We need an object for example CustomerData in session. We have configured it through struts2 xml, session scope.
Base Action class has a getter and setter for this bean. getCustomerData(), setCustomerData() Since it has a setter on action class (setter is needed to put it on session thru struts2), we believe it is open to object setter attack through Form Post. One can for example post with customerData.address and struts2 would automatically set this data on the object. This attribute is suppose to be READ ONLY or ONLY System can set it, not from UI. Any idea how we can prevent this issue? I am surprised this kind of security issue is there with struts2, what are we missing? Is there a interceptor we need to configure to prevent this? Thanks
