Security of form fields in *FormController
nilesh
Sep 13th, 2004, 10:53 AM
I am wondering, when using SimpleFormController, AbstractFormController, etc: For the properties of an object that you don't bind in your view (using spring:bind tags), is it possible for an attacker to submit these fields, or are only the fields that are bound allowed to be submitted?
egervari
Sep 13th, 2004, 11:27 AM
I am wondering, when using SimpleFormController, AbstractFormController, etc: For the properties of an object that you don't bind in your view (using spring:bind tags), is it possible for an attacker to submit these fields, or are only the fields that are bound allowed to be submitted?
No, they won't be mapped to the command object, just the ones Spring knows about. Actually, this is an important consequence because if you do not have sessions turned on (setSession( true )), the extra properties that are not bound by Spring will lose their state if I remember (haven't used it in a while). I could be wrong. By making the form use a session, you can have other properties contain data but not exposed to the view and everything should be okay.
tareq
Sep 15th, 2004, 02:54 AM
No, they won't be mapped to the command object, just the ones spring knows about
I am not sure this is true. I tried and I found that Spring binds all the properties with a matching input. Is there a way to prevent this?
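The behaviour discussed in this thread, and one way to restrict it, as an added example that is not part of any post above: Spring's DataBinder binds every submitted parameter that matches a property unless an allowlist is registered with setAllowedFields. The Account class, its field names and the parameter values are constructed for illustration.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;

public class AllowedFieldsDemo {

    // Hypothetical command object: the form view only renders "name" and "email".
    public static class Account {
        private String name;
        private String email;
        private boolean admin; // never exposed in the view
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean admin) { this.admin = admin; }
    }

    // Binds the submitted parameters; with no allowlist the binder keeps its default (bind everything).
    static Account bind(Map<String, Object> params, String... allowed) {
        Account account = new Account();
        DataBinder binder = new DataBinder(account, "account");
        if (allowed.length > 0) {
            binder.setAllowedFields(allowed);
        }
        binder.bind(new MutablePropertyValues(params));
        // Fields rejected by the allowlist are recorded on the binding result.
        System.out.println("admin=" + account.isAdmin() + " suppressed="
                + Arrays.toString(binder.getBindingResult().getSuppressedFields()));
        return account;
    }

    public static void main(String[] args) {
        // Constructed request parameters: two form fields plus one the view never rendered.
        Map<String, Object> params = new LinkedHashMap<>();
        params.put("name", "alice");
        params.put("email", "alice@example.test");
        params.put("admin", "true");

        bind(params);                  // default binder: the extra parameter reaches setAdmin
        bind(params, "name", "email"); // allowlist: "admin" is skipped and listed as suppressed
    }
}
```

In a form controller the same setAllowedFields call belongs in an override of initBinder(HttpServletRequest, ServletRequestDataBinder), so the allowlist is applied to the binder the controller uses for each request.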