Added Security Features
One of Stripes' strengths is its ability to map complex Java objects to parameters in the HTML view. However, if misused, this capability can risk unwanted manipulation of the values in the backend. Imagine a banking application, for example. You certainly want to show customer their balances, but want them to be able to manipulate these values only through very controlled processes such as verifiable deposits or transfers (i.e., not by pasting a new and higher value into their URL). The Stripes team has added the @StrictBinding
annotation to let you restrict binding to only those properties that you want the end user to be able to change.
Stripes 1.5 also adds support for transparent encryption of variables, which makes URLs in your application less susceptible to manipulation. Just set your own encryption key in the web.xml file's Stripes.EncryptionKey initialization parameter, and then mark up any parameters you want encrypted using the @Validate annotation in your ActionBean. Those parameters are encrypted and written into Stripes' form, link, and URL tags for display. These values are then decrypted on the return trip to the ActionBean, validated, and finally, bound to their target properties-all automatically.
The following is an example of encrypting an ActionBean property with the Validate annotation:
private Contact contact = new Contact();
You can create your own encryption key in the web.xml file as follows:
Finally, the Stripes team has encrypted the _sourcePage parameterthe breadcrumb placed in all Stripes formswhich is used to return viewers to their previous views when errors occur. This is one more way that sensitive internal workings of a Stripes application can be abstracted.