Of course it is that easy. =)  How did I miss this?  Thanks a ton!

On Thu, Mar 25, 2010 at 11:31 AM, Iwao AVE! <harawata@gmail.com> wrote:
Hi,

Because it's easier for beginners, I guess.
You can use @StrictBinding to avoid unintended binding.

http://stripes.sourceforge.net/docs/current/javadoc/net/sourceforge/stripes/action/StrictBinding.html

Regards,
Iwao

on 10/03/26 3:13 Caine Lai said the following:
> I've been using Stripes for a couple of years now and love it.  However,
> I have recently been thinking about some security problems with binding
> directly into a domain model in action beans.  The problem is that
> Stripes will bind to properties even if there is no @Validate annotation
> on a field.
>
> Imagine the following domain object, simplified for demonstration purposes:
>
> public class User {
>
>       private String role, email;
>
>       public void setRole(String role) { this.role = role; }
>
>       public String getRole() { return this.role; }
>
>       public void setEmail(String email) { this.email = email; }
>
>       public String getEmail() { return this.email; }
> }
>
> Now in my action bean, I use a user object for an update form and define
> some validators to it:
>
> @ValidateNestedProperties({
>          @Validate(field = "email", required = true, maxlength =
> ModelConstants.EMAIL_MAX_LENGTH, converter=EmailTypeConverter.class),
> })
> private User user;
>
> public Resolution update() {
>       user.merge();
> }
>
> Now if I am a regular user with the "USER" role, I can request the
> following url:
> http://www.someserver.com/context/action_mapping/update?user.email=someemail@somedomain.com&role=ADMIN
>
> Now even though I do not specify a validator on the role field, Stripes
> will still bind to that field and the user has just elevated their
> privileges to ADMIN.  Again, simplified example but this could pose all
> kinds of security holes and problems in an application.
>
> Is there a reason Stripes binds to properties even when there is no
> validator or type converter defined on the property?
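The fix Iwao points to, shown as an added example (not code from the thread): the action bean from the quoted question rewritten with @StrictBinding, so that only the nested properties carrying a @Validate annotation are bindable and a stray user.role parameter is dropped. The package, URL binding, forward target and the email length literal are assumptions; the minimal User class stands in for the real domain object.

```java
package example; // assumed package, not from the thread

import net.sourceforge.stripes.action.ActionBean;
import net.sourceforge.stripes.action.ActionBeanContext;
import net.sourceforge.stripes.action.DefaultHandler;
import net.sourceforge.stripes.action.ForwardResolution;
import net.sourceforge.stripes.action.Resolution;
import net.sourceforge.stripes.action.StrictBinding;
import net.sourceforge.stripes.action.UrlBinding;
import net.sourceforge.stripes.validation.EmailTypeConverter;
import net.sourceforge.stripes.validation.Validate;
import net.sourceforge.stripes.validation.ValidateNestedProperties;

// With @StrictBinding on the bean, Stripes binds a request parameter only if
// the target property has a @Validate annotation (or matches the annotation's
// allow list). A request like
//   .../update?user.email=a@b.com&user.role=ADMIN
// therefore sets user.email and silently ignores user.role. Properties can
// also be listed explicitly, e.g. @StrictBinding(allow = "user.email").
@StrictBinding
@UrlBinding("/action_mapping/{$event}") // assumed binding
public class UserActionBean implements ActionBean {

    private ActionBeanContext context;

    // Only "email" is bindable; "role" can never be set from the request.
    @ValidateNestedProperties({
        @Validate(field = "email", required = true, maxlength = 254, // assumed limit
                  converter = EmailTypeConverter.class)
    })
    private User user;

    public ActionBeanContext getContext() { return context; }
    public void setContext(ActionBeanContext context) { this.context = context; }

    public User getUser() { return user; }
    public void setUser(User user) { this.user = user; }

    @DefaultHandler
    public Resolution update() {
        user.merge(); // domain method from the quoted question
        return new ForwardResolution("/user/updated.jsp"); // assumed target
    }
}

// Minimal stand-in for the domain object in the quoted question.
class User {
    private String role, email;
    public String getRole() { return role; }
    public void setRole(String role) { this.role = role; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
    public void merge() { /* persist the entity; left out of this example */ }
}
```

Note that @StrictBinding also blocks binding to any other unannotated property of User, so each field a form legitimately edits needs its own @Validate entry.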


_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users