Chapter 14
It's a Dangerous World: Adding Security
They say that the only way to be completely, absolutely, positively, 100
percent sure that a web application is secure is by not putting it on
the Web. But that's no fun. So, let's give it our best shot to secure the
webmail application.
Stripes has a few mechanisms for controlling what data goes in and out
of an application. Validation and type conversion already provide some
control to protect our model and database. But that's not enough. We
need to account for security issues by thinking about what a malicious
user might do to wreck our application and by putting up appropriate
lines of defense.
14.1 Controlling Parameter Binding
One area of security concern is parameter binding. Even though we decide
which parameters are sent in the forms and links of an application, that
does not prevent users from tacking additional parameters onto URLs or
submitting them from faked-up forms. We can use a few techniques to
prevent such parameters from being bound to properties.
Using @Validate(ignore=true)
By default, when a request is made to an action bean with a parameter
someName=someValue, Stripes attempts to set the someName property,
either directly or via a setter method.
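As an added example (not from the book and not part of the webmail application's own code), the following action bean shows what that annotation protects against. The Stripes classes and the @Validate attributes are the real net.sourceforge.stripes API; the bean name, its properties, the URL binding, the session attribute name and the JSP paths are assumptions made for the example.

```java
// Hypothetical "edit profile" action bean for the webmail application.
// The net.sourceforge.stripes imports are the real Stripes API; everything
// else (class, fields, URL, session attribute, JSP names) is assumed.
package example.webmail;

import net.sourceforge.stripes.action.ActionBean;
import net.sourceforge.stripes.action.ActionBeanContext;
import net.sourceforge.stripes.action.DefaultHandler;
import net.sourceforge.stripes.action.ForwardResolution;
import net.sourceforge.stripes.action.Resolution;
import net.sourceforge.stripes.action.UrlBinding;
import net.sourceforge.stripes.validation.Validate;

@UrlBinding("/profile.action")
public class ProfileActionBean implements ActionBean {

    private ActionBeanContext context;

    // Bound from the form as usual: displayName=... is expected and validated.
    @Validate(required = true, maxlength = 64)
    private String displayName;

    // Never bound from the request. Without ignore=true, an extra
    // accountId=42 parameter tacked onto the form submission would make
    // Stripes call setAccountId(42), and save() would then update someone
    // else's profile. With ignore=true Stripes skips this property during
    // binding, so the only assignment is the one in save() below.
    @Validate(ignore = true)
    private Long accountId;

    // Same idea for a privilege flag: administrator=true in a faked-up
    // form must not be able to set this property.
    @Validate(ignore = true)
    private boolean administrator;

    @DefaultHandler
    public Resolution view() {
        return new ForwardResolution("/WEB-INF/jsp/profile.jsp");
    }

    public Resolution save() {
        // Take the identity from the server-side session, never from the
        // request. "accountId" is an assumed attribute name stored at login.
        accountId = (Long) context.getRequest().getSession()
                .getAttribute("accountId");
        if (accountId == null) {
            return new ForwardResolution("/WEB-INF/jsp/login.jsp");
        }
        // ... persist displayName for accountId here ...
        return new ForwardResolution("/WEB-INF/jsp/profile.jsp");
    }

    // ActionBean contract: Stripes injects the context before binding.
    public ActionBeanContext getContext() { return context; }
    public void setContext(ActionBeanContext context) { this.context = context; }

    // Property accessors. Stripes binds through these, which is exactly why
    // the ignored properties still need the annotation: the setters exist.
    public String getDisplayName() { return displayName; }
    public void setDisplayName(String displayName) { this.displayName = displayName; }
    public Long getAccountId() { return accountId; }
    public void setAccountId(Long accountId) { this.accountId = accountId; }
    public boolean isAdministrator() { return administrator; }
    public void setAdministrator(boolean administrator) { this.administrator = administrator; }
}
```

A quick way to check the protection during testing is to submit the form with an extra accountId or administrator parameter and confirm in the handler that the field still holds its default (null or false) rather than the submitted value.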