In Web Flow 2, simply declare bindings explicitly using your view-state's <binder> element. Only what is declared can be bound. That's pretty simple to do, and is documented in the reference manual since 2008. That's for fixed binding rules. Now, allowing the set of bindings to vary dynamically based on security context is not supported out of the box, but a request for this feature hasn't been raised before AFAIK, either. In any case, it's doable by providing a custom ViewFactory that creates Views with a custom processUserEvent operation.
With Spring MVC, simply restrict bindings using DataBinder.setAllowedFields in a @Controller @InitBinder callback. Alternatively, use PresentationModel-style DTOs instead of binding to internal, and more complex domain objects directly. Finally, it's also possible to restrict binding to a domain object simply by not defining a public setter for a non-editable field.
Security is obviously an important topic. What I and the rest of the community would find most beneficial would be requests for and discussions about concrete improvements in this area.
Last edited by Keith Donald; Jan 22nd, 2010 at 09:41 AM.
Core Spring Development Team