问题
I am starting a new project with Spring Roo. I have found that the MVC controllers that it generates are vulnerable to mass assignment. I wonder if there is a standard way to allow only certain fields from being updated. I am thinking about using @InitBinder, but I don't know if it is the best approach.
I have the impression that this issue and CSRF prevention are overlooked in most of the Java EE frameworks that I know. Even worse, these vulnerabilities are often found even in their own sample code.
Side note: I already know HDIV, but I don't want to "uglify" my nice REST URLs except for CSRF prevention.
回答1:
There is no nice solution to this problem, options:
- create form or DTO objects that have fields for only what is in the form (but that will not work well with spring roo)
- use 2 instances of the object, the form instance and the database instance, then copy only the fields that were in the form page from the form instance to the db instance
This article here could be used to help solve the mass assignment problem: http://blog.42.nl/articles/leveraging-the-spring-mvc-3.1-handlermethodargumentresolver-interface/
来源:https://stackoverflow.com/questions/11565342/prevent-mass-assignment-in-spring-mvc-with-roo