How to fix Mass Assignment: Insecure Binder Configuration (API Abuse, Structural) in Java


Problem description

I have a Controller class with the two methods below for finding doctors (context changed). I am getting the Mass Assignment: Insecure Binder Configuration (API Abuse, Structural) error on both methods.

@Controller
@RequestMapping(value = "/findDocSearch")
public class Controller {

    @Autowired
    private IFindDocService findDocService;

    @RequestMapping(value = "/byName", method = RequestMethod.GET)
    @ResponseBody
    public List<FindDocDTO> findDocByName(FindDocBean bean) {
        return findDocService.retrieveDocByName(bean.getName());
    }

    @RequestMapping(value = "/byLoc", method = RequestMethod.GET)
    @ResponseBody
    public List<FindDocDTO> findDocByLocation(FindDocBean bean) {
        return findDocService.retrieveDocByZipCode(bean.getZipcode(),
                bean.getDistance());
    }
}

My bean is:

public class FindDocBean implements Serializable {
    private static final long serialVersionUID = -1212xxxL;

    private String name;
    private String zipcode;
    private int distance;

    @Override
    public String toString() {
        return String.format("FindDocBean[name: %s, zipcode:%s, distance:%s]",
                name, zipcode, distance);
    }

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public String getZipcode() {
        return zipcode;
    }

    public void setZipcode(String zipcode) {
        this.zipcode = zipcode;
    }

    public int getDistance() {
        return distance;
    }

    public void setDistance(int distance) {
        this.distance = distance;
    }
}

As per all the suggestions found so far, they suggest restricting the bean to the required parameters only, by something like the below:

final String[] DISALLOWED_FIELDS = new String[]{"bean.name", "bean.zipcode", };

@InitBinder
public void initBinder(WebDataBinder binder) {
    binder.setDisallowedFields(DISALLOWED_FIELDS);
}

But my problem is that all 3 parameters of the bean are used in one or the other of the methods supplied on the Controller.

Can someone please suggest a solution for this? Thanks in advance.

Recommended answer

InitBinder can be used for methods. You can try this.

// findDocByName reads only "name", so block the other two fields
@InitBinder("findDocByName")
public void initBinderByName(WebDataBinder binder) {
    binder.setDisallowedFields(new String[]{"distance", "zipcode"});
}

// findDocByLocation reads "zipcode" and "distance", so only "name" is blocked here
@InitBinder("findDocByLocation")
public void initBinderByZipCode(WebDataBinder binder) {
    binder.setDisallowedFields(new String[]{"name"});
}
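The following is an added example, not code from the question or the answer above. It shows the same idea (a separate binder per handler) written with allow-lists instead of deny-lists, which is what the Fortify rule is really asking for: a deny-list goes stale as soon as a field is added to the bean, while an allow-list fails closed. It also makes one detail explicit that the answer's snippet glosses over: the value of @InitBinder is matched against the model attribute name (or request parameter name), not the handler method name, so each handler names its command object with @ModelAttribute and the binder method refers to that name. The attribute names "byNameForm" and "byLocForm", the class name FindDocController, and the reuse of the question's FindDocBean, FindDocDTO and IFindDocService types are assumptions made for this example.

```java
// Added example (not the original post's code): per-handler WebDataBinder scoping
// with allow-lists. Assumes the FindDocBean / FindDocDTO / IFindDocService types
// from the question; the model attribute names "byNameForm" and "byLocForm" are
// chosen here and do not come from the original post.
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
@RequestMapping("/findDocSearch")
public class FindDocController {

    @Autowired
    private IFindDocService findDocService;

    // Each handler gives its command object an explicit model attribute name.
    // Without @ModelAttribute, Spring derives the default name "findDocBean" from
    // the class name, and a binder annotated with a method name would never match.
    @RequestMapping(value = "/byName", method = RequestMethod.GET)
    @ResponseBody
    public List<FindDocDTO> findDocByName(@ModelAttribute("byNameForm") FindDocBean bean) {
        return findDocService.retrieveDocByName(bean.getName());
    }

    @RequestMapping(value = "/byLoc", method = RequestMethod.GET)
    @ResponseBody
    public List<FindDocDTO> findDocByLocation(@ModelAttribute("byLocForm") FindDocBean bean) {
        return findDocService.retrieveDocByZipCode(bean.getZipcode(), bean.getDistance());
    }

    // Allow-list for the by-name search: only "name" may be populated from request
    // parameters. Any other parameter (zipcode, distance, or a field added to the
    // bean later) is ignored by the binder instead of being silently assigned.
    @InitBinder("byNameForm")
    public void initByNameBinder(WebDataBinder binder) {
        binder.setAllowedFields("name");
    }

    // Allow-list for the by-location search: exactly the two fields it reads.
    @InitBinder("byLocForm")
    public void initByLocBinder(WebDataBinder binder) {
        binder.setAllowedFields("zipcode", "distance");
    }
}
```

With this in place, a request such as GET /findDocSearch/byName?name=Smith&distance=5 binds only name; distance stays at its default because it is not on that handler's allow-list. If the two searches diverge further, the cleaner fix is a dedicated request DTO per endpoint (one with just name, one with zipcode and distance), which removes the need for binder configuration altogether and keeps the bound surface identical to what the handler uses.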
