available to be set from request parameters?

Thanks,
-- Brian
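The per-action allowlist the question asks about, as an added example that is not part of the original post and not Struts code: plain Java that decides, for each request parameter name, whether it may be bound to the action. The class name, the `INJECTED` set and the sample parameters are assumptions made for illustration; in Struts 2 a check like `classify(...) == Verdict.BIND` is the kind of logic an action can return from `ParameterNameAware.acceptableParameterName(String)`.

```java
import java.util.List;
import java.util.Set;

public class ActionParamAllowlist {
    enum Verdict { BIND, IGNORE, ALERT }

    // Properties the form is meant to set (from the post: only "name").
    private static final Set<String> ALLOWED = Set.of("name");
    // Spring-wired collaborators that must never be reachable from a request.
    private static final Set<String> INJECTED = Set.of("userDao");

    /** Leading identifier of a parameter path: "userDao.password" -> "userDao". */
    static String root(String param) {
        int i = 0;
        while (i < param.length() && Character.isJavaIdentifierPart(param.charAt(i))) {
            i++;
        }
        return param.substring(0, i);
    }

    /** BIND only on an exact allowlist match; ALERT when an injected bean is targeted. */
    static Verdict classify(String param) {
        if (param == null || param.isEmpty()) {
            return Verdict.IGNORE;
        }
        if (ALLOWED.contains(param)) {
            return Verdict.BIND;
        }
        // Nested, indexed or bare references to a wired dependency are worth logging.
        return INJECTED.contains(root(param)) ? Verdict.ALERT : Verdict.IGNORE;
    }

    public static void main(String[] args) {
        // Constructed parameter names, not captured traffic.
        List<String> params = List.of(
                "name", "userDao.password", "userDao['password']", "userDao", "nickname");
        for (String p : params) {
            System.out.println(p + " -> " + classify(p));
        }
    }
}
```

Only `name` is bound; the three `userDao` forms come back as `ALERT` so they can be logged, and anything else is silently dropped.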