Thursday, April 30, 2009

Spring MVC vulnerabilities

SpringSource actually published an advisory about this a while back.
You can also read the write-up at http://www.ouncelabs.com/resources/126-two_security_vulnerabilities_in_the_spring_frameworks_mvc.

I want to mention one of the issues here:
To prevent unintended data binding (any request parameter whose name matches a setter on your form-backing object gets bound, whether or not that field is on the form), Spring suggests that you whitelist the fields allowed to be bound or edited, using @InitBinder and setAllowedFields() or the like.

Quote:
@Controller - Use the @InitBinder annotation to inject a WebDataBinder into a method used to configure it explicitly. Call setAllowedFields(String []) to restrict the fields allowed for that Controller class. If the set of allowedFields needs to vary per handler method, have your @InitBinder method accept a HttpServletRequest and key off the current request mapping.
--

The only thing I don't like is that you have to specify form field names one by one, or use a wildcard pattern to match several (setAllowedFields() takes simple patterns such as xxx*, *xxx and *xxx*, not full regular expressions). It's quite tedious if there are a lot of fields!

Plus, if you rename any of your form fields, don't forget to change it here as well. Otherwise, you might be pulling your hair out wondering why some data are bound and some are not! Disallowed parameters are dropped silently rather than rejected; if you need to see which ones were ignored, BindingResult.getSuppressedFields() lists them.
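Here is what the whitelist looks like in practice. This is an added example, not code from the original post or from the SpringSource advisory: the User bean, the controller names, the /profile mappings and the "admin" field are all hypothetical. It shows the unrestricted controller that binds whatever the request sends, the hardened version that uses @InitBinder with setAllowedFields() and keys off the request URI as the advisory suggests, and a check of getSuppressedFields() so that silently dropped parameters (tampering, or a field you forgot to whitelist after renaming it) do not go unnoticed.

```java
import java.util.Arrays;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import org.springframework.stereotype.Controller;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

// Hypothetical form-backing object. "id" and "admin" exist on the bean (they are
// needed elsewhere) but must never be settable from the request.
class User {
    private Long id;
    private String username;
    private String email;
    private boolean admin;

    public Long getId() { return id; }
    public void setId(Long id) { this.id = id; }
    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
    public boolean isAdmin() { return admin; }
    public void setAdmin(boolean admin) { this.admin = admin; }
}

// BEFORE: no binder restriction. A request such as
//   POST /profile/unsafe  username=bob&email=bob@example.com&admin=true&id=1
// sets User.admin and User.id too, because every request parameter that has a
// matching setter is bound, not just the fields rendered on the form.
@Controller
@RequestMapping("/profile/unsafe")
class UnsafeProfileController {
    @RequestMapping(method = RequestMethod.POST)
    public String update(@ModelAttribute("user") User user) {
        return "redirect:/profile";
    }
}

// AFTER: explicit whitelist per request mapping.
@Controller
@RequestMapping("/profile")
class ProfileController {
    private static final Logger log = Logger.getLogger(ProfileController.class.getName());

    // Applies to the model attribute named "user". The admin mapping is assumed
    // to be protected separately (e.g. URL-based authorization); the whitelist
    // only controls which parameters may reach the bean.
    @InitBinder("user")
    public void restrictFields(WebDataBinder binder, HttpServletRequest request) {
        if (request.getRequestURI().endsWith("/profile/admin")) {
            binder.setAllowedFields("username", "email", "admin");
        } else {
            // Plain names; simple wildcards (xxx*, *xxx, *xxx*) are also accepted,
            // but these are not java.util.regex expressions.
            binder.setAllowedFields("username", "email");
        }
    }

    @RequestMapping(method = RequestMethod.POST)
    public String update(@ModelAttribute("user") User user, BindingResult result) {
        return save(user, result, "/profile");
    }

    @RequestMapping(value = "/admin", method = RequestMethod.POST)
    public String adminUpdate(@ModelAttribute("user") User user, BindingResult result) {
        return save(user, result, "/profile/admin");
    }

    private String save(User user, BindingResult result, String next) {
        if (result.hasErrors()) {
            return "profile/edit";
        }
        // Disallowed parameters are dropped silently, not rejected. Looking at the
        // suppressed list surfaces both tampering attempts (admin=true, id=1) and
        // fields you forgot to whitelist after renaming them in the form.
        String[] ignored = result.getSuppressedFields();
        if (ignored.length > 0) {
            log.warning("Ignored request parameters for '" + user.getUsername()
                    + "': " + Arrays.toString(ignored));
        }
        // persisting the user is left out; it is not part of the binding issue
        return "redirect:" + next;
    }
}
```

Note that the BindingResult parameter has to come immediately after the @ModelAttribute it belongs to, otherwise Spring cannot associate the two and the suppressed-field check has nothing to look at.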