Bean and Object Converters
Two converters that are not enabled by default are the Bean and Object converters. The Bean converter converts POJOs into JavaScript associative arrays and back again. It is not enabled by default because DWR makes sure that it has permission before it touches any of your code.
The Object converter is similar, except that it works on object members directly rather than through getters and setters. All the examples below work with 'object' in place of 'bean' to use direct member access.
If you have remoted a bean using a <create ...> statement, and one of its method parameters is a bean with a setter that has some nasty side effects, then it would be possible for an attacker to trigger those side effects.
You can enable the bean converter for a single class using the following:
<convert converter="bean" match="your.full.package.BeanName"/>
To allow conversion of any class in the given package, or sub package:
<convert converter="bean" match="your.full.package.*"/>
The obvious extension to this is that you can blanket allow conversion of all Java Beans using the following:
<convert converter="bean" match="*"/>
BeanConverter and the JavaBeans Spec.
Beans converted using the BeanConverter need to follow the JavaBeans spec because the converter uses Introspection and not Reflection. This means things like having properly named getters and setters, where the setter takes a single parameter whose type matches the return type of the getter. The setter should return void, the getter should not have any parameters, and there is no overloading of setters. Mostly this is common sense, but it does trip some people up. If you can't be a JavaBean then you need the ObjectConverter.
Setting up Javascript variables
DWR will convert Javascript objects (aka maps, aka associative arrays) into Java beans or Java objects.
A quick example may help. Suppose you have the following Java code:
public class Remoted {
    // Exposed via a <create ...> statement; DWR converts the incoming
    // JavaScript object into a Person before calling this method.
    public void setPerson(Person p) {
        // ...
    }
}

public class Person {
    private String name;
    private int age;
    // JavaBean-style accessors: the BeanConverter finds these by Introspection.
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
    public int getAge() { return age; }
    public void setAge(int age) { this.age = age; }
    // ...
}
If Remoted was configured as a Creator, and Person is convertible using the BeanConverter, then you can call the Java code as follows:
var p = { name:"Fred", age:21 };
Remoted.setPerson(p);
Restricting Property Conversion
Just as creators have exclude and include parameters that instruct DWR which methods to expose, there is a similar system for converters.
Since restricting property conversion only makes sense for Beans (clearly primitive types don't need restrictions on conversion of their properties), this functionality is specific to BeanConverter and anything that inherits from it (like HibernateBeanConverter).
The syntax is like this:
<convert converter="bean" match="com.example.Fred">
  <param name="exclude" value="property1, property2"/>
</convert>
This ensures that DWR does not call fred.getProperty1() or fred.getProperty2(). Alternatively, if you prefer to white-list rather than black-list, you can do the following:
<convert converter="bean" match="com.example.Fred">
  <param name="include" value="property1, property2"/>
</convert>
Good security design commonly involves white-listing rather than black-listing.
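As an added illustration (not DWR's own code) of what the include white-list above buys you, and of why the JavaBeans spec matters for the setPerson example: a hypothetical Person bean whose setPassword has a side effect, and a small converter that, like BeanConverter, finds properties by Introspection and only invokes white-listed setters. The input map stands in for the JavaScript object DWR receives.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class BeanConverterDemo {
    // Hypothetical remoted bean: 'name' and 'age' are harmless properties,
    // 'password' has a setter with a side effect that must not be reachable.
    public static class Person {
        private String name;
        private int age;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public int getAge() { return age; }
        public void setAge(int age) { this.age = age; }
        public void setPassword(String password) {
            System.out.println("side effect: password changed to " + password);
        }
    }

    // Mimics BeanConverter's inbound conversion: enumerate JavaBean properties
    // via Introspection (not raw reflection) and honour an 'include' white-list.
    static Person convert(Map<String, Object> js, Set<String> include) throws Exception {
        Person p = new Person();
        for (PropertyDescriptor pd : Introspector.getBeanInfo(Person.class, Object.class)
                .getPropertyDescriptors()) {
            Method setter = pd.getWriteMethod();
            if (setter == null) continue;                   // read-only property
            if (!include.contains(pd.getName())) continue;  // not white-listed
            Object value = js.get(pd.getName());
            if (value != null) setter.invoke(p, value);     // Integer unboxes to int
        }
        return p;
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> js = new HashMap<>();   // constructed JS-style input
        js.put("name", "Fred");
        js.put("age", 21);
        js.put("password", "evil");                 // extra key a caller could add
        Set<String> include = new HashSet<>(Arrays.asList("name", "age"));
        Person p = convert(js, include);            // setPassword is never invoked
        System.out.println(p.getName() + " is " + p.getAge());
    }
}
```

Remove "age" from the include set and the converter silently ignores that key too; the white-list, not the shape of the incoming object, decides which setters run.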
Private Members of Objects
In addition to the parameters above, the 'object' converter has a force parameter that instructs DWR to use reflection to bypass access modifiers and reach private members of objects.
The syntax is like this:
<convert converter="object" match="com.example.Fred">
  <param name="force" value="true"/>
</convert>
There is a bug in DWR up to version 1.1.3 where it fails to detect properly whether a field is public, so you may need to use force=true even for public members in version 1.1.3 or earlier.
