BeanFactoryPostProcessor to read the configuration metadata and potentially change it before the container instantiates any beans other than BeanFactoryPostProcessors." Sounds harmless, but is the worst I've found so far: using BeanFactoryPostProcessor one can change any property of any bean. The concrete BeanFactoryPostProcessor implementation does not have to refer to the beans it modifies and can be added to the config with a single XML element that does not refer to BeanFactoryPostProcessor. In other words, one can really fuck up any application with under 10 lines of Java & XML, in a way that is very hard to detect.
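Because the XML element names only the concrete class, a text search for "BeanFactoryPostProcessor" in the config finds nothing; the check has to be by type. The following is an added example, not code from the original post: it loads the bean definitions without instantiating anything and reports every declared BeanFactoryPostProcessor whose class is not on an allowlist. The class name PostProcessorAudit, the file name applicationContext.xml and the allowlist contents are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import org.springframework.beans.factory.BeanFactoryUtils;
import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.beans.factory.config.BeanFactoryPostProcessor;
import org.springframework.beans.factory.support.DefaultListableBeanFactory;
import org.springframework.beans.factory.xml.XmlBeanDefinitionReader;
import org.springframework.core.io.ClassPathResource;

/** Added example (hypothetical class): audits an XML config for BeanFactoryPostProcessors. */
public class PostProcessorAudit {

    /** Returns one finding per declared post-processor whose class is not allowlisted. */
    public static List<String> audit(String xmlOnClasspath, Set<String> allowedClasses) {
        // Only bean definitions are loaded; the factory is never refreshed,
        // so no bean is instantiated and no post-processor runs.
        DefaultListableBeanFactory factory = new DefaultListableBeanFactory();
        new XmlBeanDefinitionReader(factory)
                .loadBeanDefinitions(new ClassPathResource(xmlOnClasspath));

        List<String> findings = new ArrayList<>();
        // Match on the resolved bean type (includeNonSingletons=true, allowEagerInit=false).
        for (String name : factory.getBeanNamesForType(BeanFactoryPostProcessor.class, true, false)) {
            // A FactoryBean that is itself a post-processor is reported as "&name".
            String plainName = BeanFactoryUtils.transformedBeanName(name);
            BeanDefinition def = factory.getBeanDefinition(plainName);
            String cls = def.getBeanClassName();
            if (cls == null || !allowedClasses.contains(cls)) {
                findings.add(plainName + " -> " + cls
                        + " (declared in " + def.getResourceDescription() + ")");
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Assumed config file and allowlist; replace with the application's own.
        Set<String> allowed = Set.of(
                "org.springframework.context.support.PropertySourcesPlaceholderConfigurer");
        List<String> findings = audit("applicationContext.xml", allowed);
        findings.forEach(System.err::println);
        if (!findings.isEmpty()) {
            System.exit(1); // fail the build or startup check on an unexpected post-processor
        }
    }
}
```

Run as a build or pre-deployment step, this turns a newly added post-processor into a visible failure that names the XML resource declaring it. It covers top-level bean definitions reachable from the given file, including imported files.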