I am using Spring 3.2 and I am looking for a way to force controllers to specify which attributes are allowed to be bound, so malicious users cannot inject values into bound objects. Spring recommends using setAllowedFields() to white-list / setDisallowedFields() to black-list.
Instead of doing this white-list manually, I want to do this dynamically, so I want to bind the attributes that are visible on the form.
So is it possible to get this white-list? Is there any way that I can get the visible attributes on the form?
Thanks.
You could implement a RequestDataValueProcessor, especially the method processFormFieldValue. You could construct a collection of allowed field names and store this in the session.
Next you would extend the ConfigurableWebBindingInitializer and override the initBinder method, which would retrieve the collection and pre-configure the WebDataBinder there.
And finally you would need some configuration to wire everything together.
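A sketch of the two classes the answer above describes, added here as an example and not taken from the original answer. The class names, the session attribute name and the placeholder field name are hypothetical, the method signatures are those of Spring 3.2, and it assumes a session renders one form at a time.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.support.ConfigurableWebBindingInitializer;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.WebRequest;
import org.springframework.web.servlet.support.RequestDataValueProcessor;

// Records every field name the Spring form tags render (Spring 3.2 signatures).
class FieldRecordingProcessor implements RequestDataValueProcessor {
    static final String ATTR = "renderedFormFields"; // hypothetical session attribute name

    public String processAction(HttpServletRequest request, String action) {
        // A <form:form> starts rendering: reset the set (assumes one form per session at a time).
        request.getSession().setAttribute(ATTR,
                Collections.newSetFromMap(new ConcurrentHashMap<String, Boolean>()));
        return action;
    }

    @SuppressWarnings("unchecked")
    public String processFormFieldValue(HttpServletRequest request, String name, String value, String type) {
        Set<String> fields = (Set<String>) request.getSession().getAttribute(ATTR);
        if (fields != null && name != null) fields.add(name);
        return value; // the rendered value itself is left untouched
    }

    public Map<String, String> getExtraHiddenFields(HttpServletRequest request) { return Collections.emptyMap(); }

    public String processUrl(HttpServletRequest request, String url) { return url; }
}

// Applies the recorded names as the binder's white-list before each binding.
class RenderedFieldsBindingInitializer extends ConfigurableWebBindingInitializer {
    @Override
    @SuppressWarnings("unchecked")
    public void initBinder(WebDataBinder binder, WebRequest request) {
        super.initBinder(binder, request);
        Set<String> fields = (Set<String>) request.getAttribute(
                FieldRecordingProcessor.ATTR, RequestAttributes.SCOPE_SESSION);
        // DataBinder treats an empty allowed-fields array as "allow everything",
        // so when nothing was recorded, allow only a name that matches no property.
        if (fields == null || fields.isEmpty()) {
            binder.setAllowedFields("__no_field_rendered__"); // constructed placeholder
        } else {
            binder.setAllowedFields(fields.toArray(new String[fields.size()]));
        }
    }
}
```

For the wiring step, Spring looks the processor up by the bean name requestDataValueProcessor, and the initializer is set as the webBindingInitializer of the RequestMappingHandlerAdapter. Names recorded for one form stay allowed until the next form is rendered in that session, so a field that must never be bound should still be excluded with setDisallowedFields() in the controller.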