Play Framework 2 (Java): form data binding with nested allowedFields

Question

Consider the following model:

import java.util.List;
import javax.validation.Valid;
import play.data.validation.Constraints.Pattern;
import play.data.validation.Constraints.Required;

public class Contact {

  @Required
  public String name;

  @Valid
  public List<Information> informations;

  public static class Information {

    // Must never be settable from the POST body
    public String securedField;

    @Required
    public String email;

    @Valid
    public List<Phone> phones;

    public static class Phone {

      @Required
      @Pattern(value = "[0-9.+]+", message = "A valid phone number is required")
      public String number;
    }

  }

}

I don't want Information.securedField to be affected by a mass assignment vulnerability, so I decided to set an array of allowedFields for the Contact form.

As far as I know, Play forms are based on Spring DataBinder, so is it possible to handle collection fields? I don't want to write something like:

  • name
  • informations[0].email
  • informations[0].phones*
  • informations[1].email
  • informations[1].phones*

The following does not work:

  • name
  • informations.email
  • informations.phones*

Should I extend the existing Spring DataBinder and Form classes and override the bind method in this case?

Recommended answer

Here's an arguably simpler solution. How about defining an extra constraint that will trigger a validation failure if the POST data contains any informations[%d].securedField values?

import javax.validation.constraints.Null;

public static class Information {

    @Null
    public String securedField;

    ...

}

I think that this way you can call the default bindFromRequest method instead of the one that accepts a whitelist of form field names, and still be protected against a mass assignment attack.

One shortcoming with this approach, admittedly, is that it would ultimately leak the names of your internal fields in the event of a concerted mass assignment attack. However, if they have fairly bland, meaningless names such as securedField (no offence intended!), I'm not sure how this information could be exploited by an attacker.

If you want to allow assignment to the field based on the current user type, maybe bean validation groups could help:

import javax.validation.constraints.Null;

public class Contact {

    // Validation groups: the two-argument form(...) call below selects one
    public interface Administrator {}

    public interface User {}

    ...

    // static, so the binder can instantiate it without an enclosing Contact
    public static class Information {

        // Only enforced when the form is validated with the User group
        @Null(groups = User.class)
        public String securedField;

        ...

    }

}

Controller code

...
// form(...) is the static play.data.Form.form; the second argument is the
// validation group to apply when binding
final Form<Contact> contactForm;
if (currentUser.isAdministrator()) {
    contactForm = form(Contact.class, Administrator.class).bindFromRequest();
} else {
    contactForm = form(Contact.class, User.class).bindFromRequest();
}
...
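The two defences discussed above (the allowedFields whitelist the question asks about, and the @Null constraint the answer proposes) behave differently against the same POST body. The following is an added example, not code from the question, the answer or Play itself. It models them in Python: simple_match is a port of Spring's PatternMatchUtils.simpleMatch, which Play is assumed (as the question's premise says) to apply when it hands allowedFields to DataBinder; the POST dictionary is constructed; the WILDCARD whitelist is an extrapolation of simpleMatch's "xxx*yyy" style beyond what the page shows; and null_constraint_errors is a stand-in for Bean Validation, not the real validator.

```python
"""Model of an allowedFields whitelist at bind time versus a @Null-style
constraint at validation time. Added example; simple_match is a port of
org.springframework.util.PatternMatchUtils.simpleMatch, POST is constructed,
and the validator below is a stand-in for Bean Validation."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed POST body: a legitimate contact plus one smuggled field.
POST: Dict[str, str] = {
    "name": "Alice",
    "informations[0].email": "alice@example.com",
    "informations[0].phones[0].number": "+1.555.0100",
    "informations[0].securedField": "admin",  # attacker-controlled
}

# The two whitelists from the question.
PER_INDEX = ["name", "informations[0].email", "informations[0].phones*",
             "informations[1].email", "informations[1].phones*"]
DOTTED = ["name", "informations.email", "informations.phones*"]
# Assumed extension: one wildcard per index, using simpleMatch's "xxx*yyy" style.
WILDCARD = ["name", "informations[*].email", "informations[*].phones*"]


def simple_match(pattern: str, s: str) -> bool:
    """Port of Spring's simpleMatch: supports "xxx*", "*xxx", "*xxx*",
    "xxx*yyy" and exact equality."""
    first = pattern.find("*")
    if first == -1:
        return pattern == s
    if first == 0:
        if len(pattern) == 1:
            return True
        nxt = pattern.find("*", 1)
        if nxt == -1:
            return s.endswith(pattern[1:])
        part = pattern[1:nxt]
        if not part:
            return simple_match(pattern[nxt:], s)
        idx = s.find(part)
        while idx != -1:
            if simple_match(pattern[nxt:], s[idx + len(part):]):
                return True
            idx = s.find(part, idx + 1)
        return False
    return (len(s) >= first
            and pattern[:first] == s[:first]
            and simple_match(pattern[first:], s[first:]))


def is_allowed(field: str, allowed: List[str]) -> bool:
    return any(simple_match(p, field) for p in allowed)


def bind(post: Dict[str, str],
         allowed: Optional[List[str]]) -> Tuple[Dict[str, str], List[str]]:
    """Return (bound, dropped). allowed=None models plain bindFromRequest();
    with a whitelist, DataBinder silently drops non-matching fields."""
    if allowed is None:
        return dict(post), []
    bound: Dict[str, str] = {}
    dropped: List[str] = []
    for key, value in post.items():
        if is_allowed(key, allowed):
            bound[key] = value
        else:
            dropped.append(key)
    return bound, dropped


SECURED = re.compile(r"informations\[\d+\]\.securedField")


def null_constraint_errors(bound: Dict[str, str],
                           group: str = "Default") -> List[str]:
    """Stand-in for @Null on Information.securedField. A bare @Null runs in
    the Default group; @Null(groups = User.class) runs only when binding with
    the User group, so an Administrator bind passes. Returns the field keys
    that would carry a validation error."""
    if group not in ("Default", "User"):
        return []
    return [k for k in bound if SECURED.fullmatch(k)]


if __name__ == "__main__":
    for label, allowed in (("per-index", PER_INDEX), ("dotted", DOTTED),
                           ("wildcard", WILDCARD)):
        bound, dropped = bind(POST, allowed)
        print(label, "bound:", sorted(bound), "dropped:", dropped)
    bound, _ = bind(POST, None)
    print("@Null errors as User:", null_constraint_errors(bound, "User"))
    print("@Null errors as Administrator:",
          null_constraint_errors(bound, "Administrator"))
```

Note the difference in failure mode: the whitelist drops informations[0].securedField without any error, so the client learns nothing, whereas the @Null approach binds the field and then rejects the request with an error keyed on that field name, which is the leak the answer acknowledges. The dotted whitelist is worse than either: it drops informations[0].email as well, because simpleMatch has no notion of collection indices and "informations.email" simply never equals "informations[0].email".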


08-04 21:44