Security of form fields in *FormController

**nilesh** · Sep 13th, 2004, 10:53 AM

I am wondering, when using SimpleFormController, AbstractFormController, etc: For the properties of an object that you don't bind in your view (using spring:bind tags), is it possible for an attacker to submit these fields, or are only the fields that are bound allowed to be submitted?

**egervari** · Sep 13th, 2004, 11:27 AM

Originally Posted by nilesh

I am wondering, when using SimpleFormController, AbstractFormController, etc: For the properties of an object that you don't bind in your view (using spring:bind tags), is it possible for an attacker to submit these fields, or are only the fields that are bound allowed to be submitted?

No, they won't be mapped to the command object, just the ones spring knows about. Actually, this an important consequence because if you do not have sessions turn on (setSession( true )), the extra properties that are not bound by spring will lose their state if I remember (haven't used it in awhile). I could be wrong. By making the form use a session, you can have other properties contain data but not exposed to the view and everything should be okay.

**tareq** · Sep 15th, 2004, 02:54 AM

No, they won't be mapped to the command object, just the ones spring knows about

I am not sure this is true. I tried and I found that Spring binds all the properties with a matching input. Is there a way to prevent this ?

Thread: Security of form fields in *FormController

Thread Tools

Display

Security of form fields in *FormController

Re: Security of form fields in *FormController

Similar Threads

Best way to implement common form functionality

Spring seems to bind all form fields : security?

Javascript using Spring tags to disable form fields

Issue: Binding form fields with Map in command object

Submission of empty form fields

Posting Permissions