Struts 2 + Spring: how to protect application objects from parameters

Dan Dormont
Greenhorn

Joined: Dec 17, 2008
Posts: 3
I am building an application using Struts 2 and Spring. I have accessors in my Action class autowired to Spring managed objects: either session scope (like the current user) or application (like some configuration details). I use these objects in my Action methods themselves, but I also want them available in the view, so I put getters for them in the action class.

Since I also use the params interceptor, this means that a malicious user could modify these objects using a very trivial



I thought if I used ModelDriven it would help: the params would only get mapped into the model object, not the action. But I guess I misunderstood how the value stack works. I could also remove my getConfigObj() method, but then how would I expose the object to the view?

I would appreciate any suggestions.
[ December 17, 2008: Message edited by: Dan Dormont ]
David Newton
Author
Rancher

Joined: Sep 29, 2008
Posts: 12617

If they're in scope you don't need to expose them via accessors; they're available under the #session and #application OGNL vars (explicit) or #attr (searches scopes).

You can also disallow parameters from requests via the "params" interceptor per-action or per-package.
[ December 17, 2008: Message edited by: David Newton ]
Dan Dormont
Greenhorn

Joined: Dec 17, 2008
Posts: 3
Thanks for the quick response.

Originally posted by David Newton:
If they're in scope you don't need to expose them via accessors; they're available under the #session and #application OGNL vars (explicit) or #attr (searches scopes).

True, I could do that. But I'm planning to use JSP EL where I can (to cut down on tags and keep the code cleaner) and as I understood the docs # isn't supported there. Also the Spring-managed objects aren't in those scopes per se as I understand it, so I'd have to write code to add them in there, which seems clunky.

Originally posted by David Newton:
You can also disallow parameters from requests via the "params" interceptor per-action or per-package.

I'm a little nervous about the security implications on that one after reading this thread: thread especially since I may have some of these objects that are common and others that are action- or package-specific so I'd have to be very careful.
David Newton
Author
Rancher

Joined: Sep 29, 2008
Posts: 12617

AFAIK there was a patch committed in August that deals with this issue.

That aside, Spring beans scoped in web scopes *are* in the actual scope (at least session-scoped beans, which is the only webapp scope I've used Spring for).

For example, if you define a user bean in Spring as a session scope bean it'll be in session scope whether or not it's used in a Struts action--it works no matter what framework you're using. Obviously scoped beans are available via JSP EL as well.

Bear in mind also that S2 value-stack based objects are also available via JSP EL: S2 has a request wrapper that will look for beans first on the value stack, and if not found, will then use the normal scope-based attribute lookup.
Dan Dormont
Greenhorn

Joined: Dec 17, 2008
Posts: 3
I experimented a little more and discovered that as you said session-scope beans automatically show up in the action context and can be queried in the view. No need for the action class itself to expose them. Great!

So my question now is simply how to do the same with (certain) singleton-scope beans created by Spring.
[ December 18, 2008: Message edited by: Dan Dormont ]
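An added example (not code from this thread, nor from Struts or Spring) of the per-action approach David mentions: the action keeps a read-only getter for the Spring-injected object so the view can still use it, but implements XWork's ParameterNameAware so the params interceptor only sets an allow-listed set of names. AppConfig, EditProfileAction and the field names are hypothetical stand-ins.

```java
// Added example, not code from the thread or from Struts/Spring themselves.
// Assumes Struts 2 / XWork 2 with the default params interceptor in the stack
// and a Spring-managed AppConfig bean (hypothetical) injected by setter.
package example; // hypothetical package

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class EditProfileAction extends ActionSupport implements ParameterNameAware {

    // Hypothetical stand-in for a Spring singleton bean holding configuration.
    public static class AppConfig {
        private String siteName = "example";
        public String getSiteName() { return siteName; }
        public void setSiteName(String s) { siteName = s; }
    }

    private AppConfig configObj;  // injected by Spring; exposed to the view read-only
    private String displayName;   // ordinary form fields this action accepts
    private String email;

    // Spring setter injection. The params interceptor also calls setters by name, so
    // without the allow-list below a request parameter "configObj.siteName" would reach
    // the shared bean through getConfigObj(), which is the problem raised in the thread.
    public void setConfigObj(AppConfig c) { this.configObj = c; }
    public AppConfig getConfigObj() { return configObj; }
    public void setDisplayName(String v) { this.displayName = v; }
    public String getDisplayName() { return displayName; }
    public void setEmail(String v) { this.email = v; }
    public String getEmail() { return email; }

    // Only these request parameter names may be set by the params interceptor.
    private static final Set<String> ACCEPTED =
        new HashSet<String>(Arrays.asList("displayName", "email"));

    // ParameterNameAware: the params interceptor asks the action before setting each
    // parameter; anything not on the list (e.g. "configObj.siteName") is dropped.
    public boolean acceptableParameterName(String parameterName) {
        return ACCEPTED.contains(parameterName);
    }

    public String execute() {
        // configObj is still readable in the view, e.g. ${configObj.siteName}
        return SUCCESS;
    }
}
```

The same restriction can be expressed in struts.xml instead of code via the params interceptor's excludeParams regex list (per package or per action), which is the declarative form of the suggestion above.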