I'm using Spring 3.2.0. I have registered a few custom property editors for some basic needs as follows.
import editors.DateTimeEditor;
import edito
Instead of using setAllowedFields() to white-list, you can use setDisallowedFields() to black-list. For example, from the petclinic sample application:
    @InitBinder
    public void setAllowedFields(WebDataBinder dataBinder) {
        dataBinder.setDisallowedFields("id");
    }
From a pure security standpoint white-listing is preferred to black-listing, but it may help ease the burden some.
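The difference between the two binder rules, as an added example that is not part of the original answer or of the petclinic code: it binds the same constructed request parameters once with setDisallowedFields("id") and once with setAllowedFields("firstName"), so a field added to the form object after the rule was written (the hypothetical admin flag) stays bindable under the black-list but not under the white-list. The Owner class, its fields and the parameter values are assumptions made for illustration; it needs the Spring beans and context jars on the classpath.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;

public class BinderFieldFilterDemo {

    // Hypothetical form object; "admin" stands for a field added after the binder rule was written.
    public static class Owner {
        private Long id;
        private String firstName;
        private boolean admin;
        public Long getId() { return id; }
        public void setId(Long id) { this.id = id; }
        public String getFirstName() { return firstName; }
        public void setFirstName(String firstName) { this.firstName = firstName; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean admin) { this.admin = admin; }
    }

    // Bind the same constructed request parameters under the chosen rule.
    static Owner bind(boolean allowList) {
        Owner owner = new Owner();
        DataBinder binder = new DataBinder(owner, "owner");
        if (allowList) {
            binder.setAllowedFields("firstName");   // everything else is rejected
        } else {
            binder.setDisallowedFields("id");       // everything else is accepted
        }
        Map<String, Object> params = new LinkedHashMap<String, Object>();
        params.put("firstName", "George");          // constructed sample input
        params.put("id", "42");
        params.put("admin", "true");
        binder.bind(new MutablePropertyValues(params));
        // The binder records every field it refused to bind; log these to spot tampering.
        for (String field : binder.getBindingResult().getSuppressedFields()) {
            System.out.println((allowList ? "white-list" : "black-list") + " suppressed: " + field);
        }
        return owner;
    }

    public static void main(String[] args) {
        Owner denied = bind(false);
        Owner allowed = bind(true);
        System.out.println("black-list: id=" + denied.getId() + " admin=" + denied.isAdmin());
        System.out.println("white-list: id=" + allowed.getId() + " admin=" + allowed.isAdmin());
    }
}
```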