Security of form fields in *FormController
I am wondering, when using SimpleFormController, AbstractFormController, etc.: For the properties of an object that you don't bind in your view (using spring:bind tags), is it possible for an attacker to submit these fields, or are only the fields that are bound allowed to be submitted?
Re: Security of form fields in *FormController
Quote:
Originally Posted by nilesh
I am wondering, when using SimpleFormController, AbstractFormController, etc.: For the properties of an object that you don't bind in your view (using spring:bind tags), is it possible for an attacker to submit these fields, or are only the fields that are bound allowed to be submitted?
No, they won't be mapped to the command object, just the ones Spring knows about. Actually, this is an important consequence, because if you do not have sessions turned on (setSession( true )), the extra properties that are not bound by Spring will lose their state, if I remember correctly (haven't used it in a while). I could be wrong. By making the form use a session, you can have other properties that contain data but are not exposed to the view, and everything should be okay.
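One way to make the set of bindable properties explicit in the controller itself, as an added example and not code from this thread, is the allow-list that `DataBinder` provides: `setAllowedFields` on the `ServletRequestDataBinder` that `SimpleFormController` passes to `initBinder`, combined with `setSessionForm(true)` so that server-side properties survive between the GET that renders the form and the POST that submits it. The `Account` command class, the `AccountFormController`, the view names and the property names are constructed for the example.

```java
import java.util.Arrays;
import javax.servlet.http.HttpServletRequest;
import org.springframework.validation.BindException;
import org.springframework.web.bind.ServletRequestDataBinder;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.mvc.SimpleFormController;

// Constructed command object: two properties the form is meant to edit and one
// (admin) that is only ever set on the server side and never rendered in the view.
class Account {
    private String displayName;
    private String email;
    private boolean admin;

    public String getDisplayName() { return displayName; }
    public void setDisplayName(String displayName) { this.displayName = displayName; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
    public boolean isAdmin() { return admin; }
    public void setAdmin(boolean admin) { this.admin = admin; }
}

public class AccountFormController extends SimpleFormController {

    public AccountFormController() {
        setCommandClass(Account.class);
        setCommandName("account");
        setFormView("accountForm");      // constructed view name
        setSuccessView("accountSaved");  // constructed view name
        // Keep the command object in the HTTP session between form display and
        // submission, so properties the view does not render keep their values.
        setSessionForm(true);
    }

    @Override
    protected void initBinder(HttpServletRequest request, ServletRequestDataBinder binder)
            throws Exception {
        // Allow-list: only these request parameters may be written onto the command
        // object. Any other submitted parameter is ignored by the binder, so the
        // bindable property set is declared here rather than implied by the view.
        binder.setAllowedFields(new String[] { "displayName", "email" });
    }

    @Override
    protected void onBindAndValidate(HttpServletRequest request, Object command, BindException errors)
            throws Exception {
        // Parameters that were submitted but blocked by the allow-list are recorded by
        // the binder as suppressed fields; logging them gives a detection signal for
        // submissions that carry properties the form never offered.
        String[] suppressed = errors.getSuppressedFields();
        if (suppressed.length > 0) {
            logger.warn("Ignored parameters outside the allowed field set: "
                    + Arrays.asList(suppressed));
        }
    }

    @Override
    protected ModelAndView onSubmit(Object command) throws Exception {
        Account account = (Account) command;
        // Persisting the account would happen here; the example just hands it to the view.
        return new ModelAndView(getSuccessView(), "account", account);
    }
}
```

`setDisallowedFields` is the complementary deny-list form; the allow-list is the safer default because a property added to the command class later stays unbindable until it is named explicitly.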