I am using Spring 3.2 and I am looking for a way to force controllers to specify which attributes are allowed to be bound, so malicious users cannot inject values into bound objects.
Spring recommends using setAllowedFields() to white-list / setDisallowedFields() to black-list.
Instead of building this white-list manually, I want to do it dynamically, so I want to bind only the attributes that are visible on the form.
So is it possible to get this white-list? Is there any way that I can get the visible attributes on the form?
Thanks.
You could implement a RequestDataValueProcessor, especially the method processFormFieldValue. You could construct a collection of allowed field names and store this in the session.
Next you would extend the ConfigurableWebBindingInitializer and override the initBinder method, which would retrieve the collection and pre-configure the WebDataBinder there.
And finally you would need some configuration to wire everything together.

Links
RequestDataValueProcessor javadoc
ConfigurableWebBindingInitializer javadoc
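One way to implement the approach described in this answer, as an added example that is not part of the original post. It assumes Spring 3.2 with the Spring form tag library; the class names, the session attribute key, the hidden field name _formId and the per-session cap are my own choices, not Spring conventions. Each rendered form gets a random id, the field names the form tags emit are recorded against that id in the session, the id travels back in a hidden field, and the binding initializer allows exactly those names for that one submission.

```java
import java.security.SecureRandom;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.support.ConfigurableWebBindingInitializer;
import org.springframework.web.context.request.WebRequest;
import org.springframework.web.servlet.support.RequestDataValueProcessor;

/**
 * Hypothetical example: while a <form:form> renders, record the field names it
 * actually emits, keyed by a random per-form id carried back in a hidden field;
 * at bind time allow exactly those names and nothing else.
 */
public class FormFieldRecordingProcessor implements RequestDataValueProcessor {

    static final String SESSION_KEY = FormFieldRecordingProcessor.class.getName() + ".fields"; // formId -> names
    static final String FORM_ID_PARAM = "_formId";        // hidden field name (our choice, not a Spring convention)
    private static final int MAX_FORMS_PER_SESSION = 32;  // bounds session growth from abandoned forms

    private final SecureRandom random = new SecureRandom();

    // Spring 3.2 signature; Spring 4 adds a third parameter (String httpMethod).
    public String processAction(HttpServletRequest request, String action) {
        String formId = Long.toHexString(random.nextLong());
        request.setAttribute(FORM_ID_PARAM, formId);      // remembered for the rest of this render
        Map<String, Set<String>> byForm = formsIn(request.getSession(true));
        if (byForm.size() >= MAX_FORMS_PER_SESSION) {
            byForm.clear();                               // stale forms simply fail closed later
        }
        byForm.put(formId, Collections.newSetFromMap(new ConcurrentHashMap<String, Boolean>()));
        return action;
    }

    // Called once per field the form tags render: this is the dynamic white-list.
    public String processFormFieldValue(HttpServletRequest request, String name, String value, String type) {
        String formId = (String) request.getAttribute(FORM_ID_PARAM);
        if (formId != null) {
            Set<String> fields = formsIn(request.getSession(true)).get(formId);
            if (fields != null) {
                fields.add(name);
            }
        }
        return value;                                     // field values pass through unchanged
    }

    // Rendered just before </form>: ties the eventual POST to the recorded set.
    public Map<String, String> getExtraHiddenFields(HttpServletRequest request) {
        String formId = (String) request.getAttribute(FORM_ID_PARAM);
        if (formId == null) {
            return Collections.<String, String>emptyMap();
        }
        return Collections.singletonMap(FORM_ID_PARAM, formId);
    }

    public String processUrl(HttpServletRequest request, String url) {
        return url;                                       // not needed for this feature
    }

    @SuppressWarnings("unchecked")
    static Map<String, Set<String>> formsIn(HttpSession session) {
        synchronized (session) {                          // two parallel requests must not both create the map
            Map<String, Set<String>> byForm = (Map<String, Set<String>>) session.getAttribute(SESSION_KEY);
            if (byForm == null) {
                byForm = new ConcurrentHashMap<String, Set<String>>();
                session.setAttribute(SESSION_KEY, byForm);
            }
            return byForm;
        }
    }

    /** Pre-configures every WebDataBinder with the names recorded for the submitted form. */
    public static class VisibleFieldsBindingInitializer extends ConfigurableWebBindingInitializer {
        @Override
        @SuppressWarnings("unchecked")
        public void initBinder(WebDataBinder binder, WebRequest request) {
            super.initBinder(binder, request);            // keep validator, conversion service, etc.
            String formId = request.getParameter(FORM_ID_PARAM);
            Map<String, Set<String>> byForm =
                    (Map<String, Set<String>>) request.getAttribute(SESSION_KEY, WebRequest.SCOPE_SESSION);
            Set<String> allowed = (formId != null && byForm != null) ? byForm.remove(formId) : null; // one-shot
            if (allowed == null || allowed.isEmpty()) {
                // Fail closed. Note: an EMPTY allowed list means "allow everything" in DataBinder,
                // so a wildcard disallow is the way to bind nothing.
                binder.setDisallowedFields("*");
            } else {
                binder.setAllowedFields(allowed.toArray(new String[allowed.size()]));
            }
        }
    }
}
```

For the wiring the answer mentions, the processor must be registered as a bean named requestDataValueProcessor (the name Spring's RequestContext looks up), and the initializer goes into the webBindingInitializer property of RequestMappingHandlerAdapter. Two design points worth noting: the per-form id and one-shot removal mean the recorded list cannot be reused for a different form or a replayed submission, and the fail-closed branch is deliberate because DataBinder treats an empty allowed-fields array as "no restriction", which is the opposite of what a missing white-list should mean.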