Problem description
I'm using Spring 3.2.0. I have registered a few custom property editors for some basic needs as follows.
import editors.DateTimeEditor;
import editors.StrictNumberFormatEditor;
import java.math.RoundingMode;
import java.net.URL;
import java.text.DecimalFormat;
import java.text.NumberFormat;
import org.joda.time.DateTime;
import org.springframework.beans.propertyeditors.StringTrimmerEditor;
import org.springframework.beans.propertyeditors.URLEditor;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.context.request.WebRequest;

// Applies to every controller because of @ControllerAdvice (Spring 3.2+).
@ControllerAdvice
public final class GlobalDataBinder
{
    @InitBinder
    public void initBinder(WebDataBinder binder, WebRequest request)
    {
        binder.setIgnoreInvalidFields(true);
        binder.setIgnoreUnknownFields(true);
        //binder.setAllowedFields(someArray);

        // Number format shared by the Double editor: no grouping, two decimals, HALF_UP.
        NumberFormat numberFormat=DecimalFormat.getInstance();
        numberFormat.setGroupingUsed(false);
        numberFormat.setMaximumFractionDigits(2);
        numberFormat.setRoundingMode(RoundingMode.HALF_UP);

        // Custom editors (DateTimeEditor and StrictNumberFormatEditor are the
        // application's own classes from the editors package).
        binder.registerCustomEditor(DateTime.class, new DateTimeEditor("MM/dd/yyyy HH:mm:ss", true));
        binder.registerCustomEditor(Double.class, new StrictNumberFormatEditor(Double.class, numberFormat, true));
        binder.registerCustomEditor(String.class, new StringTrimmerEditor(true));
        binder.registerCustomEditor(URL.class, new URLEditor());
    }
}
I have this many editors registered so far. Two of them, DateTimeEditor and StrictNumberFormatEditor, have been customized by overriding the respective methods to fulfill the custom needs of number formatting and Joda-Time.
Since I'm using Spring 3.2.0, I can take advantage of @ControllerAdvice.
Spring recommends listing a set of allowed fields with the setAllowedFields() method so that malicious users cannot inject values into bound objects.
From the docs on DataBinder:

Note that there are potential security implications in failing to set an array of allowed fields. In the case of HTTP form POST data for example, malicious clients can attempt to subvert an application by supplying values for fields or properties that do not exist on the form. In some cases this could lead to illegal data being set on command objects or their nested objects. For this reason, it is highly recommended to specify the allowedFields property on the DataBinder.
I have a big application and obviously there are thousands of fields. Specifying and listing all of them with setAllowedFields() is a tedious job. Additionally, I somehow need to remember them.
Changing a web page to remove some fields or add additional fields as the need arises again requires modifying the parameter value of the setAllowedFields() method to reflect those changes.
Is there any other option?

Recommended answer
Instead of using setAllowedFields() to white-list, you can use setDisallowedFields() to black-list. For example, from the petclinic sample application:
@InitBinder
public void setAllowedFields(WebDataBinder dataBinder) {
    // Block the entity id so a client cannot re-target the update.
    dataBinder.setDisallowedFields("id");
}
From a pure security standpoint, white-listing is preferred to black-listing, but it may help ease the burden some.
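To make the difference between the two approaches concrete, here is an added example that is not code from the question or the answer. It drives Spring's DataBinder directly, outside a web request, with a constructed UserForm command object and a constructed parameter map; the class, field and method names are assumptions for this example. The same over-posted parameters are bound once through an allow list and once through the answer's deny list, and the suppressed fields reported by the BindingResult are printed.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.BindingResult;
import org.springframework.validation.DataBinder;

public class BinderFieldFilterDemo {

    // Constructed command object for this example. "id" and "admin" are
    // properties that no form should let a client set.
    public static class UserForm {
        private Long id;
        private String name;
        private String email;
        private boolean admin;

        public Long getId() { return id; }
        public void setId(Long id) { this.id = id; }
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean admin) { this.admin = admin; }
    }

    // Constructed request parameters: the two fields the form renders plus
    // two that are not on the form at all.
    static Map<String, Object> overPostedParams() {
        Map<String, Object> p = new LinkedHashMap<String, Object>();
        p.put("name", "alice");
        p.put("email", "alice@example.com");
        p.put("id", "42");
        p.put("admin", "true");
        return p;
    }

    // Allow list: only "name" and "email" may be bound. Every other submitted
    // field is silently dropped and recorded as a suppressed field.
    static UserForm bindWithAllowedFields() {
        UserForm form = new UserForm();
        DataBinder binder = new DataBinder(form, "userForm");
        binder.setAllowedFields("name", "email");
        binder.bind(new MutablePropertyValues(overPostedParams()));
        report("allowedFields", binder.getBindingResult());
        return form;
    }

    // Deny list, as in the petclinic snippet: "id" is blocked, but "admin"
    // was never listed, so it is bound like any other property.
    static UserForm bindWithDisallowedFields() {
        UserForm form = new UserForm();
        DataBinder binder = new DataBinder(form, "userForm");
        binder.setDisallowedFields("id");
        binder.bind(new MutablePropertyValues(overPostedParams()));
        report("disallowedFields", binder.getBindingResult());
        return form;
    }

    // Suppressed fields are not binding errors; they only show up here, so
    // logging them is the cheapest way to notice over-posting attempts.
    static void report(String label, BindingResult result) {
        System.out.println(label + " suppressed: "
                + Arrays.toString(result.getSuppressedFields()));
    }

    public static void main(String[] args) {
        UserForm a = bindWithAllowedFields();
        System.out.println("allowedFields    -> id=" + a.getId() + ", admin=" + a.isAdmin());
        UserForm d = bindWithDisallowedFields();
        System.out.println("disallowedFields -> id=" + d.getId() + ", admin=" + d.isAdmin());
    }
}
```

With the allow list, neither id nor admin reaches the object; with the deny list, id is blocked but admin ends up true, which is exactly the gap the answer's "white-listing is preferred" remark refers to. Two things take some of the sting out of maintaining the list: setAllowedFields() accepts simple patterns such as "address.*" (the same matching as setDisallowedFields()), and because the @InitBinder methods of a @ControllerAdvice run before a controller's own @InitBinder methods, each controller can narrow the list to its own command object instead of one global list covering every field in the application.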