Why worry if an object at your view layer gets a value set on it? Your real
processing should be occurring at a service layer underneath the view layer.
Only copy data from the view down into your application if you really need
it to be copied down.
jk

On Tue, Jun 30, 2009 at 6:40 PM, smart acer <smarta...@gmail.com> wrote:

> We need an object, for example CustomerData, in session. We have configured
> it through struts2 xml, session scope.
>
> Base Action class has a getter and setter for this bean: getCustomerData(),
> setCustomerData().
>
> Since it has a setter on the action class (the setter is needed to put it on
> session through struts2), we believe it is open to an object setter attack
> through Form Post. One can for example post customerData.address and struts2
> would automatically set this data on the object. This attribute is supposed
> to be READ ONLY, or ONLY the System can set it, not the UI.
>
> Any idea how we can prevent this issue? I am surprised this kind of security
> issue is there with struts2; what are we missing? Is there an interceptor we
> need to configure to prevent this?
>
> Thanks
>



-- 
Jim Kiley
Senior Technical Consultant | Summa
[p] 412.258.3346
http://www.summa-tech.com
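For readers who do need the setter on the action (as in the question above, where struts2 injects the session-scoped bean through it) and still want the ParametersInterceptor to refuse `customerData.*` from a form post, the following is an added example, not code from either poster or from the Struts project. It uses the real XWork `ParameterNameAware` hook, which the `params` interceptor consults for every request parameter name before evaluating it with OGNL. The class names `CustomerData`, `customerData`, `getCustomerData()` and `setCustomerData()` are taken from the question; `BaseAction`, the `SYSTEM_ONLY` list and the `SAFE_NAME` pattern are assumptions for illustration.

```java
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;
import java.util.regex.Pattern;

/**
 * Base action that keeps the public setter struts2 needs for session
 * injection, but vetoes request parameters that would write into the
 * session-scoped bean. Example code; assumes a CustomerData class exists.
 */
public abstract class BaseAction extends ActionSupport implements ParameterNameAware {

    private CustomerData customerData;

    // Top-level property names that only the system may populate (assumption:
    // extend this list for every injected bean exposed through a setter).
    private static final String[] SYSTEM_ONLY = { "customerData" };

    // Accept only plain property paths such as "user.name" or "items[2].qty".
    // Anything else ("#session...", "(x)(y)", quotes) is rejected outright.
    private static final Pattern SAFE_NAME = Pattern.compile(
        "[A-Za-z_][A-Za-z0-9_]*(\\[\\d+\\])?(\\.[A-Za-z_][A-Za-z0-9_]*(\\[\\d+\\])?)*");

    /**
     * Called by ParametersInterceptor once per request parameter name.
     * Returning false drops the parameter before OGNL ever sees it.
     */
    @Override
    public boolean acceptableParameterName(String parameterName) {
        if (parameterName == null || !SAFE_NAME.matcher(parameterName).matches()) {
            return false;
        }
        // First path segment: "customerData.address" and "customerData[0]"
        // both reduce to "customerData", and a bare "customerData" too.
        String first = parameterName.split("[.\\[]", 2)[0];
        for (String blocked : SYSTEM_ONLY) {
            if (blocked.equals(first)) {
                return false;
            }
        }
        return true;
    }

    // Getter/setter pair kept so struts2 can inject the session bean;
    // the guard above is what stops a form post from reaching the setter.
    public CustomerData getCustomerData() {
        return customerData;
    }

    public void setCustomerData(CustomerData customerData) {
        this.customerData = customerData;
    }
}
```

The same effect can be had declaratively in struts.xml by adding a pattern such as `^customerData(\..*|\[.*)?$` to the `excludeParams` parameter of the `params` interceptor alongside the defaults (`dojo\..*,^struts\..*`), but a rule in the base action travels with the code and cannot be forgotten when a new package copies an interceptor stack. Either way, the check only covers the ParametersInterceptor; an action reached by chaining or a scope interceptor that copies request state still needs its own review.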
