
Creating global initBinder using Spring

I am using Spring 3.2 and I am looking for a way to force controllers to specify which attributes are allowed to be bound, so malicious users cannot inject values into bound objects. Spring recommends using setAllowedFields() to white-list / setDisallowedFields() to black-list.

Instead of building this white-list manually, I want to do this dynamically, so I want to bind only those attributes that are visible on the form.

So is it possible to get this white-list? Is there any way that I can get the visible attributes on the form?

Thanks.

You could implement a RequestDataValueProcessor, especially the method processFormFieldValue. You could construct a collection of allowed field names and store this in the session.

Next you would extend the ConfigurableWebBindingInitializer and override the initBinder method, which would retrieve the collection and pre-configure the WebDataBinder there.

And finally you would need some configuration to wire everything together.

Links

  • RequestDataValueProcessor javadoc
  • ConfigurableWebBindingInitializer javadoc
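
The approach from the answer above, as an added example (not code from the original post), written against the Spring 3.2 method signatures. The class names and the session key are hypothetical; the binder fails closed when no form fields were recorded, because DataBinder treats an empty allowed-fields list as "allow everything".

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.support.ConfigurableWebBindingInitializer;
import org.springframework.web.context.request.WebRequest;
import org.springframework.web.servlet.support.RequestDataValueProcessor;

// Register as a bean named "requestDataValueProcessor" so the Spring form tags call it.
class FieldRecordingProcessor implements RequestDataValueProcessor {
    static final String ATTR = "renderedFormFields"; // hypothetical session key

    @SuppressWarnings("unchecked")
    public String processFormFieldValue(HttpServletRequest req, String name, String value, String type) {
        if (name != null) {
            Set<String> fields = (Set<String>) req.getSession().getAttribute(ATTR);
            if (fields == null) {
                fields = Collections.newSetFromMap(new ConcurrentHashMap<String, Boolean>());
                req.getSession().setAttribute(ATTR, fields);
            }
            fields.add(name); // kept server-side only, so the client cannot extend the list
        }
        return value;
    }
    // Spring 3.2 signature; Spring 4.0 and later add a third httpMethod parameter.
    public String processAction(HttpServletRequest req, String action) { return action; }
    public Map<String, String> getExtraHiddenFields(HttpServletRequest req) { return Collections.emptyMap(); }
    public String processUrl(HttpServletRequest req, String url) { return url; }
}

// Set as the webBindingInitializer of RequestMappingHandlerAdapter.
class RenderedFieldsBindingInitializer extends ConfigurableWebBindingInitializer {
    @SuppressWarnings("unchecked")
    @Override
    public void initBinder(WebDataBinder binder, WebRequest request) {
        super.initBinder(binder, request);
        Set<String> fields = (Set<String>) request.getAttribute(FieldRecordingProcessor.ATTR, WebRequest.SCOPE_SESSION);
        if (fields == null || fields.isEmpty()) {
            // setAllowedFields() with no names would permit every field,
            // so block all binding until a form has actually been rendered.
            binder.setDisallowedFields("*");
        } else {
            binder.setAllowedFields(fields.toArray(new String[0]));
        }
    }
}
```

A single session-wide set grows into the union of every form rendered in that session, so a field shown on one form becomes bindable on all of them; keeping one set per form (for example keyed by the form's action) gives a tighter white-list.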
