Thread: [new to Spring] PetClinic with jSession

  1. #1
    Join Date: Oct 2004 | Location: Germany | Posts: 143

    [new to Spring] PetClinic with jSession

    Hi,

    I have just tested the sample PetClinic Spring application and everything is working nicely, but there is still a first question.

    My question is that some JSP forms submit the data with GET and some with POST, and the IDs were always there as hidden fields.

    For security reasons this is not a good solution.
    In standard JSP I use a session to save the data, but how can I use a session for this JSP in Spring? What do I have to change in the PetClinic example to work with this?

    Thanks,

    mfg Gideon

    Sorry, these are my first impressions of Spring, and sorry for my bad English (I hope that by learning Spring I will get better English).

  2. #2
    Join Date: Oct 2004 | Location: Germany | Posts: 143

    OK, I have seen that in MultiActionController I can add an HttpSession; I think that should do the right thing.

    Is there an example for using HttpSession?

    Thanks.

    mfg Gideon

  3. #3
    Join Date: Aug 2004 | Location: Sydney, Australia | Posts: 2,768

    There's no security problem. The "id" can be avoided by using a session form, i.e. in the constructor of your controller, "setSessionForm(true)".

    As for some fields not being bindable to the form backing object, in the protected void initBinder() method just use "binder.setAllowedFields(String[] listOfAllowedFields)".

  4. #4
    Join Date: Oct 2004 | Location: Germany | Posts: 143

    OK, the session is working, but at the moment only when I set the ownerId attribute hard-coded into the session.

    How can I put the messageId which is in the Model of the ModelAndView object into the session, or how can I get the Model from this object to work with Java code inside JSPs?

    Or is there a better way to realize session support in Spring?

    mfg Gideon

  5. #5
    Join Date: Oct 2004 | Location: Germany | Posts: 143

    Hi,
    Quote Originally Posted by Ben Alex
    There's no security problem. The "id" can be avoided by using a session form, i.e. in the constructor of your controller, "setSessionForm(true)".
    In the Spring PetClinic sample application all controllers have setSessionForm("true").

    My problem is just this link:
    http://www.springframework.org/webap...m?ownerId=1992
    The ownerId comes from the findOwnerForm over a hidden field, but now it is in the URL and so the user can change it.
    If I put this id into a session, the user will never see it and will never be able to change it.

    mfg Gideon

  6. #6
    Join Date: Oct 2004 | Location: Germany | Posts: 143

    Or better, do the following with the PetClinic application:

    Select an owner, get the ownerId by viewing the source code;

    now edit a pet.
    In the source code there is still the ownerId as a hidden input field.

    So when you wish to do something that should not work, you send the Pet fields (for example with another application) back to the server but with another ownerId,
    and so another owner maybe has a pet that he really does not own.

    This is just a small sample, but in another application this can be very bad, and so I have put all information like this ownerId into a session.

    mfg Gideon

    I hope I wrote what I mean :?

  7. #7
    Join Date: Aug 2004 | Location: Melbourne, Australia | Posts: 1,104

    some "jsp" forms put the data with GET and some with POST and the "ID"s were always there as hidden fields. For security reasons this is not a good solution.
    If your point is that the data shouldn't be submitted, then the point is invalid. Any hacker can submit whatever data they want. Your application has to handle that. Check the user has authorisation to do what they are trying to do.

    If your point is that the ID is left in the browser's URL history, then I'd suggest 2 things:
    1) Provide an ID without business meaning (as should be the case anyway)
    2) Override AbstractFormController's isFormSubmission(HttpServletRequest req) and always post the data


    so when you wish to do something that should not work, you send the Pet fields (for example with another application) back to the server but with another ownerId
    and so another owner maybe has a pet that he really does not own.
    Again, your application should be able to handle this. Storing ownerId in the session doesn't solve anything, as at some point you have to select the owner from the search results. Some Id has to be sent to the server...

  8. #8
    Join Date: Oct 2004 | Location: Germany | Posts: 143

    Hi,
    Quote Originally Posted by katentim
    If your point is that the data shouldn't be submitted, then the point is invalid. Any hacker can submit whatever data they want. Your application has to handle that. Check the user has authorisation to do what they are trying to do.

    If your point is that the ID is left in the browser's URL history, then I'd suggest 2 things:
    1) Provide an ID without business meaning (as should be the case anyway)
    2) Override AbstractFormController's isFormSubmission(HttpServletRequest req) and always post the data
    OK, you are right, I had a "thinking mistake".
    The ID is only for identifying an object (a PRIMARY KEY); POST forms should be even better because GET is deprecated from HTML 4.0.

    Quote Originally Posted by katentim
    Again, your application should be able to handle this. Storing ownerid in the session doesn't solve anything, as at some point you have to select the owner from the search results. Some Id has to be sent to the server...
    Yes, correct. I will store the owner in the session and will create a login form which will always be shown if no owner was found, and if an owner edits something, every form must check if the owner has the right to change this object before committing it to the database.

    As for some fields not being bindable to the form backing object, in the protected void initBinder() method just use "binder.setAllowedFields(String[] listOfAllowedFields)".
    Does this mean that I can put the field names which are allowed to be changed "into the binder", and all changes on other fields are ignored?
    So I can create a session form, put all allowed fields into the binder, and so a user has no chance to overwrite other data (because of an id change, for example)?

    Thank you for your help; bit by bit I understand how Spring and Spring MVC work.

    mfg Gideon
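    Editor's note: putting posts #3, #7 and #8 together, here is an added example (written for this thread, not code from the PetClinic sample or the Spring project) of a Spring MVC 1.x-style SimpleFormController that combines the three pieces of advice: a session form (no hidden ids in the JSP), a whitelist of bindable fields in initBinder, and a server-side ownership check that does not trust anything the client sent. The Clinic, Pet and Owner classes and their methods are assumed to be PetClinic-like; the CURRENT_OWNER_ID session attribute and the view names are assumptions as well.

```java
// Added example, not code from the PetClinic sample or the Spring project.
// Spring MVC 1.x style: session form + bound-field whitelist + ownership check.
// Assumed: PetClinic-like Clinic, Pet and Owner classes with the methods used here.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.validation.BindException;
import org.springframework.web.bind.ServletRequestDataBinder;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.mvc.SimpleFormController;

public class EditPetForm extends SimpleFormController {

    // Session attribute holding the id of the owner who logged in (assumed name;
    // the login form described in post #8 would set it).
    public static final String CURRENT_OWNER_ID = "currentOwnerId";

    private Clinic clinic; // assumed PetClinic-style service facade, injected via setter

    public EditPetForm() {
        // Keep the command object in the HttpSession between the GET that shows the
        // form and the POST that submits it, so the JSP needs no hidden id fields.
        setSessionForm(true);
        setCommandName("pet");
        setFormView("petForm");      // assumed view names
        setSuccessView("ownerView");
    }

    public void setClinic(Clinic clinic) {
        this.clinic = clinic;
    }

    protected Object formBackingObject(HttpServletRequest request) throws Exception {
        // Called once for the initial GET; with a session form the same object is
        // reused on submit. petId is still a request parameter: some id always has
        // to reach the server (post #7), so the check below is what protects it.
        int petId = Integer.parseInt(request.getParameter("petId"));
        Pet pet = clinic.loadPet(petId);
        requireOwnership(request.getSession(), pet);
        return pet;
    }

    protected void initBinder(HttpServletRequest request, ServletRequestDataBinder binder) {
        // Whitelist of bindable fields. Parameters not listed (id, owner, owner.id, ...)
        // are ignored by the binder, so a forged ownerId in the POST body cannot
        // re-parent the pet. This is the behaviour asked about in post #8.
        binder.setAllowedFields(new String[] { "name", "birthDate", "type" });
    }

    protected ModelAndView onSubmit(HttpServletRequest request, HttpServletResponse response,
                                    Object command, BindException errors) throws Exception {
        Pet pet = (Pet) command;
        // Authorisation is checked again on submit and never inferred from what the
        // client sent: the session object is what the server loaded, not user input.
        requireOwnership(request.getSession(), pet);
        clinic.storePet(pet);
        return new ModelAndView(getSuccessView(), "ownerId", pet.getOwner().getId());
    }

    // The server-side check both replies insist on: does the logged-in owner own this pet?
    static void requireOwnership(HttpSession session, Pet pet) {
        Object currentOwnerId = session.getAttribute(CURRENT_OWNER_ID);
        if (currentOwnerId == null || pet.getOwner() == null
                || !currentOwnerId.equals(pet.getOwner().getId())) {
            // Map this to a 403 with an exception resolver, or redisplay the form
            // with an error; either way the store never happens.
            throw new SecurityException("Pet " + pet.getId() + " is not owned by the current user");
        }
    }
}
```

    The session form removes the hidden fields, the whitelist stops the binder from ever writing the owner relation, and requireOwnership is the part katentim's reply says is actually required: whatever id arrives, the server decides whether this user may touch that record.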
