Using the setAllowedFields() method in Spring


Question

I'm using Spring 3.2.0. I have registered a few custom property editors for some basic needs as follows.

import editors.DateTimeEditor;
import editors.StrictNumberFormatEditor;
import java.math.RoundingMode;
import java.net.URL;
import java.text.DecimalFormat;
import java.text.NumberFormat;
import org.joda.time.DateTime;
import org.springframework.beans.propertyeditors.StringTrimmerEditor;
import org.springframework.beans.propertyeditors.URLEditor;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.context.request.WebRequest;

@ControllerAdvice
public final class GlobalDataBinder 
{
    @InitBinder
    public void initBinder(WebDataBinder binder, WebRequest request)
    {
        binder.setIgnoreInvalidFields(true);
        binder.setIgnoreUnknownFields(true);
        //binder.setAllowedFields(someArray);
        NumberFormat numberFormat=DecimalFormat.getInstance();
        numberFormat.setGroupingUsed(false);
        numberFormat.setMaximumFractionDigits(2);
        numberFormat.setRoundingMode(RoundingMode.HALF_UP);

        binder.registerCustomEditor(DateTime.class, new DateTimeEditor("MM/dd/yyyy HH:mm:ss", true));
        binder.registerCustomEditor(Double.class, new StrictNumberFormatEditor(Double.class, numberFormat, true));
        binder.registerCustomEditor(String.class, new StringTrimmerEditor(true));
        binder.registerCustomEditor(URL.class, new URLEditor());
    } 
}

I have this many editors registered so far. Two of them DateTimeEditor and StrictNumberFormatEditor have been customized by overriding respective methods to fulfill custom needs of number format and Joda-Time.

Since I'm using Spring 3.2.0, I can take advantage of @ControllerAdvice.

Spring recommends to list a set of allowed fields with the setAllowedFields() method so that malicious users can not inject values into bound objects.

The docs on DataBinder:

Binder that allows for setting property values onto a target object, including support for validation and binding result analysis. The binding process can be customized through specifying allowed fields, required fields, custom editors, etc.

Note that there are potential security implications in failing to set an array of allowed fields. In the case of HTTP form POST data for example, malicious clients can attempt to subvert an application by supplying values for fields or properties that do not exist on the form. In some cases this could lead to illegal data being set on command objects or their nested objects. For this reason, it is highly recommended to specify the allowedFields property on the DataBinder.

I have a big application and obviously there are thousands of fields. Specifying and listing all of them with the setAllowedFields() is a tedious job. Additionally, somehow I need to remember them.

Changing a web page to remove some fields or add additional fields as the need arises again requires to modify the parameter value of the setAllowedFields() method to reflect those changes.

Is there any other alternative?

Recommended answer

Instead of using setAllowedFields() to white-list, you can use setDisallowedFields() to black-list. For example, from the petclinic sample application:

@InitBinder
public void setAllowedFields(WebDataBinder dataBinder) {
    dataBinder.setDisallowedFields("id");
}

From a pure security standpoint white-listing is preferred to black-listing, but it may help ease the burden some.
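As an added illustration (not part of the answer or the petclinic sample), the following stand-alone program binds a constructed set of request parameters, including an extra "id" parameter that the HTML form never exposed, to a hypothetical command object, once with setAllowedFields() and once with setDisallowedFields(). In both runs the "id" value is dropped; the suppressed field names are available from the binding result, which is useful for logging such attempts. The OwnerForm class and the parameter values are assumptions made up for the example.

```java
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;

public class AllowedFieldsDemo {

    // Hypothetical command object; "id" is assigned server-side and must never come from the form.
    public static class OwnerForm {
        private Long id;
        private String name;
        private String email;
        public Long getId() { return id; }
        public void setId(Long id) { this.id = id; }
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
    }

    // Constructed request parameters, as a form POST would deliver them to the binder.
    private static MutablePropertyValues submittedValues() {
        MutablePropertyValues pvs = new MutablePropertyValues();
        pvs.add("name", "Alice");
        pvs.add("email", "alice@example.com");
        pvs.add("id", "42");   // extra parameter that is not on the HTML form
        return pvs;
    }

    public static DataBinder bindWithAllowList() {
        DataBinder binder = new DataBinder(new OwnerForm());
        binder.setAllowedFields("name", "email");   // everything else is skipped
        binder.bind(submittedValues());
        return binder;
    }

    public static DataBinder bindWithDenyList() {
        DataBinder binder = new DataBinder(new OwnerForm());
        binder.setDisallowedFields("id");           // only "id" is skipped
        binder.bind(submittedValues());
        return binder;
    }

    public static void main(String[] args) {
        for (DataBinder binder : new DataBinder[] { bindWithAllowList(), bindWithDenyList() }) {
            OwnerForm form = (OwnerForm) binder.getTarget();
            // Both variants leave id == null; the skipped parameter is reported as a suppressed field.
            System.out.println("id=" + form.getId() + " name=" + form.getName()
                + " suppressed=" + String.join(",", binder.getBindingResult().getSuppressedFields()));
        }
    }
}
```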
