Note that there are potential security implications in failing to set an array of allowed fields. In the case of HTTP form POST data for example, malicious clients can attempt to subvert an application by supplying values for fields or properties that do not exist on the form. In some cases this could lead to illegal data being set on command objects or their nested objects. For this reason, it is highly recommended to specify the {@link #setAllowedFields allowedFields} property on the DataBinder.
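The effect of the allowed-fields setting described above, as an added example that is not part of the original javadoc or the Spring code base. The `AccountForm` class, its `admin` property and the submitted values are hypothetical and constructed for illustration.

```java
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.BindingResult;
import org.springframework.validation.DataBinder;

import java.util.Arrays;

public class AllowedFieldsExample {

    // Hypothetical command object: "admin" is never rendered on the form.
    public static class AccountForm {
        private String email;
        private boolean admin;
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean admin) { this.admin = admin; }
    }

    // Constructed request parameters: one field from the form plus one extra.
    static MutablePropertyValues submitted() {
        MutablePropertyValues pvs = new MutablePropertyValues();
        pvs.addPropertyValue("email", "user@example.com");
        pvs.addPropertyValue("admin", "true");
        return pvs;
    }

    public static void main(String[] args) {
        // No allowed fields set: every writable property is bindable.
        AccountForm open = new AccountForm();
        new DataBinder(open, "accountForm").bind(submitted());
        System.out.println("unrestricted admin=" + open.isAdmin());

        // Allowed fields set: only "email" is bound, "admin" is suppressed.
        AccountForm restricted = new AccountForm();
        DataBinder binder = new DataBinder(restricted, "accountForm");
        binder.setAllowedFields(new String[] {"email"});
        binder.bind(submitted());
        BindingResult result = binder.getBindingResult();
        System.out.println("restricted admin=" + restricted.isAdmin());
        // Suppressed fields are worth logging: they show what a client tried to set.
        System.out.println("suppressed=" + Arrays.toString(result.getSuppressedFields()));
    }
}
```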
The binding results can be examined via the {@link BindingResult} interface, extending the {@link Errors} interface: see the {@link #getBindingResult()} method. Missing fields and property access exceptions will be converted to {@link FieldError FieldErrors}, collected in the Errors instance, using the following error codes:
By default, binding errors get resolved through the {@link BindingErrorProcessor} strategy, processing for missing fields and property access exceptions: see the {@link #setBindingErrorProcessor} method. You can override the default strategy if needed, for example to generate different error codes.
Custom validation errors can be added afterwards. You will typically want to resolve such error codes into proper user-visible error messages; this can be achieved through resolving each error via a {@link org.springframework.context.MessageSource}, which is able to resolve an {@link ObjectError} / {@link FieldError} through its {@link org.springframework.context.MessageSource#getMessage(org.springframework.context.MessageSourceResolvable, java.util.Locale)} method. The list of message codes can be customized through the {@link MessageCodesResolver} strategy: see the {@link #setMessageCodesResolver} method. {@link DefaultMessageCodesResolver}'s javadoc states details on the default resolution rules.
This generic data binder can be used in any kind of environment. It is typically used by Spring web MVC controllers, via the web-specific subclasses {@link org.springframework.web.bind.ServletRequestDataBinder} and {@link org.springframework.web.portlet.bind.PortletRequestDataBinder}.
@author Rod Johnson
@author Juergen Hoeller
@author Rob Harrop
@see #setAllowedFields
@see #setRequiredFields
@see #registerCustomEditor
@see #setMessageCodesResolver
@see #setBindingErrorProcessor
@see #bind
@see #getBindingResult
@see DefaultMessageCodesResolver
@see DefaultBindingErrorProcessor
@see org.springframework.context.MessageSource
@see org.springframework.web.bind.ServletRequestDataBinder